Two vulnerability Server Parsing Vulnerabilities and the currently popular struts2 Command Execution Vulnerability
0x0.1 resolution Vulnerability
Register a user and upload an image containing malicious code on the Avatar modification page.
-------------------------------------------------------------------
0x0.2 struts2 Command Execution Vulnerability
Http://www.gamemayi.com/mayi.website/web! Index. action
Root permission
0 xEnd
-------------------------
Solution: 0x. 01 Parsing Vulnerability
Temporary solutions provided on the Internet include:
Method ① modify php. ini, set cgi. fix_pathinfo = 0, and restart php-cgi. This modification affects applications that use the PATH_INFO pseudo-static, such as my previous Blog Post URL: The http://blog.s135.com/read.php/348.htm won't be accessible.
Method ② Add the following content to the nginx configuration file and restart: if ($ fastcgi_script_name ~ .. */. * Php) {return 403 ;}. This match affects URL access to a http://www.domain.com/software/5.0/test.php like a http://www.domain.com/goto.php/phpwind (5.0 as a directory.
Method 3: For the location {…} of the stored image {...}, Or virtual host server {...}, Only static access is allowed, and PHP access is not configured. For example, images and attachments uploaded on the Jinshan Xiaoyao Network Forum and SNS will be transmitted to a dedicated image and attachment storage server cluster (pic.xoyo.com). These servers provide pure static services, no dynamic PHP configuration. Almost all major websites are separated from image servers. Therefore, this Nginx vulnerability has little impact on large websites.
I provide a temporary solution to modify the nginx. conf configuration file. It is compatible with the PATH_INFO pseudo-static state of "http://blog.s135.com/demo/0day/phpinfo.php/test" and rejects" ingress vulnerability Attacks:
Location ~ *. *. Php ($ | /)
{
If ($ request_filename ~ * (. *). Php ){
Set $ php_url $1;
}
If (! -E $ php_url.php ){
Return 403;
}
Fastcgi_pass 127.0.0.1: 9000;
Fastcgi_index index. php;
Fcinclude gi. conf;
}
You can also write the following content in the fcgi. conf file for reference by multiple virtual hosts:
If ($ request_filename ~ * (. *). Php ){
Set $ php_url $1;
}
If (! -E $ php_url.php ){
Return 403;
}
Fastcgi_param GATEWAY_INTERFACE CGI/1.1;
Fastcgi_param SERVER_SOFTWARE nginx;
Fastcgi_param QUERY_STRING $ query_string;
Fastcgi_param REQUEST_METHOD $ request_method;
Fastcgi_param CONTENT_TYPE $ content_type;
Fastcgi_param CONTENT_LENGTH $ content_length;
Fastcgi_param SCRIPT_FILENAME $ document_root $ fastcgi_script_name;
Fastcgi_param SCRIPT_NAME $ uri;
Fastcgi_param REQUEST_URI $ request_uri;
Fastcgi_param DOCUMENT_URI $ document_uri;
Fastcgi_param DOCUMENT_ROOT $ document_root;
Fastcgi_param SERVER_PROTOCOL $ server_protocol;
Fastcgi_param REMOTE_ADDR $ remote_addr;
Fastcgi_param REMOTE_PORT $ remote_port;
Fastcgi_param SERVER_ADDR $ server_addr;
Fastcgi_param SERVER_PORT $ server_port;
Fastcgi_param SERVER_NAME $ server_name;
# PHP only, required if PHP was built with-enable-force-cgi-redirect
Fastcgi_param REDIRECT_STATUS 200;
0x0. 2struts2 Command Execution Vulnerability
Upgrade
Author GuoKer (ZhuLiu)