IIS 5.x / 6.0 parsing vulnerability
Trigger conditions
Server: Windows Server 2003
Script language: ASP
Exploitation method
1. /xx.asp/xx.jpg: IIS parses and executes every file under a directory named xx.asp as ASP.
2. xx.asp;.jpg: by default IIS ignores everything after the semicolon, so the file is handled as xx.asp.
3. xx.asa, xx.cer and xx.cdx are all parsed as ASP by IIS by default.
Protection
1. Do not let users control the upload directory, create new directories, or hold similar permissions.
2. The upload directory and any user-created directory must not be allowed to execute scripts.
3. Rename uploaded files and do not keep the suffix supplied by the user.
4. Forbid uploading files whose suffix is asa, asp, cer, cdx, etc.
IIS 7.0 / 7.5 and nginx < 8.03 malformed parsing vulnerability
Trigger conditions
1. PHP + nginx < 8.03 with FastCGI enabled
2. PHP + IIS 7.5 with cgi.fix_pathinfo enabled
Exploitation method
1. Upload a picture xx.jpg with PHP code embedded in it.
2. Requesting http://www.test.com/xx.jpg/.php executes the PHP code inside the image.
3. http://www.test.com/1.jpg.php and http://www.test.com/1.jpg/\0.php can also be used.
Protection
1. Edit php.ini and set cgi.fix_pathinfo to 0;
2. Add the following code to the nginx configuration file:
The above code matches URLs that fit the exploitation pattern and returns 403.
3. Upgrade nginx to the latest version.
Apache parsing vulnerability
Vulnerability principle
This vulnerability comes from a parsing feature of Apache: it reads the file name from right to left, suffix by suffix, until it reaches a file type it recognizes.
Exploitation method
Upload test.php.xxx. Since the suffix .xxx is unknown to Apache, it moves on to .php and executes the file as PHP.
Protection
1. Add the following code to httpd.conf:
2. Upgrade the Apache version.
Windows file system characteristics
1. File names are not case sensitive.
2. Windows automatically strips characters that do not conform to its file naming rules; for example:
Test.asp.
Test.asp (trailing space)
test.asp:1.jpg
All of the above can bypass blacklist checks and be uploaded to obtain a webshell.