Iis6.0,apache low version, PHP CGI Parsing Vulnerability

IIS6.0 Parsing Vulnerability

Under IIS6.0, there is a file " name. asp; name. jpg"

Represents a jpg file that can be executed as a file of the ASP script type.

Based on this parsing vulnerability, we can upload images of this name type, such as

1.asp;xxx.jpg 他会忽略;后边的内容，所以文件相当于1.asp

ASP a word Trojan Horse

<%eval request ("pass")%>  

After finding the uploaded path, you can connect directly with the chopper. If the file content detection, you have to use the picture of the horse.

Sometimes he would set the file's directory to not execute , and that would be it.

iis6.0 There is also an parsing vulnerability, in the " name. asp" folder inside, the file will be run as ASP script. Administrators are not stupid enough to create such a folder, so you have to be able to build and spread the horse to this stupid folder.
Up to now (July 28, 2018 11:38:03), these two vulnerabilities have not yet been patched.

PHP CGI Vulnerability

Access to the ip/web directory/1.jpg/1.php(1.php does not exist, only 1.jpg exists) will cause 1.jpg to execute as a PHP file.
Create a new JPG, edit the document in a way that writes to the PHP code, and then access

It's all because of this configuration, inside php.ini :cgi.fix_pathinfo=1 ,

is equal to 1 is open, when access to the top of the directory is, Nginx see the last/1.php will not be the first to determine whether 1.php exists, will be directly to PHP processing, PHP cgi.fix_pathinfo Reason, will 1.jpg as the name is called 1.jpg/1.php such a php file.

This is not nginx vulnerability, PHP is a problem, parsing files, IIS7.0 is also the case.

workaround : In the PHP configuration file, only PHP files are allowed to execute. However, the security.limit_extensions settings in the higher version of php-fpm.conf only perform PHP php3 php4 phtml. I did not find the configuration file on the Windows installation Phpstudy, so I cut a picture on Linux.

apache1.x/2.x Parsing Vulnerability

Apache parses files from right to left , if you don't know them, move to the left, for example

1.php.abc is a file, the ABC type of Apache does not know, so it will be parsed into a PHP file, equivalent to 1.php

Apache recognized file types in the mime.types file in the conf directory

Iis6.0,apache low version, PHP CGI Parsing Vulnerability