| = -------------------------------- = |
| = --------- = [NTFS data stream and web security] = --------- = |
| = -------------------------------- = |
| = ------------- = [By 80sec] = ------------ = |
| = ------ = [Xy7@80sec.com & jianxin@80sec.com] = ------ = |
| = -------------------------------- = |
Brief Introduction to NTFS stream:
NTFS is a better file system because of its stability and security. NTFS alternate data streams (ADSs) were designed for compatibility with the Macintosh HFS file system, which uses resource forks to maintain file-related information such as icons. The syntax for creating an ADS is simple and straightforward: to create an ADS associated with myfile.txt, you only need to use a colon to separate the file name from the ADS name. For example:
D:\ads> echo This is an ADS > myfile.txt:hidden
So what is the relationship between this feature and script security? xy7 of 80sec provides the following test code:
/*---------------------------------------
<?php
// 80sec.php: the file name is built directly from the "a" request parameter
$fp = fopen($_GET['a'] . ".txt", "w");
fwrite($fp, "80sec.com");
?>
---------------------------------------*/
When 80sec.php?a=x.php: is requested on Windows, an x.php file is generated, but its content is empty :) This actually disrupts the program logic, because generating a PHP file is not supposed to be allowed. So what is going on? Run in Notepad:
notepad x.php:.txt
You can see the actual file path. Is this path usable in other file operation functions? After testing, file_exists and include can both use this path, although it is invisible in the file directory and to the dir command. Testing also shows that characters such as <> and " that are not allowed in ordinary file names are allowed in this path. These characters may go unnoticed during file operations and cause security problems.
In addition, such files make it easy to hide code on Windows systems, for example hiding backdoor code in a PHP file and then including that file from another place for execution. This type of hidden file cannot be viewed at the script level. You must use the corresponding tools to view it.
Because of the special nature of these file names, they may be able to pass some file upload security checks. However, after testing, we found that this type of file cannot be accessed through Apache or IIS, so even if the file is uploaded successfully, you may not be able to access it directly and execute it as code :) It is not ruled out, however, that other HTTP servers on Windows can process such file names without any problem. The issue is caused by Windows itself, so it should also exist in other scripting environments such as ASP.
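
A hardened counterpart to the test script above, as an added example that is not part of the original 80sec article: the request-supplied name is checked against an allow-list before it is concatenated into a path, so the colon stream separator and the <> and " characters never reach fopen, file_exists or include. The names NOTE_DIR and note_path and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the original article.
// Hypothetical storage directory for the generated .txt files.
const NOTE_DIR = __DIR__ . '/notes';

/**
 * Return the path for "<name>.txt" inside NOTE_DIR, or null if the
 * name is rejected. (note_path is a hypothetical helper name.)
 */
function note_path(string $name): ?string
{
    // Allow-list: letters, digits, underscore and hyphen only. One rule
    // excludes ':' (the ADS separator), '.', path separators, and < > ".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // Windows device names pass the allow-list but are not regular files.
    if (preg_match('/\A(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])\z/i', $name)) {
        return null;
    }
    return NOTE_DIR . DIRECTORY_SEPARATOR . $name . '.txt';
}

// Constructed sample inputs, including the value used in the article.
$samples = ['report', 'x.php:', 'x.php::$DATA', 'a<b', '..\\boot', 'NUL'];
foreach ($samples as $s) {
    $p = note_path($s);
    printf("%-14s => %s\n", $s, $p === null ? 'REJECTED' : $p);
}
```

Only "report" yields a path; every other sample, including the article's x.php: value, is rejected before any file operation runs.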