2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Chinese kitchen knife
In web***, the two kinds of vulnerabilities I most hope to find are arbitrary command execution vulnerabilities, such as the Struts2 vulnerability, and file upload vulnerabilities, because both are the fastest and most direct ways to gain server permissions. With an arbitrary command execution vulnerability, if the target is mapped through from a private network, you may still need other means to upload * * files to obtain a webshell, and then do port forwarding or privilege escalation through the webshell.
This article summarizes personal experience with file upload and is divided into two parts: file parsing vulnerabilities and file upload vulnerabilities.
File parsing vulnerability
Parsing vulnerabilities arise when, under certain conditions, IIS, Apache, Nginx and other servers interpret certain special files as script files and execute them.
IIS 5.x/6.0 parsing vulnerability
There are three main parsing vulnerabilities in IIS 6.0:
1. Directory parsing vulnerability: /xx.asp/xx.jpg
When a folder whose name ends in .asp or .asa exists under the website, any file in that directory, whatever its extension, is parsed and executed by IIS as an ASP file. An image file carrying script code (a "picture horse") can therefore be uploaded as it is, with no need to change its suffix.
2. File parsing: xx.asp;.jpg
Under IIS 6.0, the part of the file name after the semicolon is not parsed, so xx.asp;.jpg is treated as ASP and the script is executed.
3. File type resolution: asa/cer/cdx
Besides asp, the file types that IIS 6.0 executes by default also include asa, cer and cdx.
Apache parsing vulnerability
Apache determines the file type by parsing the extensions from right to left. If an extension is one it cannot recognize, it continues with the next one to the left; for example, xx.php.wer.xxxxx is parsed as PHP.
IIS 7.0/ Nginx
Then visit xx.jpg/.php, and a sentence * shell.php will be generated in this directory.
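The file name patterns described above can be checked on the server before an upload is stored, or when reviewing access logs. The following is an added example, not code from the original article; the function name and rule names are hypothetical and the sample paths are constructed.

```python
# Added example: flag upload or request paths that match the parsing quirks
# described in this article. Rule names are hypothetical labels.
SCRIPT_EXTS = {"asp", "asa", "cer", "cdx", "php"}  # types named in the article


def _exts(segment):
    """Lower-cased extensions of one path segment, left to right."""
    return segment.lower().split(".")[1:]


def parsing_quirks(path):
    """Return the sorted rule names that `path` triggers (empty list = clean)."""
    hits = set()
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    if not segments:
        return []
    *dirs, name = segments
    for d in dirs:
        d_exts = _exts(d)
        if d_exts and d_exts[-1] in ("asp", "asa"):
            # IIS 6.0 directory parsing: /xx.asp/xx.jpg
            hits.add("iis6-directory")
        elif d_exts and _exts(name)[-1:] == ["php"]:
            # xx.jpg/.php: a file-like segment followed by a .php suffix
            hits.add("pathinfo-php")
    # IIS 6.0 ignores everything after the semicolon: xx.asp;.jpg
    head, sep, _ = name.partition(";")
    if sep and SCRIPT_EXTS & set(_exts(head)):
        hits.add("iis6-semicolon")
    exts = _exts(head)
    if exts and exts[-1] in SCRIPT_EXTS:
        # asp/asa/cer/cdx (IIS 6.0 defaults) or php as the effective extension
        hits.add("script-extension")
    elif SCRIPT_EXTS & set(exts[:-1]):
        # Apache right-to-left parsing: xx.php.wer.xxxxx
        hits.add("apache-multi-extension")
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample paths, one per pattern plus two clean ones
    for p in ["/upload/xx.asp/xx.jpg", "xx.asp;.jpg", "shell.cer",
              "xx.php.wer.xxxxx", "/img/xx.jpg/.php",
              "/uploads/2024/photo.jpg", "v1.2/photo.jpg"]:
        print(p, parsing_quirks(p))
```

An upload handler would reject any path for which the returned list is not empty, and would also store files under a server-generated name.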
Nginx