Nginx file Type Error parsing Vulnerability--attack walkthrough

Read a book today see one of the loopholes mentioned, that is nginx+php server, if the configuration of PHP cgi.fix_pathinfo=1 so there will be a vulnerability. This configuration is 1 by default and setting to 0 will cause many MVC frameworks (such as thinkphp) to run. This loophole is such as localhost/img/1.jpg is normal access to a picture, and localhost/img/1.jpg/1.php will take this picture as PHP file to execute! For example, it should be 404 NotFound is Right, it shows that there is a grammatical error.

Well, if there's a loophole, then try to attack it. First look at the idea: first make a very small JPG file easy to modify, and then insert the code in the jpg file, then upload, and finally open in the browser.

The first step, the small jpg file of course is directly with Photoshop to do one;

A few pixels will suffice. Whatever you like, it's OK.

The second step, insert the code in the JPG, this need to use the binary editor;

How can JPG images be modified to be executable PHP code? This is an example of a function phpinfo (), which performs a successful execution of an output PHP running environment information, for experimental purposes.

First here to edit the picture is not to say with drawing or phtoshop such as graphics software, this time to use the software called the Binary editor, which I used the name Bz.exe, open the picture file as

Do not be frightened, that is, 16 of the number of binary, the right is shown is the corresponding ASCII code, we directly change to the right. Through the comparison of several JPG files found, from the second line can be modified on its own, so start to modify, pay attention not to use the backspace deletion resulting in shortened length, to be replaced with characters, otherwise it will cause file format corruption. Modify it to as, save to local picture folder, test locally.

！ Be careful not to use backspace delete resulting in shortened length, image damage, such as the first one after the change does not show the thumbnail image is already damaged, damaged images may be intercepted at the time of uploading.

After you change it, then test locally.

It seems that there are some PHP syntax errors, it is simple and rude, modified to this, that is, to use the back of the contents of the * * to comment out the end with */closed comments, of course, the end of the comments do not add, will only show a more "unterminated comment Starting "warning.

As you can see, the PHP code can already be executed. Local Attack Walkthrough Successful!

The third step, upload, because upload is really jpg format of the file, the site is almost unrecognized and intercepted; Fourth step, open in the browser, Hello world!

The success of this step requires two conditions:

1) The server is nginx+php and the configuration is cgi.fix_pathinfo=1;

2) The Web site does not block the upload directory of script execution permissions;

So, slowly find it, perhaps can meet but not beg;

|++ the impact effect of this vulnerability and "File Upload vulnerability" is quite ∞, defense recommendations

1) using the mature and tried-and-tested server software such as Apache, IIS, and the support of dynamic language, Nginx is too old.

2) upload directory, static resource directory, all set to mask script execution permissions. For example, use the Apache server to put a. htaccess file in the appropriate directory.

rewriteengine onrewriterule (? i:\.php) $-[F]

Nginx File Type Error parsing Vulnerability--attack walkthrough