Author: SuperHei
Nature of the article: original
Release date: 2005-10-18
================== Contents =================================
I. Windows
Windows supports ..\
Windows ignores trailing dots
II. *nix systems
Reading / as a file on FreeBSD
Case sensitivity
III. IIS and Apache
Parsed file types
IIS 6 behaviour
Apache file name parsing vulnerability
IV. Configuration file locations
========================================
I. Windows
1. Windows supports ..\
Feature: on Windows, cross-directory operations can be done with ..\ as well as ../, because the OS accepts the backslash as a path separator.
Exploitation: when a web application filters directory-traversal sequences, this can be used to get past the filter during cross-directory operations.
Instance: the MolyX Board attachment.php `attach` variable loose-filtering vulnerability (http://4ngel.net/article/50.htm). The fix given in angel's article filtered only / and not \, so the vulnerability remained on Windows hosts; see http://www.4ngel.net/blog/hei/index.php?action=show&id=92
2. Windows ignores trailing dots
Feature: Windows drops a trailing dot from a file name, so test.php. is equivalent to test.php.
Exploitation: uploading webshells.
Instance: none yet.
II. *nix systems
1. Reading / as a file on FreeBSD (ps: may also exist on other systems)
Feature: because of the way FreeBSD's file system stores directories, a directory can be listed by reading it as a file. For example, running cat / on FreeBSD returns all folders and files in the root directory:
cat /
(the output is raw directory data interspersed with binary bytes; the readable entry names are:)
. .snap dev usr var etc cdrom dist bin boot lib libexec mnt proc rescue root sbin tmp sys .cshrc .profile COPYRIGHT compat home entropy
Exploitation: MySQL injection with load_file() can perform the same directory listing, for example load_file(0x2F) [0x2F is the hex value of /], or load_file(0x2Froot0x2F) [i.e. /root/ hex-encoded].
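As a defender's counterpart to the load_file() technique above, the following Python is an added example (not part of the original article) that scans web-server access logs for load_file() calls carrying hex-encoded arguments and decodes the requested path. The log lines are constructed for this example, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache's common format. The two
# load_file(0x...) requests mirror the injection examples in the text.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2005:10:00:00 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [18/Oct/2005:10:00:01 +0800] "GET /index.php?id=1%20union%20select%20load_file(0x2F) HTTP/1.1" 200 3210
10.0.0.9 - - [18/Oct/2005:10:00:02 +0800] "GET /index.php?id=1%20union%20select%20LOAD_FILE%280x2F726F6F742F%29 HTTP/1.1" 200 3100
10.0.0.5 - - [18/Oct/2005:10:00:03 +0800] "GET /docs/load_file.html HTTP/1.1" 200 2048
"""

# Request line: client IP, then the quoted "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')
# load_file() with a hex-literal argument, matched after URL-decoding.
LOAD_FILE_RE = re.compile(r"load_file\s*\(\s*0x([0-9a-f]+)\s*\)", re.IGNORECASE)


def decode_hex_literal(hexdigits: str):
    """Turn MySQL's 0x2F726F6F742F into '/root/'; None if the literal is malformed."""
    if len(hexdigits) % 2:
        return None
    return bytes.fromhex(hexdigits).decode("latin-1")


def find_load_file_reads(log_text: str):
    """Return (client_ip, decoded_path) for every load_file(0x...) call seen."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # Decode %20, %28 etc. first so keyword and parentheses are visible.
        for call in LOAD_FILE_RE.finditer(unquote(target)):
            hits.append((client, decode_hex_literal(call.group(1))))
    return hits


if __name__ == "__main__":
    for client, path in find_load_file_reads(SAMPLE_LOG):
        print(f"{client} attempted load_file() on {path!r}")
```

Detection only tells you after the fact; the control that actually stops these reads is not granting the FILE privilege to the account the web application uses to connect to MySQL, since load_file() returns NULL without it.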
2. Case sensitivity
Feature: file names on *nix systems are case-sensitive, while on Windows they are not.
Exploitation: the simplest and most direct way to tell which system a web server runs.
Instance: request the following separately:
http://www.4ngel.net/blog/hei/index.php returns normally
http://www.4ngel.net/blog/hei/inDex.php reports that the file does not exist
This shows that the host www.4ngel.net is not a Windows system.
III. IIS and Apache
1. Parsed file types
Besides asp, IIS also parses asa, cer, cdx and htr.
Apache + PHP parses php3, php4 and phpx in addition to php.
Because web applications often overlook these extensions when filtering uploads, webshells can be uploaded.
2. IIS 6 behaviour
In IIS 6.0, if a directory name contains .asp, every file in that directory is executed as an ASP file. For example, save a webshell as test.asp/webshell.gif; when http://xxx/test.asp/webshell.gif is requested under IIS 6, webshell.gif is parsed as ASP. This can be used to obtain a webshell through database backup and to plant backdoors.
3. Apache file name parsing vulnerability
When Apache resolves a file name, it checks the suffixes from the end and runs the file according to the last suffix it recognises. For example, in cmdshell.php.heige the suffix .heige is unknown to Apache, so Apache treats the file as PHP.
Exploitation:
A. Some web programs rename install.php to install.php.lock, install.php.bak, etc. after installation.
Example: BMForum
B. Finding upload vulnerabilities
Instance: Discuz! and so on
C. ...
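A defensive way to handle the parsing rules in this section and in section I (Windows trailing-dot stripping, the IIS 6 .asp-directory rule and Apache's last-recognised-suffix rule) is to validate upload names against all of them at once rather than looking only at the final extension. The Python below is an added example, not code from the article or from any of the forums it names; the image-extension allowlist and the helper names are assumptions for illustration.

```python
# Extensions the article lists as executable by IIS (asp and friends) and by
# Apache+PHP; none of these may be reachable from an uploaded file name.
EXECUTABLE_EXTENSIONS = {"asp", "asa", "cer", "cdx", "htr",
                         "php", "php3", "php4", "phpx"}

# Allowlist of what a hypothetical image-upload handler actually wants.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}


def windows_normalize(name: str) -> str:
    """Model the Windows rule that trailing dots and spaces are dropped,
    so 'test.php.' is stored as 'test.php'."""
    return name.rstrip(". ")


def apache_effective_extension(name: str, known=EXECUTABLE_EXTENSIONS):
    """Apache's multi-extension rule: walk the suffixes from the right and the
    first one that maps to a handler wins ('cmdshell.php.heige' -> 'php').
    Returns None when no suffix is recognised."""
    parts = name.lower().split(".")[1:]   # drop the base name
    for ext in reversed(parts):
        if ext in known:
            return ext
    return None


def iis6_asp_directory(path: str) -> bool:
    """IIS 6.0 runs every file inside a directory whose name contains '.asp'
    as ASP, whatever the file's own extension."""
    segments = path.replace("\\", "/").split("/")[:-1]
    return any(".asp" in seg.lower() for seg in segments)


def validate_upload_name(raw: str):
    """Return (accepted, reason). Reject names that the OS or web server would
    interpret differently from a naive last-suffix check."""
    if "\x00" in raw:
        return False, "NUL byte in file name"
    # Windows accepts both separators; reject either so '..' tricks and
    # IIS 6-style 'dir.asp/file.gif' paths cannot be smuggled in.
    if "/" in raw or "\\" in raw:
        return False, "path separator in file name"
    name = windows_normalize(raw)
    if name != raw:
        return False, "trailing dot/space would be stripped by Windows"
    if name.startswith(".") or "." not in name:
        return False, "no usable extension"
    if apache_effective_extension(name) is not None:
        return False, "an executable suffix would be honoured by Apache"
    if name.rsplit(".", 1)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not on the allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("photo.png", "test.php.", "cmdshell.php.heige",
                      "install.php.bak", "test.asp/webshell.gif"):
        print(f"{candidate!r:28} -> {validate_upload_name(candidate)}")
```

The same rule explains why renaming install.php to install.php.bak is not a fix on Apache: the .php suffix is still the last one Apache recognises, so the installer remains executable. Deleting the file, or moving it outside the web root, is the safe option.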
IV. Configuration file locations
Every system has its own configuration files (including those of third-party software) at relatively fixed locations, and these files contain sensitive information about the server. When we exploit any web vulnerability that operates on files (include vulnerabilities, MySQL injection with load_file(), etc.), reading or downloading these configuration files leaks that sensitive information. For example:
Windows: boot.ini; MySQL: %SYSTEMROOT%/my.ini; Serv-U: c:\program files\serv-u\servudaemon.ini, etc.
*nix: files under the /etc/ directory
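One way to stop include and download handlers from reaching the configuration files listed above is to canonicalise every requested path and confine it to the web root before opening it, treating backslash as a separator as well (the gap in the MolyX fix from section I). The Python below is an added example, not from the article; confine_to_root and make_demo_root are assumed names, and the directory tree it builds is constructed for the example.

```python
import os
import tempfile


def confine_to_root(root: str, requested: str):
    """Resolve `requested` under `root` and return the canonical path only when
    it stays inside `root`; return None for anything that escapes."""
    if "\x00" in requested:
        return None                      # NUL would truncate the name in C APIs
    # Treat backslash as a separator: Windows hosts do, so a filter that only
    # handles '/' can be bypassed with ..\ on such a host.
    cleaned = requested.replace("\\", "/")
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks. An absolute `cleaned`
    # simply replaces root_real inside join(); the prefix check catches it.
    candidate = os.path.realpath(os.path.join(root_real, cleaned))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if candidate == root_real:
        return None                      # the root itself is not a file to serve
    return candidate


def make_demo_root() -> str:
    """Create a throwaway web root holding one legitimate file (constructed data)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")   # just the PNG signature; enough for a demo
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for req in ("images/logo.png", "../../etc/passwd", "/etc/passwd",
                "..\\..\\boot.ini", "images/../images/logo.png"):
        print(f"{req!r:32} -> {confine_to_root(root, req)}")
```

The check is done on the canonical path rather than on the raw string, so encoded or doubled traversal sequences that survive a string filter are still caught once the path is resolved.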
Summary
This article is just a summary of my personal experience. Since my knowledge is limited, if anything is wrong, or if you have good discoveries and experience of your own, I look forward to your sharing them!