Middleware security infrastructure (a) Apache & IIS & Nginx

Table of Contents

Preface

Body

0x01 Middleware - Apache

1. Apache parsing vulnerability

2. Apache newline parsing vulnerability

3. Uncommon extensions (blacklist bypass)

4. Distributed configuration file (.htaccess)

0x02 Middleware - IIS

1. IIS - PUT vulnerability

2. IIS - short file name guessing vulnerability

3. IIS - parsing vulnerability

0x03 Middleware - Nginx

1. Malformed parsing vulnerability

2. CRLF injection

3. Directory traversal

Closing


Preface:

Sometimes I could not even tell middleware, servers and containers apart. I had read a blog post that explained it in great detail, so I excerpted it here.

Mastering middleware vulnerabilities is a great help in penetration testing, for example the Apache and IIS parsing vulnerabilities and the WebLogic deserialization vulnerability.

Basic concepts and roles

Only web middleware, web servers and web containers are covered here, because beyond the web the concept can also extend to databases.

Web server

A web server provides HTTP service, i.e. it returns information to the client. It can handle the HTTP protocol, respond to requests for static pages or images, control page redirects, or delegate dynamic requests to another program (the middleware program), and so on.

Web middleware

Web middleware provides the connection between system software and application software, so that the container can provide communication between the various software components to one or more applications.

Web container

A container provides the runtime environment for web application components (JSP, Servlet). It is an integral part of the middleware and implements the parsing of dynamic languages. For example, Tomcat can parse JSP because it has a JSP container inside.

Categories

web server: IIS, Apache, Nginx, Tomcat, WebLogic, WebSphere, etc.
web middleware: Apache Tomcat, BEA WebLogic, IBM WebSphere, etc.
web container: JSP container, Servlet container, ASP container.

Note: web servers and web middleware overlap, because middleware such as Tomcat also has the functions of a web server.

This paragraph is excerpted from a predecessor's article; click here to jump to the original.

Body:

0x01 Middleware - Apache

1. Apache Parsing Vulnerability

① Vulnerability introduction and cause

Apache's file parsing vulnerability is closely tied to the user's configuration file; strictly speaking it is a user configuration issue.

It is related to a feature of how Apache parses file names:

By default, an Apache file name can have multiple suffixes separated by dots. When a suffix on the right is not recognized, Apache continues with the one to its left. So when we request a file like shell.php.aaa

Apache reaches .php, recognition succeeds, and the file is handled as PHP.

② Fix

Remove the line AddHandler application/x-httpd-php .php from the configuration file.

③ Conditions for exploitation:

  1. PHP runs in module mode and the handler is selected by regular-expression matching
  2. The file name contains at least one .php extension

2. Apache newline parsing vulnerability

(CVE-2017-15715)

Versions 2.4.0 - 2.4.29 have a parsing vulnerability: when parsing PHP, 1.php\x0A is parsed according to the PHP extension, bypassing some of the server's security policies.

I will not explain this vulnerability further.

3. Uncommon extensions (blacklist bypass)

php, php3, php4, php5, phpt, phtml
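The multi-suffix behaviour in section 1, the newline bypass in section 2 and the extension blacklist in section 3 can be modelled together. The following is an added example written for this article, not code from the original post or from the Apache project: it simulates how an AddHandler mapping, a FilesMatch regex anchored with $, and a FilesMatch regex anchored at the true end of the string each treat a file name, and shows an allow-list upload check that rejects every name discussed above. The extension lists and sample file names are constructed.

```python
import re

# Extensions PHP is commonly mapped to (the blacklist-bypass list from the text).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phpt", "phtml"}


def handled_as_php_addhandler(filename):
    """Simulate 'AddHandler application/x-httpd-php .php' semantics.

    mod_mime treats every dot-separated part after the first as an extension,
    and any one of them may select the handler, so 'shell.php.aaa' runs as PHP.
    """
    extensions = filename.split(".")[1:]
    return any(ext.lower() in PHP_EXTENSIONS for ext in extensions)


# FilesMatch with a trailing anchor: only the *last* extension counts ...
FILESMATCH_DOLLAR = re.compile(r"\.(?:php|php3|php4|php5|phpt|phtml)$", re.IGNORECASE)
# ... but '$' also matches just before a trailing newline, which is the pattern
# behind the CVE-2017-15715 bypass ('1.php\x0A'). '\Z' in Python (\z in PCRE)
# anchors at the true end of the string.
FILESMATCH_END = re.compile(r"\.(?:php|php3|php4|php5|phpt|phtml)\Z", re.IGNORECASE)


def handled_as_php_filesmatch(filename, pattern=FILESMATCH_DOLLAR):
    """Simulate '<FilesMatch regex> SetHandler ...' with the given regex."""
    return pattern.search(filename) is not None


# Hardened upload check: an allow-list instead of a blacklist (constructed list).
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def upload_name_is_safe(filename):
    """Accept only 'name.ext' with exactly one extension from the allow-list,
    no path separators, no control characters (rejects '1.php\\n'), and no
    leading dot (rejects '.htaccess')."""
    if not filename or filename.startswith(".") or "/" in filename or "\\" in filename:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    parts = filename.split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1].lower() in ALLOWED_UPLOAD_EXTENSIONS


def classify(filename):
    """Summarise how each configuration would treat a file name."""
    return {
        "addhandler": handled_as_php_addhandler(filename),
        "filesmatch_dollar": handled_as_php_filesmatch(filename),
        "filesmatch_end": handled_as_php_filesmatch(filename, FILESMATCH_END),
        "upload_allowed": upload_name_is_safe(filename),
    }


if __name__ == "__main__":
    # Constructed sample names, including the ones from the text.
    for name in ["photo.jpg", "shell.php.aaa", "x.phtml", "1.php\n", ".htaccess"]:
        print(repr(name), classify(name))
```

In Apache terms the hardened configuration is a FilesMatch block with SetHandler instead of AddHandler, so only the final extension counts, and the $ versus \z distinction is exactly why the regex anchor mattered in the 2.4.0 - 2.4.29 range. The upload check is independent of the server: an allow-list with exactly one extension makes shell.php.aaa, 1.php followed by a newline, and .htaccess all fail no matter how Apache is configured.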

4. Distributed configuration file (.htaccess)

.htaccess provides a way to change configuration per directory: a file containing one or more directives is placed in a particular document directory, and it takes effect on that directory and all of its subdirectories. This means that as long as .htaccess is enabled, it can do whatever it likes.

First, on the command line, rename a file to generate the .htaccess:

ren 1.txt .htaccess
AddType application/x-httpd-php .jpg

1.txt contains the line above, which tells the server: parse .jpg files as PHP.

E.g.:

Use the command ren 1.txt .htaccess in cmd

The configuration file is generated automatically on success.

Steps: first upload the .htaccess configuration file,

then upload the picture trojan.
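A per-directory .htaccess that has been planted in an upload directory is easy to find if you look for it. The following is an added example, not code from the original post or from the Apache project: it walks an upload tree and reports override files containing directives that change how files are executed, and it builds a constructed temporary tree (one planted .htaccess mapping .jpg to PHP as in the text, one harmless .htaccess) to run against. The directory names and the directive list are assumptions.

```python
import os
import re
import tempfile

# Per-directory files Apache reads when AllowOverride permits it.
OVERRIDE_FILES = {".htaccess"}

# Directives that change how a file is executed or served; any of these in an
# upload directory deserves an alert. (Constructed list, extend per site.)
RISKY_DIRECTIVE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|Options|php_value|php_flag)\b", re.IGNORECASE
)


def scan_override_files(root):
    """Walk `root` and return (path, line_no, directive) for each risky line
    found in a per-directory override file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name not in OVERRIDE_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    if RISKY_DIRECTIVE.match(line):
                        findings.append((path, line_no, line.strip()))
    return findings


def build_demo_tree():
    """Create a constructed upload tree in a temp dir: one planted .htaccess that
    maps .jpg to PHP (the text's example) and one harmless .htaccess."""
    root = tempfile.mkdtemp(prefix="uploads_")
    planted = os.path.join(root, "images")
    benign = os.path.join(root, "docs")
    os.makedirs(planted)
    os.makedirs(benign)
    with open(os.path.join(planted, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("AddType application/x-httpd-php .jpg\n")
    with open(os.path.join(planted, "1.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # constructed: JPEG magic bytes only
    with open(os.path.join(benign, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("ErrorDocument 404 /404.html\n")
    return root


if __name__ == "__main__":
    for path, line_no, directive in scan_override_files(build_demo_tree()):
        print(f"{path}:{line_no}: {directive}")
```

The durable fix is AllowOverride None for the upload directory in the main Apache configuration, which makes Apache ignore .htaccess there entirely; the scan above is for finding what has already been written.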


0x02 Middleware - IIS

1. IIS - PUT vulnerability

① Vulnerability introduction and cause

IIS Server has WebDAV enabled under Web Service Extensions and is configured with write permission, resulting in arbitrary file upload.

Version: IIS 6.0

② Vulnerability reproduction

1) Enable WebDAV and write permission

2) Test with Burp

Capture the packet and change the GET request to OPTIONS

3) Test with a tool

The upload succeeds; then upload a one-line webshell, connect with Caidao (China Chopper), and get a shell.

③ Vulnerability fix

Disable WebDAV and write permission


2. IIS - short file name guessing vulnerability

① Vulnerability introduction and cause

IIS's short file name mechanism allows brute-force guessing of short file names: requesting a constructed short file name that exists returns 404, while requesting one that does not exist returns 400.

② Vulnerability reproduction

1) Add an aaaaaaaaaa.html file in the website root directory

3) Perform the guessing

③ Vulnerability fix

Fix methods:

1) Upgrade the .NET Framework

2) Modify the registry to disable the short file name feature

Press Win+R to open the Run window, type regedit to open the Registry Editor, and find the path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem; set the value of NtfsDisable8dot3NameCreation there to 1 (1 means short file names are not created). After the change, the system must be restarted for it to take effect.

3) Disable NTFS 8.3 file name support from CMD

4) Copy the contents of the web folder to another location, e.g. c:\www to d:\w, delete the original folder, then rename d:\w back to c:\www.

After the fix:

④ Limitations

1) This vulnerability can only determine the first 6 characters; if the remaining characters are too long or contain special characters, it is hard to guess;

2) If the file name itself is too short (it has no short file name), it cannot be guessed either;

3) If the first 6 characters of the file name contain spaces, the 8.3 short file name pads them and does not match the real file name;


3. IIS - parsing vulnerability

Supplement: IIS blacklist bypass

Besides parsing files with the ASP extension as ASP, IIS 6.0 also parses files with the extensions .asa, .cer and .cdx as ASP, because IIS 6.0's application extension mappings map .asa, .cer and .cdx to asp.dll by default.

① Semicolon (;) truncation

The second IIS 6.0 vulnerability is the semicolon.
The semicolon (;) bypass: this semicolon is equivalent to the 00 truncation caused by the PHP version issue.
So capture the packet during upload, and rename the ASP trojan
to qwe.asp;.jpg. IIS truncates at the semicolon and reads qwe.asp, but the jpg must be kept, otherwise it cannot be accessed.

②~③ Parsing vulnerabilities caused by special characters
IIS 5.1 and IIS 7.5 do not have this vulnerability.
IIS 6.0 makes a logic error when handling file paths that contain special characters, causing a file parsing vulnerability. The vulnerability has two entirely different forms:
qwe.asp;.jpg is parsed as ASP
qwe.asp/123.jpg is parsed as ASP
In theory you just write any xxx.jpg, and IIS will try to access that image;
if it does not exist, it falls back to the previous file and executes it.

Request /aaa.asp;xxxx.jpg

N1: search for "." from the beginning, obtaining .asp;xxxx.jpg

N2: search for ";" and, if present, truncate in memory

N3: search for "/" and, if present, truncate in memory

Finally the string .asp remains; it is matched against the extensions in the META_SCRIPT_MAP script mapping table and handed to asp.dll for processing.

A claim circulating online:

Files under a directory whose name ends in .asp are parsed by IIS as executable.

Also, ASP is read from left to right, and whatever follows is parsed as ASP. I am not sure about the details.

aa.asp/1.b

In this example, 1.b is also parsed as ASP.
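The three IIS issues above (WebDAV PUT, 8.3 short-name guessing, and the ; and / parsing tricks) each leave a recognisable trace in the IIS W3C log. The following is an added example, not from the original post or from Microsoft: a small parser for the W3C extended log format and detection rules run over it. The log lines are constructed for the example (IPs, timestamps and paths are made up; the 404/400 pattern for short-name probes follows the text).

```python
import re

# Methods that write or rearrange content over WebDAV.
WEBDAV_WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
# 8.3 short names carry a tilde plus digit (e.g. AAAAAA~1.HTM for aaaaaaaaaa.html).
SHORT_NAME = re.compile(r"~[1-9]")
# IIS 6.0 ASP-family extension followed by ';' or '/' (qwe.asp;.jpg, aa.asp/1.b).
ASP_BYPASS = re.compile(r"\.(asp|asa|cer|cdx)[;/]", re.IGNORECASE)


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def detect(rows):
    """Return (rule, client_ip, method, uri, status) for each suspicious row."""
    hits = []
    for r in rows:
        method, uri, status, ip = r["cs-method"], r["cs-uri-stem"], r["sc-status"], r["c-ip"]
        if method == "OPTIONS":  # the probe used to check whether WebDAV answers
            hits.append(("WEBDAV_PROBE", ip, method, uri, status))
        if method in WEBDAV_WRITE_METHODS:
            hits.append(("WEBDAV_WRITE", ip, method, uri, status))
        if SHORT_NAME.search(uri) and status in ("404", "400"):
            hits.append(("SHORT_NAME_GUESS", ip, method, uri, status))
        if ASP_BYPASS.search(uri):
            hits.append(("ASP_PARSING_BYPASS", ip, method, uri, status))
    return hits


# Constructed sample log (not a real capture); the layout follows IIS 6.0 W3C logging.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-02-13 10:00:01 10.0.0.5 GET /index.html - 80 - 192.168.139.20 Mozilla/5.0 200 0 0
2020-02-13 10:00:02 10.0.0.5 OPTIONS / - 80 - 192.168.139.20 Mozilla/5.0 200 0 0
2020-02-13 10:00:03 10.0.0.5 PUT /test.txt - 80 - 192.168.139.20 Mozilla/5.0 201 0 0
2020-02-13 10:00:04 10.0.0.5 MOVE /test.txt - 80 - 192.168.139.20 Mozilla/5.0 201 0 0
2020-02-13 10:00:05 10.0.0.5 GET /aaaaaa~1.htm - 80 - 192.168.139.20 Mozilla/5.0 404 0 0
2020-02-13 10:00:06 10.0.0.5 GET /bbbbbb~1.htm - 80 - 192.168.139.20 Mozilla/5.0 400 0 0
2020-02-13 10:00:07 10.0.0.5 GET /upload/qwe.asp;.jpg - 80 - 192.168.139.20 Mozilla/5.0 200 0 0
2020-02-13 10:00:08 10.0.0.5 GET /upload/aa.asp/1.b - 80 - 192.168.139.20 Mozilla/5.0 200 0 0
"""


def summarize(text=SAMPLE_LOG):
    """Count hits per rule for the given log text."""
    counts = {}
    for rule, *_ in detect(parse_w3c(text)):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(parse_w3c(SAMPLE_LOG)):
        print(hit)
    print(summarize())
```

The WEBDAV_WRITE rule is the one to alert on immediately: on a server where WebDAV has been disabled as the fix section says, a 201 to a PUT should never appear. The short-name rule is noisy on its own (a single tilde request is not proof of anything), so in practice count it per client IP over a window before alerting.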


0x03 Middleware - Nginx

1. Malformed parsing vulnerability

Nginx supports PHP parsing via CGI by default, and the common practice is to set SCRIPT_FILENAME in the Nginx configuration through a regular-expression match.
When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then built into SCRIPT_FILENAME (an absolute path) and passed to PHP CGI. If the cgi.fix_pathinfo=1 option is enabled (the default is 1, so it is enabled unless it has been changed), the following logic in PHP is triggered:

This is also a logic problem, so we only need to append /.php after a normal .jpg to bypass parsing successfully.

Go to the lab

The upload succeeds; then access the path with /.php appended. The principle is that PHP looks for the parent file.

Vulnerability fix

1) Set cgi.fix_pathinfo in php.ini to 0. Then, when PHP parses a path like 1.php/1.jpg, it returns 404 as long as 1.jpg does not exist;

2) In /etc/php5/fpm/pool.d/www.conf, set the value of security.limit_extensions to .php
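The cgi.fix_pathinfo behaviour described above, and both fixes, can be modelled in a few lines. This is an added example, not the original post's code and not PHP's implementation: it walks back a requested path the way PHP does with fix_pathinfo=1, stops immediately with fix_pathinfo=0, and applies an extension allow-list the way php-fpm's security.limit_extensions does. The document root and the set of existing files are constructed.

```python
import posixpath

DOCROOT = "/var/www/html"

# Constructed picture of the document root: which files exist on disk.
EXISTING_FILES = {
    "/var/www/html/index.php",
    "/var/www/html/uploads/phpinfo.jpg",
}


def resolve_script(uri, fix_pathinfo=True, limit_extensions=None):
    """Model how PHP (CGI/FPM) picks the script for SCRIPT_FILENAME = DOCROOT + uri.

    With cgi.fix_pathinfo=1 PHP strips trailing path segments into PATH_INFO until
    it finds a file that exists; with 0 the path must exist exactly as given.
    `limit_extensions` models php-fpm's security.limit_extensions.
    """
    script, path_info = posixpath.normpath(DOCROOT + uri), ""
    while script not in EXISTING_FILES:
        # give up immediately when fix_pathinfo is off, or once we leave the docroot
        if not fix_pathinfo or not script.startswith(DOCROOT + "/"):
            return {"status": 404, "script": None, "path_info": None}
        script, tail = script.rsplit("/", 1)
        path_info = "/" + tail + path_info
    if limit_extensions is not None and posixpath.splitext(script)[1] not in limit_extensions:
        # php-fpm answers "Access denied." (HTTP 403) when the extension is not listed
        return {"status": 403, "script": script, "path_info": path_info}
    return {"status": 200, "script": script, "path_info": path_info}


if __name__ == "__main__":
    request = "/uploads/phpinfo.jpg/1.php"
    print("default      ", resolve_script(request))
    print("fix_pathinfo=0", resolve_script(request, fix_pathinfo=False))
    print("limit .php   ", resolve_script(request, limit_extensions={".php"}))
    print("legit PATH_INFO", resolve_script("/index.php/extra", limit_extensions={".php"}))
```

Running it shows the difference: /uploads/phpinfo.jpg/1.php executes phpinfo.jpg with PATH_INFO=/1.php under the default, becomes a 404 with fix_pathinfo=0, and a 403 when only .php is permitted; /index.php/extra (a legitimate PATH_INFO use) still works with the extension limit, which is why security.limit_extensions is usually the least disruptive of the two fixes.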


2. CRLF injection

① Vulnerability introduction and cause

CRLF is short for "carriage return + line feed" (\r\n).

The HTTP header and HTTP body are separated by two CRLFs; the browser uses the two CRLFs to extract the HTTP content and display it.

By controlling characters in the HTTP message header and injecting malicious line breaks, one can inject session cookies or HTML code; because the Nginx configuration is incorrect, the injected code is executed.

② Vulnerability reproduction

Visit the page and capture the packet

Append /%0d%0a%0d%0a<img src=1 οnerrοr=alert(/xss/)> to the request

Because the page redirects, no popup appears.

③ Vulnerability fix

Change the Nginx configuration file /etc/nginx/conf.d/error1.conf to redirect using the non-decoded URL.


3. Directory traversal

① Vulnerability introduction and cause

Nginx reverse proxy: the static files are stored under /home/, and they are accessed with files in the URL; in the configuration file /files is not closed with a /, so it is possible to traverse to the parent directory.

② Vulnerability reproduction

Visit: http://192.168.139.128:8081/files/

Visit: http://192.168.139.128:8081/files../

Directory traversal succeeds:

③ Vulnerability fix

In the Nginx configuration file /etc/nginx/conf.d/error2.conf, close /files with a /.
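Both Nginx misconfigurations in sections 2 and 3 above (a redirect built from the decoded $uri, and a location /files without a trailing slash combined with alias /home/) can be caught by reading the configuration. The following is an added example, not from the original post: a minimal location-block reader, one check for each misconfiguration, and a function that models the alias substitution to show why /files../ leaves /home/. The sample configuration is constructed and only imitates the error1.conf and error2.conf files from the text; it is not those files.

```python
import posixpath
import re

LOCATION_RE = re.compile(r"^location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{$")
# $uri / $document_uri are URL-decoded and normalised by nginx; $request_uri is raw.
DECODED_URI_VAR = re.compile(r"\$(?:uri|document_uri)\b")


def parse_locations(config):
    """Minimal nginx config reader: returns (modifier, path, [directives]) per
    location block. Assumes one directive per line and '{' / '}' on their own lines
    or at the end of a directive line."""
    locations, stack = [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LOCATION_RE.match(line)
        if m:
            locations.append((m.group(1) or "", m.group(2), []))
            stack.append(len(locations) - 1)
        elif line.endswith("{"):
            stack.append(None)
        elif line == "}":
            stack.pop()
        else:
            owner = next((i for i in reversed(stack) if i is not None), None)
            if owner is not None:
                locations[owner][2].append(line.rstrip(";"))
    return locations


def audit(config):
    """Return (rule, location_path, directive) for each weak setting found."""
    findings = []
    for modifier, path, directives in parse_locations(config):
        for d in directives:
            parts = d.split()
            # prefix location without trailing '/' + alias ending in '/' => /files../ escapes
            if parts[0] == "alias" and modifier == "" and not path.endswith("/") and parts[-1].endswith("/"):
                findings.append(("ALIAS_TRAVERSAL", path, d))
            # decoded $uri copied into a redirect => %0d%0a in the request reaches Location
            if parts[0] in ("return", "rewrite") and DECODED_URI_VAR.search(d):
                findings.append(("CRLF_REDIRECT", path, d))
    return findings


def map_alias(location_prefix, alias_dir, request_path):
    """Model nginx prefix matching plus alias substitution: the matched prefix is
    replaced by the alias directory. Returns the filesystem path nginx would open,
    or None when the location does not match the request at all."""
    if not request_path.startswith(location_prefix):
        return None
    return posixpath.normpath(alias_dir + request_path[len(location_prefix):])


# Constructed configuration: the weak setting next to its corrected form.
SAMPLE_CONFIG = """
server {
    listen 8081;

    # error1.conf style: decoded $uri in a redirect -> CRLF injection
    location /redirect {
        return 302 http://$host$uri;
    }
    # hardened: $request_uri is the raw, still-encoded request line
    location /redirect_safe {
        return 302 http://$host$request_uri;
    }
    # error2.conf style: prefix without trailing slash, alias with one -> traversal
    location /files {
        alias /home/;
    }
    # hardened: the prefix is closed with a slash
    location /files_safe/ {
        alias /home/;
    }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("/files../   ->", map_alias("/files", "/home/", "/files../"))
    print("/files../   ->", map_alias("/files/", "/home/", "/files../"))
```

$uri is URL-decoded and normalised by nginx, so %0d%0a in the request becomes a real CRLF in the Location header; $request_uri carries the raw request line, which is what "redirect using the non-decoded URL" means in practice. For the alias case, closing the prefix as /files/ means /files../ no longer matches that location at all, which is what map_alias returns None for.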


Closing:

I wrote this article by combining what I found with what I already knew. I stayed up too late gaming last night and am worn out today.

As usual, my QR code is at the end; brothers, feel free to add me and chat~~~

I have to go hand in my overdue assignment now.


Origin blog.csdn.net/m0_46304840/article/details/104298707