Common parsing vulnerability summary

First, Parsing Vulnerability

A parsing vulnerability occurs when the application server is given a file whose suffix has been carefully constructed, parses that file as a web script, and the site is compromised as a result. Most parsing vulnerabilities are introduced by the server application itself.

Second, the common Parsing Vulnerability

1. IIS 5.x-6.x Parsing Vulnerability

Servers running IIS 5.x-6.x are mostly Windows Server 2003 machines hosting older sites, generally developed in ASP. This parsing vulnerability only applies to .asp files; .aspx files are not affected.

Directory Parsing Vulnerability

IIS 6.0 directory parsing vulnerability: if a site contains a folder named *.asp (for example xx.asp/), every file inside that folder is executed by IIS as an ASP script, e.g. /xx.asp/xx.jpg.

File Parsing Vulnerability

IIS 6.0 semicolon (;) vulnerability: when parsing a file name, IIS discards everything after the semicolon. An attacker therefore appends a semicolon and a harmless suffix when uploading, such as a.asp;jpg, to get past a blacklist filter on the extension while the file is still executed as ASP.

Parsed file types

Besides .asp, IIS 6.0 by default also executes three other extensions:

  • /test.asa
  • /test.cer
  • /test.cdx

2. IIS 7.0 / IIS 7.5 / Nginx < 8.03

In IIS 7.0 / 7.5, FastCGI is enabled by default. If /*.php is appended directly to the URL of an image (*.jpg), the normal image is parsed as a PHP file.

On some sites running Nginx, accessing http://www.xxser.com/1.jpg/1.php causes 1.jpg to be parsed as a PHP script, even though 1.php does not exist. This means an attacker can upload a legitimate-looking "picture" (an image Trojan), then append /xxx.php to its URL and obtain a WebShell on the site.

This is not a vulnerability unique to Nginx; the same parsing vulnerability frequently exists in IIS 7.0, IIS 7.5, Lighttpd and other web containers. It is really a PHP CGI path parsing vulnerability: the PHP configuration file (on the test machine C:\wamp\bin\php\php5.3.10\php.ini) has a critical option, cgi.fix_pathinfo, which is enabled by default. When the requested file does not exist, PHP walks the URL path backwards looking for a file it can execute.

3. Nginx null byte vulnerability

Affected versions: 0.5, 0.6, 0.7 <= 0.7.65, 0.8 <= 0.8.37

Nginx supports PHP parsing through CGI by default; the common practice in the Nginx configuration file is to set SCRIPT_FILENAME from a regular-expression match. When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", and the SCRIPT_FILENAME built from it is passed to PHP CGI. Why does PHP accept this parameter and parse phpinfo.jpg as a PHP file? This is where the fix_pathinfo option comes in. If the option is enabled, it triggers the following logic in PHP:

PHP treats phpinfo.jpg as SCRIPT_FILENAME and 1.php as PATH_INFO, so it parses phpinfo.jpg as a PHP file.

In other words, when PHP is executed through FastCGI, a request for http://127.0.0.1/1.jpg%00.php causes the file 1.jpg (the Trojan file) to be executed as PHP.

4. Apache (1.x, 2.x) Parsing Vulnerability

Principle of Apache (1.x, 2.x) file parsing: Apache reads the file name's extensions from right to left, and an extension it does not recognize is skipped. Extensions such as rar and gif are not identified by Apache, so parsing continues until it reaches php, which achieves the goal of injecting PHP code.

If the file 1.php.bb.rar is uploaded: the extension rar is unknown, so Apache moves one extension to the left; in 1.php.bb the extension bb is unknown, so it moves left again; 1.php remains, and the final result is that the file is parsed as PHP. If Apache reaches the end of the name without meeting an extension it can handle, it exposes the file's source.

This technique bypasses blacklist-based checks (for example, a site restriction that forbids uploading file names with the php suffix).

5. Other

On Windows, file names such as xx.jpg[space] or xx.jpg. are not allowed to exist; if a file is given such a name, Windows removes the trailing space or dot by default. An attacker can intercept the upload request and add a space or dot after the file name to bypass a blacklist; if the upload succeeds, Windows strips the trailing space or dot automatically, and the attacker gets a shell.

Third, fixing the vulnerabilities

Apply security patches promptly, keep up with the latest security developments, and close any services that do not need to be open.
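As a defensive counterpart to sections 1 to 5, here is an added example (not from the original post) of an allow-list check for uploaded file names that rejects every name pattern described above: the IIS semicolon and *.asp directory tricks, the Nginx/IIS7 trailing path-info and null byte, the Apache multi-extension name, and the Windows trailing space or dot. The extension sets are assumptions for an image-upload endpoint.

```python
import re
from urllib.parse import unquote

# Script extensions named in the post: IIS 6 executes asp/asa/cer/cdx, and
# PHP is the target of the Nginx/IIS 7 path-info and Apache cases.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "cer", "cdx", "php"}
# Assumed allow-list for an image-upload endpoint.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def check_upload_name(raw_name):
    """Return a list of problems found in an uploaded file name.

    An empty list means the name is a plain, single-extension image name.
    The name is URL-decoded first so that %00 is judged like a literal NUL.
    """
    name = unquote(raw_name)
    problems = []
    if "\x00" in name:
        problems.append("null byte")          # 1.jpg%00.php (Nginx)
    if ";" in name:
        problems.append("semicolon")          # a.asp;jpg (IIS 6)
    if "/" in name or "\\" in name:
        problems.append("path separator")     # xx.asp/xx.jpg, 1.jpg/1.php
    if name != name.rstrip(" ."):
        problems.append("trailing space or dot")  # xx.jpg. (Windows)
    # Apache reads extensions right to left, so every token after the
    # base name counts as an extension, not only the last one. Splitting
    # on separators too means asp inside xx.asp/xx.jpg is also seen.
    tokens = re.split(r"[./\\;\x00]", name.lower())
    exts = tokens[1:]
    if any(ext in SCRIPT_EXTENSIONS for ext in exts):
        problems.append("script extension")   # 1.php.bb.rar (Apache)
    if len(exts) != 1:
        problems.append("must have exactly one extension")
    elif exts[0] not in ALLOWED_IMAGE_EXTENSIONS:
        problems.append("extension not allowed")
    return problems


def is_safe_upload_name(raw_name):
    """True only when the name passes every check above."""
    return not check_upload_name(raw_name)
```

Name validation alone does not fix the server-side causes; cgi.fix_pathinfo and the IIS/Apache handler mappings still need to be corrected on the server.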


Origin blog.csdn.net/weixin_43625577/article/details/91971796