File parsing vulnerabilities summary (IIS, APACHE, NGINX)

(This article is reproduced from https://blog.csdn.net/qq_36119192/article/details/82834063 )

File Parsing Vulnerability

File parsing vulnerabilities arise mainly from improper configuration by the site administrator or from flaws in the web server itself, which in certain situations cause IIS, Apache, Nginx or other web servers to interpret and execute special files as script files.

For example, if the site administrator configures the server improperly, files with suffixes such as php2, phtml and ascx are also executed as script files. In some cases an administrator's configuration error even causes static page suffixes such as .html and .xml to be treated as script files and executed.

However, most parsing vulnerabilities are vulnerabilities in the web server itself, which lead to a special file being executed as a script file.

IIS Parsing Vulnerability

Directory parsing vulnerability (/test.asp/1.jpg)

In IIS 5.x/6.0, if a folder in the site is named *.asp, *.asa, *.cer or *.cdx, every file under that folder, whatever its extension, is interpreted and executed by IIS as an ASP file. For example, create a directory named test.asp, and /test.asp/1.jpg will be executed as an ASP file. If an attacker can control the upload folder path, an uploaded image yields a shell regardless of whether the file can be renamed.

Filename parsing vulnerability (test.asp;.jpg)

In IIS 5.x/6.0 the semicolon is not parsed, so xie.asp;.jpg is seen by the server as xie.asp. In addition, the executable extensions of IIS 6.0 by default include .asa and .cer besides .asp. Some sites validate uploaded files only by checking the extension, so uploading a file named *.asp;.jpg, *.asa;.jpg or *.cer;.jpg passes the server's check while the server executes it as an ASP file.

Malformed parsing vulnerability (test.jpg/*.php)

Microsoft released IIS 7.0 with a patch for the IIS 6.0 vulnerability, but IIS 7.0 unexpectedly turned out to have a more severe malformed parsing vulnerability, so Microsoft hurriedly released IIS 7.5.

In IIS 7.0, where Fast-CGI is enabled by default, we write the following code inside the picture:

Save the file as test.jpg and upload it to the server. Assuming the upload path is /upload, after a successful upload directly access /upload/test.jpg/x.php; this is where the malformed parsing takes effect. test.jpg is treated by the server as a PHP file and executed, so the code inside the picture runs. We will then find that the one-line trojan has created a file shell.php in the /upload directory.

Temporary fix: set cgi.fix_pathinfo to 0.

This parsing vulnerability is the same as the Nginx parsing vulnerability described below.

Other Parsing Vulnerability

In a Windows environment, files named xx.jpg[space] or xx.jpg. (with a trailing dot) cannot exist: if such a name is used, Windows strips the trailing space or dot by default. An attacker can intercept the request and add a space or dot to the file name to bypass a blacklist; if the upload succeeds, Windows automatically removes the space or dot.

Nginx Parsing Vulnerability

Malformed parsing vulnerability (test.jpg/*.php)

Causes of the vulnerability:

cgi.fix_pathinfo is enabled in the PHP configuration file php.ini

security.limit_extensions in /etc/php5/fpm/pool.d/www.conf is misconfigured, allowing files of other formats to be parsed and executed as PHP

In an Nginx < 0.8.03 environment, create a new file containing <?php phpinfo(); ?> and rename it to test.jpg.

Accessing http://192.168.10.139/test.jpg in the browser shows a picture parsing error. Accessing http://192.168.10.139/test.jpg/test.php in the browser shows: Access denied. This is strange: test.jpg is not a directory and test.php does not exist, yet accessing /test.jpg/test.php does not return 404 but displays Access denied.

The reason is that after Nginx receives the file path (more precisely, the URI) /test.jpg/test.php, it sees that the suffix is .php, treats the file as a PHP file and hands it to PHP for processing. PHP sees that /test.jpg/test.php does not exist, strips the last component /test.php, sees that /test.jpg exists, and takes /test.jpg as the file to execute. Because its suffix is .jpg, PHP decides that this is not a PHP file and returns Access denied.

This involves a PHP option, cgi.fix_pathinfo, whose default value is 1 (enabled). What does enabling it do? It processes the file name as a path. For example, when PHP encounters the file path /aaa.xxx/bbb.yyy/ccc.zzz and /aaa.xxx/bbb.yyy/ccc.zzz does not exist, it removes the last component /ccc.zzz and checks whether /aaa.xxx/bbb.yyy exists; if it does, /aaa.xxx/bbb.yyy is used as the file for /aaa.xxx/bbb.yyy/ccc.zzz; if /aaa.xxx/bbb.yyy still does not exist, it continues by removing /bbb.yyy, and so on.

The option lives in the php.ini configuration file. If it is turned off, accessing http://127.0.0.1/test.jpg/test.php returns only "file not found". But turning the option off may cause other errors, so it is generally left enabled by default.

But so far we have not been able to execute the code: test.jpg is not executed as a PHP file but returns Access denied, because newer versions of PHP introduced security.limit_extensions, which restricts the extensions of executable files and by default allows only .php files to be executed.
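To make the resolution concrete, here is an added Python model (not code from the article) of the path-stripping that the cgi.fix_pathinfo paragraph describes, run against a constructed set of existing files; the outcome strings "Access denied" and "File not found" mirror the responses reported above, and the security.limit_extensions and cgi.fix_pathinfo parameters show which setting stops which step.

```python
import posixpath

# Constructed virtual document root standing in for the server's files;
# only these paths "exist". Assumption for this example, not from the article.
DOCROOT = {"/index.php", "/upload/test.jpg", "/aaa.xxx/bbb.yyy"}


def resolve_script(uri: str, fix_pathinfo: bool = True,
                   limit_extensions=(".php",), exists=DOCROOT.__contains__) -> str:
    """Model of how a PHP-FPM backend picks the script for a URI that Nginx
    forwarded only because it ends in .php. Returns the outcome as text."""
    script, path_info = uri, ""
    if not exists(script):
        if not fix_pathinfo:               # cgi.fix_pathinfo=0: no walking back
            return "File not found"
        # cgi.fix_pathinfo=1: drop one trailing component at a time until
        # some prefix exists; the dropped tail becomes PATH_INFO.
        while "/" in script.strip("/"):
            script, tail = script.rsplit("/", 1)
            path_info = "/" + tail + path_info
            if exists(script):
                break
        else:
            return "File not found"
    ext = posixpath.splitext(script)[1]
    # security.limit_extensions: the prefix found must still be a .php file.
    if limit_extensions and ext not in limit_extensions:
        return "Access denied"
    return f"execute {script} (PATH_INFO={path_info})"
```

Nginx-side, serving `.php` locations with `try_files $uri =404` before passing to FastCGI removes the premise entirely, since the URI must name an existing file.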

This vulnerability is caused by improper PHP configuration under Nginx and has nothing to do with the Nginx version, but in recent PHP versions the introduction of security.limit_extensions makes it hard to exploit successfully.

Why does PHP under Nginx have this problem? Because Nginx looks only at the URL path: if it ends in .php, the request goes straight to PHP regardless of whether the file exists. Apache and others first check whether the file exists and only then decide what to do. cgi.fix_pathinfo is a PHP option; if the web server correctly determined whether the file exists before handing it to PHP, cgi.fix_pathinfo would have no effect and the problem would naturally not exist. (IIS behaves the same as Nginx here and has the same problem.)

%00 null byte parsing vulnerability

Principle: Nginx and the back-end FastCGI process handle the %00 null byte inconsistently, so PHP code can be embedded in a picture and then executed by accessing xxx.jpg%00.php.

In the following Nginx versions, PHP code embedded in a picture is executed by accessing xxx.jpg%00.php:

Nginx 0.5.*

Nginx 0.6.*

Nginx 0.7 <= 0.7.65

Nginx 0.8 <= 0.8.37

CVE-2013-4547(%20%00)

Affected Nginx versions: 0.8.41 to 1.5.6

The principle of this vulnerability is that the illegal characters space and terminator (%00) confuse the finite state machine Nginx uses for URI parsing, which lets an attacker bypass extension restrictions with an unencoded space. What does that mean? For example, suppose there is a file "file.jpg " on the server; note that the last character of the file name is a space. You can access:

http://127.0.0.1/file.jpg \0.php

which makes Nginx think the file "file.jpg " has the suffix ".php".

Testing was done on Nginx/1.0.15. First prepare a picture named "test.html "; note that the file name contains a trailing space. Then access the file in a browser: you get a 404, because the browser automatically encodes the space as %20, and the file "test.html%20" does not exist on the server.

The goal of the test is to make Nginx treat the file as a picture and display it correctly in the browser. What we want is an unencoded space and the terminator (\0). How? Use Burp Suite to intercept the request sent by the browser and modify it. The original URL is http://192.168.56.101/test.htmlAAAjpg; change the first "A" to 20 (the ASCII code of the space), the second "A" to 00 (the terminator) and the third "A" to 2E (the ASCII code of "."), as shown:

After the modification, forward the request and look at the browser:

We have successfully exploited a vulnerability! But what use is it? We want the code to be executed.

Continue testing: prepare the file "test.jpg " (again the last character of the file name is a space) and upload it to the server. Contents of the file:

Use Burp Suite to capture and modify the packet. The original URL is http://192.168.56.101/test.jpg...php; after jpg, change the first "." to 20 and the second "." to 00, as shown below:

After the modification, forward the request; the browser shows Access denied. Good, that is it.

This shows that after Nginx received the request it did hand the file "test.jpg " to PHP as a PHP file; PHP merely saw the ".jpg" extension and rejected it. This confirms that the vulnerability exists in Nginx. However, because of security.limit_extensions, we cannot exploit it.

Apache Parsing Vulnerability

File Name Parsing Vulnerability

Apache determines how to parse a file from right to left; if a suffix is not recognized, it moves one suffix to the left and decides again. For example, in xie.php.owf.rar the suffixes .owf and .rar are not recognized by Apache, so Apache parses xie.php.owf.rar as xie.php. The key to testing this vulnerability is determining which suffixes are legal: try uploading a file such as xie.php.rara.jpg.png (appending every suffix you know) to test which suffixes are legitimate. Apache skips any suffix it does not recognize and keeps moving left until it finds one it does.

Rare suffix

The computer world has been free and colorful since its creation. Remember the mime.types file? Search that file for the three letters "php"; the result is as follows:

  werner@Yasser:~$ cat /etc/mime.types | grep php
  #application/x-httpd-php          phtml pht php
  #application/x-httpd-php-source           phps
  #application/x-httpd-php3         php3
  #application/x-httpd-php3-preprocessed        php3p
  #application/x-httpd-php4         php4
  #application/x-httpd-php5         php5

Remember the regular expression ".+\.ph(p[345]?|t|tml)$"? It matches not only php but also php3, php4, php5, pht and phtml.

So not only the original php suffix but also phtml, pht, php3, php4 and php5 are PHP program file suffixes recognized by Apache and PHP. I only knew about ".php"; this is an eye-opener. It is like Python program files: not only .py but also .pyc and .pyo. Do the programmers who write upload filter rules know this? I think probably not. With these "rare" extensions it may be possible to bypass security checks and do some "bad things".

I tested on Ubuntu 14.04 + Apache 2.4.7, preparing a file text.php whose content is the classic Hello World:

  <?php echo 'HELLO WORLD'; ?>

Then open it in a browser; it successfully shows "HELLO WORLD". Next change the file suffix to the various suffixes and test each. Results: with the php, phtml, pht, php3, php4 and php5 suffixes, "HELLO WORLD" is shown successfully; with the phps suffix a 403 Forbidden error is returned; with the php3p suffix the source code is shown in the browser.
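As an added example (not code from the article), the following Python upload-name check rejects the name shapes described above for IIS (semicolon), Windows (trailing space or dot), null bytes, Apache (right-to-left multiple suffixes) and the rare PHP suffixes, and then renames a validated file server-side; the extension sets are constructed for this example and the upload form is hypothetical.

```python
import secrets

# Suffixes the article shows being executed by Apache/PHP handlers and by
# IIS 6, plus a few related ones; constructed for this example, not exhaustive.
EXECUTABLE_EXTS = {"php", "phtml", "pht", "php3", "php4", "php5", "phps", "php3p",
                   "asp", "asa", "cer", "cdx", "aspx", "ascx"}
# Image types the hypothetical upload form is meant to accept.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}


def check_upload_name(name: str):
    """Return (ok, reason) for a client-supplied file name.

    Instead of checking only the final extension, reject every shape the
    article shows a server re-interpreting."""
    if "/" in name or "\\" in name or "\x00" in name:
        return False, "path separator or null byte"      # xxx.jpg%00.php
    if ";" in name:
        return False, "semicolon"                        # IIS 6: xie.asp;.jpg
    if name != name.rstrip(" ."):
        return False, "trailing space or dot"            # Windows: xx.jpg[space]
    if name.startswith("."):
        return False, "dotfile"                          # e.g. an uploaded .htaccess
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    exts = parts[1:]
    # Apache reads suffixes right to left, so an executable suffix anywhere
    # in the name (xie.php.owf.rar) must count, not only the last one.
    bad = [e for e in exts if e in EXECUTABLE_EXTS]
    if bad:
        return False, f"executable suffix {bad[0]}"
    if exts[-1] not in ALLOWED_EXTS:
        return False, f"extension {exts[-1]} not allowed"
    if len(exts) > 1:
        return False, "multiple extensions"
    return True, "ok"


def safe_store_name(name: str) -> str:
    """Server-side rename: keep only the validated extension and generate the
    base name with a CSPRNG, so the client's name never reaches the filesystem.
    The upload directory should likewise be fixed by the server, never taken
    from the request, which removes the test.asp/ folder trick."""
    ok, reason = check_upload_name(name)
    if not ok:
        raise ValueError(reason)
    return f"{secrets.token_hex(8)}.{name.rsplit('.', 1)[1].lower()}"
```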

.htaccess file

Apache's .htaccess file is a server configuration file responsible for the configuration of pages in the directory where it lives. Through a .htaccess file you can set up 301 page redirects, define custom 404 error pages, change file extensions, allow or block access for specific users or directories, prohibit directory listing, configure the default document, and more. IIS has no such file. The feature is enabled by default and is enabled or disabled in the httpd.conf configuration file.

Prerequisites for a .htaccess file to take effect:

the mod_rewrite module is enabled

AllowOverride All

# 1: This .htaccess means that every file whose name contains "shell" is executed as a PHP script

<FilesMatch "shell">

SetHandler application/x-httpd-php

</FilesMatch>

 

# 2: This line makes files with the .jpg extension be parsed as PHP

AddType application/x-httpd-php .jpg

Source: www.cnblogs.com/vege/p/12444476.html