IIS, Nginx, and Apache Vulnerabilities

IIS 5.x - 6.x Vulnerabilities

  • Directory parsing
    • Consider www.xxx.com/webshell.asp/webshell.jpg
    • Here webshell.asp is a directory, not a file, yet IIS 6 hands every file under a directory whose name ends in .asp to asp.dll.
    • The .jpg extension of webshell.jpg is ignored and the file is executed as ASP. Any upload feature that lets a user choose or create a directory name is therefore exposed.
  • Filename parsing
    • Consider www.xxx.com/webshell.asp;.jpg
    • IIS 6 truncates the filename at the first ; before mapping it to a handler, so the name becomes webshell.asp and asp.dll executes the file even though its on-disk name ends in .jpg. An upload filter that only checks the final extension is bypassed.
  • Default file extensions
    • Besides .asp, IIS 6 maps the following extensions to asp.dll by default, so uploads with these names are executed as well:
      • .asa
      • .cer
      • .cdx
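The three IIS rules above, as an added illustration that is not IIS code: a Python model of the handler-mapping decision, followed by the upload-name check a practitioner would put in front of an IIS 6 host. The function names, the allow-list of image extensions and the sample names are assumptions made for this example.

```python
from typing import Tuple

# Extensions IIS 6 maps to asp.dll by default (.asp plus the three listed above)
ASP_EXTENSIONS = (".asp", ".asa", ".cer", ".cdx")
ASP_WORDS = {e.lstrip(".") for e in ASP_EXTENSIONS}


def iis6_maps_to_asp(url_path: str) -> Tuple[bool, str]:
    """Model of how IIS 6 decides whether asp.dll handles url_path.

    Returns (executed_as_asp, reason).  Rules modelled from the list above:
      1. a directory whose name ends in an ASP extension makes every file
         beneath it an ASP script, whatever the file's own extension;
      2. the filename is cut at the first ';' before its extension is examined;
      3. otherwise the (truncated) filename's own extension decides.
    """
    segments = [s for s in url_path.split("/") if s]
    if not segments:
        return False, "no filename"
    directories, filename = segments[:-1], segments[-1]
    for d in directories:
        if d.lower().endswith(ASP_EXTENSIONS):
            return True, "directory %r ends in an ASP extension" % d
    mapped_name = filename.split(";", 1)[0]            # ';' truncation
    if mapped_name.lower().endswith(ASP_EXTENSIONS):
        return True, "filename mapped as %r" % mapped_name
    return False, "static file"


def upload_name_allowed(filename: str,
                        allowed: Tuple[str, ...] = (".jpg", ".jpeg", ".png", ".gif")) -> bool:
    """Upload filter for an IIS 6 host (assumed allow-list of image extensions).

    Checking only the final extension is exactly what the ';' trick defeats, so
    this refuses the truncation character, path separators and NUL, requires an
    allow-listed final extension and, as defence in depth, refuses an ASP
    extension anywhere in the name (e.g. 'x.asp.jpg')."""
    name = filename.strip().lower()
    if not name or any(c in name for c in ";/\\\x00"):
        return False
    if not name.endswith(allowed):
        return False
    return not any(part in ASP_WORDS for part in name.split(".")[1:])


if __name__ == "__main__":
    for path in ("/webshell.asp/webshell.jpg", "/uploads/webshell.asp;.jpg",
                 "/uploads/webshell.jpg", "/uploads/cert.cer"):
        print(path, iis6_maps_to_asp(path))
    for name in ("photo.jpg", "webshell.asp;.jpg", "webshell.asp.jpg"):
        print(name, upload_name_allowed(name))
```

The directory rule cannot be filtered on the filename alone: the upload code must also control the directory the file lands in, so never derive that directory from user input.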

Nginx Vulnerabilities

  • Filename parsing (PHP-FPM with cgi.fix_pathinfo=1)
    • www.xxx.com/webshell.jpg/idonotexist.php
    • The URI ends in .php, so the location ~ \.php$ block forwards it to PHP-FPM with SCRIPT_FILENAME set to .../webshell.jpg/idonotexist.php. That file does not exist, and with cgi.fix_pathinfo=1 (the PHP default) PHP strips trailing path components until it reaches one that does: webshell.jpg is found and executed as PHP, with /idonotexist.php becoming PATH_INFO. The walk-back happens inside PHP, not in Nginx, which only matched the URI suffix.
    • Mitigations: set cgi.fix_pathinfo=0 in php.ini, keep security.limit_extensions = .php in the PHP-FPM pool configuration (the default in current versions), and add try_files $uri =404 to the PHP location so that Nginx refuses URIs that do not map to an existing file before contacting PHP-FPM.
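The walk-back described above, as an added example that is not Nginx or PHP code: a Python model of the request's path from the location ~ \.php$ block into PHP-FPM, with the three settings named above as switches. The document root, the set of files that "exist" and the function name are constructed for this example.

```python
from typing import FrozenSet, Optional, Tuple

# Constructed document root and fake filesystem (no real files are touched)
DOCROOT = "/var/www/html"
FAKE_FS: FrozenSet[str] = frozenset({
    DOCROOT + "/index.php",
    DOCROOT + "/uploads/webshell.jpg",    # user upload whose body is PHP code
})


def resolve_php_script(uri: str,
                       fix_pathinfo: bool = True,              # php.ini cgi.fix_pathinfo (default 1)
                       limit_extensions: Tuple[str, ...] = (), # php-fpm security.limit_extensions
                       nginx_try_files: bool = False,          # try_files $uri =404 in the php location
                       fs: FrozenSet[str] = FAKE_FS,
                       docroot: str = DOCROOT) -> Optional[Tuple[str, str]]:
    """Return (script_filename, path_info) that PHP would execute for uri, or
    None when the request is refused (404 from Nginx, "No input file
    specified" or "Access denied" from PHP-FPM)."""
    if not uri.endswith(".php"):
        return None                       # never matches location ~ \.php$, served as static
    script = docroot + uri                # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name
    if nginx_try_files and script not in fs:
        return None                       # Nginx answers 404 before contacting PHP-FPM
    path_info = ""
    while script not in fs:
        if not fix_pathinfo:
            return None                   # PHP refuses a SCRIPT_FILENAME that is not a file
        head, tail = script.rsplit("/", 1)
        if len(head) <= len(docroot):
            return None                   # walked back to the document root without a hit
        script, path_info = head, "/" + tail + path_info   # cgi.fix_pathinfo walk-back
    if limit_extensions and not script.endswith(limit_extensions):
        return None                       # php-fpm: "Access denied" (extension not allowed)
    return script, path_info


if __name__ == "__main__":
    attack = "/uploads/webshell.jpg/idonotexist.php"
    print("default      :", resolve_php_script(attack))
    print("fix_pathinfo=0:", resolve_php_script(attack, fix_pathinfo=False))
    print("limit .php   :", resolve_php_script(attack, limit_extensions=(".php",)))
    print("try_files    :", resolve_php_script(attack, nginx_try_files=True))
```

With the defaults the model reproduces the bug; any one of the three switches turns the request into a refusal. In practice try_files and security.limit_extensions are applied together: the former stops the request at Nginx, the latter still protects PHP-FPM if another front end passes it the same SCRIPT_FILENAME.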

Apache 1.x - 2.x Vulnerabilities

  • Filename parsing (multiple extensions)
    • webshell.php.test
    • mod_mime treats every dot-separated suffix as an extension and applies whatever handler, type, language or encoding each one is mapped to; an extension with no mapping (here .test) is simply ignored. Because .php is mapped to the PHP handler, the file is executed as if it were webshell.php even though its last extension is .test.
  • Configuration problems
    • AddHandler php5-script .php
      • AddHandler binds the handler to the extension wherever it appears in the name, so webshell.php.jpg is executed as PHP.
    • AddType application/x-httpd-php .jpg
      • Assigns the PHP MIME type to .jpg, so mod_php executes every .jpg file, including uploads, as PHP.
    • The safer form is an anchored pattern such as <FilesMatch "\.php$"> with SetHandler, which only matches names whose final extension is .php, combined with removing the AddHandler and AddType lines above.
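The multiple-extension rule and the two configuration problems above, as an added illustration that is not Apache code: a Python model of the handler mod_mime derives from a filename, with the weak configuration from the list beside an anchored <FilesMatch> alternative. The function names are assumptions for this example; the handler names are the usual mod_php ones, and the precedence of a SetHandler inside <FilesMatch> over the extension-based mapping is the documented behaviour, everything else is a simplification.

```python
import re
from typing import Dict, Optional, Tuple

# Handler names and MIME type under which mod_php executes a file (assumed set)
PHP_HANDLERS = {"php5-script", "php7-script", "application/x-httpd-php"}
PHP_TYPE = "application/x-httpd-php"


def apache_resolve(filename: str,
                   add_handler: Dict[str, str],                     # AddHandler <handler> <ext>
                   add_type: Dict[str, str],                        # AddType <mime> <ext>
                   files_match: Optional[Tuple[str, str]] = None,   # (<FilesMatch regex>, SetHandler)
                   ) -> Tuple[Optional[str], Optional[str]]:
    """Return the (handler, mime_type) Apache would assign to filename."""
    handler = mime = None
    # mod_mime: every dot-separated suffix is an extension; each mapped one sets
    # its attribute, unmapped ones (.test) are ignored, later ones override earlier.
    for ext in filename.split(".")[1:]:
        ext = "." + ext.lower()
        handler = add_handler.get(ext, handler)
        mime = add_type.get(ext, mime)
    # SetHandler inside <FilesMatch> takes precedence over the mod_mime result
    if files_match and re.search(files_match[0], filename):
        handler = files_match[1]
    return handler, mime


def php_executes(filename: str, **config) -> bool:
    """True if mod_php would run the file under the given configuration."""
    handler, mime = apache_resolve(filename, **config)
    return handler in PHP_HANDLERS or mime == PHP_TYPE


# The two weak directives from the list above
WEAK = dict(add_handler={".php": "php5-script"}, add_type={".jpg": PHP_TYPE})
# Hardened: no extension-based mapping at all, only an anchored pattern on the last extension
HARDENED = dict(add_handler={}, add_type={}, files_match=(r"\.php$", "application/x-httpd-php"))


if __name__ == "__main__":
    for name in ("webshell.php.test", "webshell.php.jpg", "webshell.jpg", "index.php"):
        print("%-18s weak=%-5s hardened=%s" % (
            name, php_executes(name, **WEAK), php_executes(name, **HARDENED)))
```

Keeping the AddHandler line next to the <FilesMatch> block would not help: the anchored pattern only adds a handler for names ending in .php, while AddHandler would still attach one to webshell.php.jpg. Removing the extension-based directives is part of the fix.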