File upload parsing vulnerability
2022-07-16 05:57:00 【Zigzag rise】
Apache parsing vulnerability:
Form: test.php.qwe.asd, where the trailing suffixes are any names that are neither in the blacklist nor in Apache's whitelist of suffixes it can parse.
Principle: Apache decides how to parse a file by reading its suffixes from right to left. If a suffix is not recognized, it moves one suffix to the left. In test.php.qwe.asd, ".qwe" and ".asd" are both suffixes that Apache does not recognize, so Apache parses test.php.qwe.asd as PHP.
Conditions: Apache runs the script through mod_php. In addition, Apache 2.4.0-2.4.29 has a newline parsing vulnerability: when parsing PHP, xxx.php\x0A is parsed as if it had the PHP suffix, which makes it possible to bypass some of the server's security policies.
www.xxx.com/test.php.qwe.asd
When connecting in module mode: in the configuration file httpd.conf, remove the comment marker in front of LoadModule rewrite_module modules/mod_rewrite.so, then search for the keyword AllowOverride and change its parameter from None to All.
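The right-to-left rule described above, modelled as an added example (not code from the original page): a filter that looks only at the last suffix accepts test.php.qwe.asd, while a strict allowlist check rejects it. The RECOGNIZED and ALLOWED_UPLOAD_EXT sets and all function names are assumptions made for the illustration.

```python
import re
import uuid

# Assumption: suffixes this hypothetical Apache maps to a handler or MIME type.
RECOGNIZED = {"php", "html", "jpg", "png"}
# Assumption: the only suffixes the upload feature is meant to accept.
ALLOWED_UPLOAD_EXT = {"jpg", "png"}

def apache_effective_ext(filename):
    """Simplified model of the rule above: walk the suffixes from right
    to left and return the first one the server recognizes."""
    for ext in reversed(filename.split(".")[1:]):
        if ext.lower() in RECOGNIZED:
            return ext.lower()
    return None

def naive_check(filename):
    """Weak upload filter: blacklist applied to the last suffix only."""
    return filename.rsplit(".", 1)[-1].lower() not in {"php", "asp"}

def strict_check(filename):
    """Hardened filter: exactly one suffix, taken from an allowlist.
    fullmatch() is used because a '$' anchor also matches just before a
    trailing newline, which would let 'x.jpg\\n' through."""
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})", filename)
    return bool(m) and m.group(1).lower() in ALLOWED_UPLOAD_EXT

def stored_name(filename):
    """Never keep the client-supplied name: store under a random name
    with the single validated suffix, or refuse the upload."""
    if not strict_check(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return uuid.uuid4().hex + "." + filename.rsplit(".", 1)[-1].lower()

if __name__ == "__main__":
    for name in ["photo.jpg", "test.php.qwe.asd", "photo.jpg\n", "xx.asp;.jpg"]:
        print(repr(name), apache_effective_ext(name),
              naive_check(name), strict_check(name))
```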
Nginx parsing vulnerability:
Form: <any file name>/<any file name>.php
Appending /<any file name>.php to any file name triggers the parsing vulnerability. For example, if the original file name is test.jpg, it can be requested as test.jpg/x.php to carry out a parsing attack.
Principle: Nginx < 0.8.37 supports PHP parsing through CGI by default. The common practice is to set SCRIPT_FILENAME in the Nginx configuration file through a regular-expression match. When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to phpinfo.jpg/1.php, which is then used to build SCRIPT_FILENAME and passed to PHP CGI. Why does PHP accept such a parameter and parse phpinfo.jpg as a PHP file? This comes down to the fix_pathinfo option. If this option is turned on, it triggers the following logic in PHP: PHP decides that SCRIPT_FILENAME is phpinfo.jpg and that 1.php is PATH_INFO, so it parses phpinfo.jpg as a PHP file.
Forms of the vulnerability:
www.xxxx.com/UploadFiles/image/1.jpg/1.php
www.xxxx.com/UploadFiles/image/1.jpg.php
www.xxxx.com/UploadFiles/image/1.jpg/ \0.php
Form: <any file name>%00.php
On lower versions of Nginx, %00.php can be appended to any file name to carry out a parsing attack (Nginx version <= 0.8.37, null byte code execution vulnerability).
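The fix_pathinfo logic described above, modelled as an added example (not code from the original page), together with two guards that stop phpinfo.jpg from being executed. DOCROOT, EXISTING and the function names are constructed for the illustration; the guards model an Nginx try_files existence check and PHP-FPM's security.limit_extensions setting, neither of which the page mentions.

```python
import re

DOCROOT = "/var/www"
# Constructed file system for the example: one uploaded image, one real script.
EXISTING = {"/var/www/phpinfo.jpg", "/var/www/index.php"}

def php_resolve(script_filename, fix_pathinfo):
    """Model of PHP choosing the script. With fix_pathinfo on and the full
    path missing, trailing components are stripped until a real file is
    found; the stripped part becomes PATH_INFO."""
    if script_filename in EXISTING:
        return script_filename, ""
    if not fix_pathinfo:
        return None
    candidate = script_filename
    while "/" in candidate:
        candidate = candidate.rpartition("/")[0]
        if candidate in EXISTING:
            return candidate, script_filename[len(candidate):]
    return None

def executed_file(uri, fix_pathinfo, require_exists=False, limit_ext=None):
    """Return the file that would run as PHP for this URI, or None."""
    if not re.search(r"\.php$", uri):          # location matched by regex
        return None
    script_filename = DOCROOT + uri            # built from $fastcgi_script_name
    if require_exists and script_filename not in EXISTING:
        return None                            # like: try_files $uri =404
    resolved = php_resolve(script_filename, fix_pathinfo)
    if resolved is None:
        return None
    script, _path_info = resolved
    if limit_ext and not script.endswith(limit_ext):
        return None                            # like security.limit_extensions
    return script

if __name__ == "__main__":
    uri = "/phpinfo.jpg/1.php"
    print("fix_pathinfo on :", executed_file(uri, True))
    print("fix_pathinfo off:", executed_file(uri, False))
    print("existence check :", executed_file(uri, True, require_exists=True))
    print("extension limit :", executed_file(uri, True, limit_ext=".php"))
```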
IIS 6.0 parsing vulnerabilities
1. Directory parsing:
Form: www.xxx.com/xx.asp/xx.jpg
Principle: by default, the server parses every file inside a .asp directory as an ASP file.
https://www.cnblogs.com/milantgh/p/4347520.html
2. File parsing:
Form: www.xxx.com/xx.asp;.jpg
Principle: by default, the server does not parse anything after the ";" character, so xx.asp;.jpg is parsed as an ASP file.
Besides asp, IIS 6.0 has three other file types that are executable by default:
/test.asa
/test.cer
/test.cdx
IIS 7.0/7.5 parsing vulnerability
Form: <any file name>/<any file name>.php
Principle: when parsing PHP, IIS 7.0/7.5 has a parsing vulnerability similar to the Nginx one: for any file name, appending the string /<any file name>.php to the URL causes the file to be parsed as PHP.
The cause is that cgi.fix_pathinfo is enabled in the PHP configuration file; this is not a vulnerability in Nginx or IIS 7.5 itself.
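For detection, the request forms listed in the sections above can be matched in web server access logs. The following is an added example, not part of the original page: the log lines are constructed, and the rule names and the short list of static suffixes in the first rule are assumptions.

```python
import re

# Request shapes listed on this page, matched against the raw (still
# percent-encoded) path as it appears in the access log.
RULES = [
    ("pathinfo-php",     re.compile(r"\.(?:jpe?g|png|gif|txt)/[^/]*\.php$", re.I)),
    ("null-byte-php",    re.compile(r"%00\.php$", re.I)),
    ("iis6-script-dir",  re.compile(r"\.(?:asp|asa|cer|cdx)/", re.I)),
    ("iis6-semicolon",   re.compile(r"\.(?:asp|asa|cer|cdx);", re.I)),
    ("apache-multi-ext", re.compile(r"\.php\.[^/]+$", re.I)),
    ("apache-newline",   re.compile(r"\.php%0a$", re.I)),
]
LOG_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jul/2022:05:57:00 +0000] "GET /UploadFiles/image/1.jpg/1.php HTTP/1.1" 200 512
192.0.2.10 - - [16/Jul/2022:05:57:02 +0000] "GET /UploadFiles/image/1.jpg%00.php HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2022:05:58:10 +0000] "GET /xx.asp;.jpg HTTP/1.1" 200 90
198.51.100.7 - - [16/Jul/2022:05:58:11 +0000] "GET /xx.asp/xx.jpg HTTP/1.1" 200 90
203.0.113.5 - - [16/Jul/2022:05:59:30 +0000] "GET /test.php.qwe.asd HTTP/1.1" 200 33
203.0.113.5 - - [16/Jul/2022:05:59:31 +0000] "GET /index.php?id=1 HTTP/1.1" 200 1200
203.0.113.5 - - [16/Jul/2022:05:59:32 +0000] "GET /img/logo.png HTTP/1.1" 200 4000
"""

def classify(target):
    """Return the names of all rules the request path matches."""
    path = target.split("?", 1)[0]          # ignore the query string
    return [name for name, rx in RULES if rx.search(path)]

def scan(lines):
    """Yield-style scan: (client, target, status, rules) for suspicious hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        rules = classify(target)
        if rules:
            hits.append((client, target, int(status), rules))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit answered with status 200 deserves the closest look, because it means the server found and served something at that path.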