
File parsing vulnerabilities by platform

Posted by fierce at 2020-02-27

IIS 5.x / 6.0 parsing vulnerability

Trigger conditions

Server: Windows Server 2003

Scripting language: ASP

Exploitation method

1. /xx.asp/xx.jpg: IIS treats every file inside a directory named xx.asp as ASP and executes it

2. xx.asp;.jpg: by default IIS ignores everything after the semicolon, so the file is handled as xx.asp

3. xx.asa, xx.cer and xx.cdx are all parsed as ASP by IIS by default

Protective measures

1. Do not let users control the upload directory, create new directories, or hold similar permissions

2. Upload directories and directories created by users must be restricted

3. Rename uploaded files; do not keep the extension supplied by the user

4. Forbid uploading files with extensions such as .asa, .asp, .cer and .cdx

IIS 7.0 / 7.5 and nginx < 8.03 malformed-path parsing vulnerability

Trigger conditions

1. PHP + nginx < 8.03 with FastCGI enabled

2. PHP + IIS 7.5 with cgi.fix_pathinfo enabled

Exploitation method

1. Upload an image xx.jpg with PHP code embedded in it

2. Requesting http://www.test.com/xx.jpg/.php executes the PHP code inside the image

3. http://www.test.com/1.jpg.php and http://www.test.com/1.jpg/\0.php can also be used

Protective measures

1. Edit php.ini and set cgi.fix_pathinfo to 0;

2. Add the following to the nginx configuration file:

The configuration above matches URLs of the form used in the exploitation method and returns 403

3. Upgrade nginx to the latest version

Apache parsing vulnerability

Vulnerability principle

This vulnerability stems from how Apache resolves file names: it reads the extensions from right to left until it reaches a file type it recognizes.

Exploitation method

Upload test.php.xxx. Since Apache does not recognize the .xxx suffix, it moves on to .php and executes the file as PHP.

Protective measures

1. Add the following to httpd.conf

2. Upgrade the Apache version
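The three sections above (IIS 5.x/6.0, IIS 7.x/nginx with cgi.fix_pathinfo, and Apache's right-to-left extension resolution) each describe a request path shape that a web server log will show when the quirk is being probed. The following is an added example, not code from the original post, that runs those shapes as detection rules over a few constructed access-log lines; the rule names, the log format and the sample lines are this example's own assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Request-path signatures for the parsing quirks described on this page.
# The rule names and grouping are this example's own, not an official taxonomy.
PATTERNS = {
    # IIS 5.x/6.0: a directory whose name ends in a script extension
    # (/xx.asp/xx.jpg) makes IIS run every file under it as ASP.
    "iis6_script_dir": re.compile(r"\.(?:asp|asa|cer|cdx)/[^/]+$", re.IGNORECASE),
    # IIS 5.x/6.0: xx.asp;.jpg, the part after ';' is ignored by the server.
    "iis6_semicolon": re.compile(r"\.(?:asp|asa|cer|cdx);", re.IGNORECASE),
    # IIS 7.x / nginx with cgi.fix_pathinfo: an image followed by a ".php" path component.
    "cgi_pathinfo": re.compile(r"\.(?:jpe?g|png|gif)/[^/]*\.php$", re.IGNORECASE),
    # 1.jpg.php: an image extension immediately followed by .php.
    "image_then_php": re.compile(r"\.(?:jpe?g|png|gif)\.php$", re.IGNORECASE),
    # 1.jpg/%00.php: an embedded NUL byte once the path is percent-decoded.
    "null_byte": re.compile(r"\x00"),
    # Apache right-to-left resolution: test.php.xxx (one or more unknown suffixes after .php).
    "apache_multi_ext": re.compile(r"\.php(?:\.[^./]+)+$", re.IGNORECASE),
}

# Matches the request line inside a common/combined log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def classify_target(target: str) -> list:
    """Return the names of every rule the request target matches, in PATTERNS order."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
    return [name for name, rx in PATTERNS.items() if rx.search(path)]


def scan_log_lines(lines) -> list:
    """Yield (raw_target, [rule names]) for every log line that trips at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = classify_target(m.group("target"))
        if hits:
            findings.append((m.group("target"), hits))
    return findings


# Constructed sample log lines (not real traffic); one benign request at each end.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2020:10:00:01 +0000] "GET /images/logo.jpg HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Feb/2020:10:00:02 +0000] "GET /upload/xx.asp/xx.jpg HTTP/1.1" 200 412',
    '203.0.113.5 - - [27/Feb/2020:10:00:03 +0000] "GET /upload/xx.asp;.jpg HTTP/1.1" 200 412',
    '203.0.113.5 - - [27/Feb/2020:10:00:04 +0000] "GET /upload/xx.jpg/.php HTTP/1.1" 200 88',
    '203.0.113.5 - - [27/Feb/2020:10:00:05 +0000] "GET /upload/1.jpg/%00.php HTTP/1.1" 200 88',
    '203.0.113.5 - - [27/Feb/2020:10:00:06 +0000] "GET /upload/test.php.xxx HTTP/1.1" 200 88',
    '203.0.113.5 - - [27/Feb/2020:10:00:07 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, hits in scan_log_lines(SAMPLE_LOG):
        print(f"{target}: {', '.join(hits)}")
```

A hit on cgi_pathinfo or image_then_php is only meaningful when the server really does hand such paths to PHP, so the rule set is a triage aid for the upload directory rather than a verdict; the 200 status in the constructed lines is what turns a probe into an incident worth investigating.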

Windows file system features

1. File names are not case-sensitive

2. Characters that violate the naming rules are removed automatically, for example:

Test.asp.

Test.asp (space)

test.asp:1.jpg

All of the above can bypass blacklist checks, so the upload succeeds and yields a webshell
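The protective measures listed for IIS (rename the file, drop the user's extension, forbid script extensions) and the Windows naming behaviour just described (case folding, trailing dot and space removal, the colon of an alternate data stream) have to be applied together, or a blacklist on the raw name is bypassed. The following is an added example, not code from the original post, that first reduces a client-supplied name to what a Windows host would actually store and only then applies an extension allow-list, checking every dot-separated segment rather than the last one so Apache's right-to-left resolution is covered too. The function names, the allow-list and the rejection policy for multiple extensions are this example's own assumptions.

```python
import secrets

# Extensions the upload endpoint is willing to store (assumed policy: images only).
ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Extensions that must never appear anywhere in the name (from the page's list, plus php).
SCRIPT_EXTS = {"asp", "asa", "cer", "cdx", "aspx", "php", "phtml"}


class UnsafeFilename(ValueError):
    """Raised when a client-supplied file name is rejected."""


def canonical_name(user_name: str) -> str:
    """Reduce a client-supplied name to what a Windows/IIS host would actually store."""
    # Keep only the last path component: users get no say over the directory.
    name = user_name.replace("\\", "/").rsplit("/", 1)[-1]
    # A NUL terminates the name in many C-based stacks (1.jpg\0.php -> 1.jpg).
    name = name.split("\x00", 1)[0]
    # NTFS alternate data stream: test.asp:1.jpg is stored as test.asp.
    name = name.split(":", 1)[0]
    # IIS 6 semicolon truncation: xx.asp;.jpg is served as xx.asp.
    name = name.split(";", 1)[0]
    # Windows drops trailing dots and spaces: "Test.asp." and "Test.asp " -> Test.asp.
    name = name.rstrip(". ")
    # Windows file names are case-insensitive, so compare in one case.
    return name.lower()


def stored_name(user_name: str) -> str:
    """Return a random server-side name carrying only an allow-listed extension."""
    name = canonical_name(user_name)
    if not name or "." not in name:
        raise UnsafeFilename("no extension")
    exts = name.split(".")[1:]  # every extension segment, as Apache would see them
    if any(e in SCRIPT_EXTS for e in exts):
        raise UnsafeFilename("script extension present")
    if len(exts) != 1:
        # Conservative: a.b.jpg is refused rather than reasoning about each suffix.
        raise UnsafeFilename("multiple extensions")
    if exts[0] not in ALLOWED_IMAGE_EXTS:
        raise UnsafeFilename("extension not allowed")
    # The user's base name is discarded entirely; only the vetted extension survives.
    return f"{secrets.token_hex(16)}.{exts[0]}"


def is_accepted(user_name: str) -> bool:
    """Convenience wrapper: True when stored_name() would accept the name."""
    try:
        stored_name(user_name)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the bypass forms listed on this page.
    for candidate in ["photo.JPG", "Test.asp.", "Test.asp ", "test.asp:1.jpg",
                      "xx.asp;.jpg", "test.php.xxx", "shell.jpg.php"]:
        print(f"{candidate!r:20} -> {'accepted' if is_accepted(candidate) else 'rejected'}")
```

Because the stored name is generated server-side, the user's base name never reaches the file system, which is what makes the renaming advice above effective; canonicalising before the check is what defeats the trailing-dot, trailing-space and colon forms.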
