One, IIS middleware vulnerabilities
1> Malformed filename parsing vulnerability
IIS 6.0 file names: 1234.asp;.jpg, 123.aspx;.jpg, 123.php;.jpg
Fix: remove the handler mappings (parsed suffixes) that are not needed
IIS 7.5 file name: 123.jpg/.php
Fix: set cgi.fix_pathinfo = 0 in php.ini and restart php-cgi
2> IIS short file name guessing vulnerability (information disclosure)
The first six characters of a file name can be obtained, and the remaining characters of the name are then guessed by brute force
Fix: disable NTFS 8.3 short-name support from the CMD prompt; on Windows Server 2003 the value 1 means disabled and 0 means enabled
Command to disable it: fsutil behavior set disable8dot3 1
3> PUT file write
/123.asp
Fix: disable WebDAV and remove write permissions
Two, Apache middleware vulnerabilities
> Malformed filename parsing vulnerability, CVE-2017-15715
File name format: 1234.php.23testafuck
Parsing vulnerability caused by AddHandler
Fix: adjust the AddHandler directive (AddHandler application/x-httpd-php .php .xxxxx) so that only the intended extensions are handled
Three, Nginx middleware vulnerabilities
> File parsing vulnerability
File name format: 123.jpg/.php
Fix: set cgi.fix_pathinfo = 0 in php.ini and restart php-cgi
> Filename logic vulnerability, CVE-2013-4547
Upload 123.jpg with a trailing space; when requesting it, use 123.jpg ...php and, in the intercepted request, change the two dots after jpg from hex 2e 2e to hex 20 00
Fix: upgrade Nginx
> Null byte arbitrary code execution vulnerability
Request info.jpg; in the intercepted request change it to info.jpg..php and change the hex of the dot after jpg to 00
Fix: upgrade Nginx
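The IIS 7.5 and Nginx entries above share one root cause: with cgi.fix_pathinfo=1, PHP's CGI front end walks back along the request path until it finds a real file, so /uploads/123.jpg/.php executes the image as PHP. The model below (an added illustration, not code from the original notes; the function names and sample file names are constructed) shows that path-walking beside the fix_pathinfo=0 behaviour, and adds a defender-side filename check that flags the tricks listed in sections One to Three (IIS 6 ';' truncation, Nginx trailing space / NUL, Apache multi-extension names).

```python
"""Model of the filename / path-info parsing problems in sections One to Three.
Added illustration; function names and sample names are constructed."""
import re

# Extensions a server might execute; extend for the handlers actually enabled.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "asp", "aspx"}


def resolve_php_script(request_path, existing_files, fix_pathinfo):
    """Split a request path the way PHP's CGI/FastCGI front end does.

    Returns (script, path_info), or None when the request is refused.
    existing_files is the set of paths the web root really contains.
    """
    if fix_pathinfo:
        # cgi.fix_pathinfo=1: walk back one component at a time until a real
        # file is found; the leftover becomes PATH_INFO.  This is why
        # /uploads/123.jpg/.php ends up running 123.jpg as PHP.
        parts = request_path.split("/")
        for i in range(len(parts), 0, -1):
            candidate = "/".join(parts[:i])
            if candidate in existing_files:
                path_info = "/".join([""] + parts[i:]) if i < len(parts) else ""
                return candidate, path_info
        return None
    # cgi.fix_pathinfo=0: SCRIPT_FILENAME is taken literally and must exist,
    # so the same request yields "No input file specified".
    if request_path in existing_files:
        return request_path, ""
    return None


def flag_upload_name(name):
    """Return the problems found in a client-supplied upload file name.

    Each finding maps to a trick from the notes: IIS 6 stops at ';',
    Nginx (CVE-2013-4547) mishandles a trailing space / NUL, and Apache's
    AddHandler matches any extension in a multi-extension name.
    """
    findings = []
    if "\x00" in name:
        findings.append("null byte")
    if name.endswith(" "):
        findings.append("trailing space")
    if ";" in name:
        findings.append("semicolon")
    if "/" in name or "\\" in name:
        findings.append("path separator")
    exts = [e.lower() for e in re.findall(r"\.([A-Za-z0-9]+)", name)]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append("executable extension")
    if any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        findings.append("executable inner extension")
    # The name a server sees after truncating at ';' or NUL and stripping
    # trailing spaces; flag it when that differs from the stored name.
    truncated = re.split(r"[;\x00]", name)[0].rstrip(" ")
    if truncated != name and truncated.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
        findings.append("truncates to executable extension")
    return findings


def audit(names):
    """Map each sample name to its findings (empty list = clean)."""
    return {n: flag_upload_name(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names taken from the patterns listed in the notes.
    SAMPLES = ["photo.jpg", "1234.asp;.jpg", "1234.php.23testafuck",
               "123.jpg/.php", "123.jpg \x00.php"]
    for n, f in audit(SAMPLES).items():
        print(repr(n), "->", f or "clean")
    files = {"/uploads/123.jpg", "/index.php"}   # constructed web root
    for flag in (1, 0):
        print("fix_pathinfo=%d:" % flag,
              resolve_php_script("/uploads/123.jpg/.php", files, flag))
```

The model only covers the path-splitting step; in a real deployment the web server's own SCRIPT_FILENAME handling also matters, and on php-fpm the security.limit_extensions setting (default .php since PHP 5.3.9) is a second layer that refuses to run a .jpg even when fix_pathinfo is left at 1.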
Four, Tomcat middleware vulnerabilities (default port: 8080)
> File upload
If the PUT method is enabled in the configuration file, files can be uploaded, leading to remote code execution
Fix: disable the PUT method
Five, JBoss middleware vulnerabilities
> Deserialization vulnerability
Caused by insufficiently strict filtering of attacker-constructed malicious data
Fix: update, and remove the http-invoker.sar component
Default management console password: admin / admin
Six, WebLogic middleware vulnerabilities (default port: 7001)
> Deserialization vulnerability
> Arbitrary File Upload Vulnerability