

IIS 6.0,7.5 parsing vulnerabilities

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

There are two ways to exploit IIS 6.0 parsing.

1. Directory parsing

/xx.asp/xx.jpg

2. File parsing

wooyun.asp;.jpg

First, if a folder whose name ends in .asp or .asa is created under the website root, every file in that directory, whatever its extension, is parsed and executed by IIS as an ASP file.

For example, after creating a directory named wooyun.asp, the request

/wooyun.asp/1.jpg

is executed as an ASP file. If the attacker can control the path of the folder an upload is stored in, a shell is obtained regardless of whether the uploaded picture is renamed after upload.

Second, under IIS 6.0 the part of a filename after a semicolon is not processed, so

wooyun.asp;.jpg

is treated as wooyun.asp by the server.

In addition to .asp, IIS 6.0 also executes these three extensions by default:

/wooyun.asa

/wooyun.cer

/wooyun.cdx

IIS 7.5 parsing vulnerability and how it is exploited

This vulnerability is related to the PHP configuration: an incorrect setting of the cgi.fix_pathinfo parameter in php.ini causes the parsing vulnerability. It occurs when cgi.fix_pathinfo is enabled, which has nothing to do with IIS itself and only with PHP; it does not apply to other languages such as ASP and ASP.NET.

Upload a one-line PHP webshell as php.jpg, that is, rename the .php file to .jpg, and then request it in the following way:

https://cache.yisu.com/upload/information/20200310/69/137562.jpg/.php
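As an added example that is not part of the original post, the following Python checks encode the patterns described above from the defending side: they reject upload paths that would hit the IIS 6.0 directory and semicolon tricks, flag requests shaped like the IIS 7.5 `.jpg/.php` URL, and report whether cgi.fix_pathinfo is still enabled in a php.ini. The image allow-list and the function names are assumptions, not from the page.

```python
import re

# Extensions IIS 6.0 executes as ASP by default (listed on this page)
IIS6_EXEC_EXTS = {"asp", "asa", "cer", "cdx"}
# Assumed allow-list for an image upload endpoint (not from the page)
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}

def _ext(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def _segments(path: str) -> list:
    """Split on / or \\ (IIS accepts both) and drop empty pieces."""
    return [s for s in re.split(r"[\\/]+", path) if s]

def is_safe_upload_path(path: str) -> bool:
    """True only if storing a file at `path` cannot trigger the IIS 6.0 tricks.

    Rejects a ';' anywhere (wooyun.asp;.jpg is served as wooyun.asp), any
    directory named *.asp/*.asa/*.cer/*.cdx (its contents run as ASP), and
    any final extension that is not on the allow-list.
    """
    if ";" in path or "\x00" in path:
        return False
    segs = _segments(path)
    if not segs:
        return False
    if any(_ext(d) in IIS6_EXEC_EXTS for d in segs[:-1]):
        return False
    return _ext(segs[-1]) in ALLOWED_EXTS

def looks_like_pathinfo_abuse(request_path: str) -> bool:
    """Flag requests shaped like /upload/x.jpg/.php (IIS 7.5 + cgi.fix_pathinfo):
    a static-looking segment followed by a later segment ending in .php."""
    segs = _segments(request_path.split("?", 1)[0])
    return any(_ext(segs[i]) in ALLOWED_EXTS and _ext(segs[-1]) == "php"
               for i in range(len(segs) - 1))

def cgi_fix_pathinfo_enabled(ini_text: str) -> bool:
    """Parse php.ini text; cgi.fix_pathinfo defaults to 1 (enabled) when unset."""
    value = "1"
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a comment
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "cgi.fix_pathinfo":
                value = val.strip("\"'").lower()      # last assignment wins
    return value in {"1", "on", "true", "yes"}
```

Run the php.ini check against the file the IIS PHP handler actually loads, since a commented-out `; cgi.fix_pathinfo=0` line still leaves the default of 1 in force.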
