March 2016

telnet HTTP examples

A telnet example:

xiatian@kali:~$ telnet blog.tianxiaohui.com 443
Trying 112.64.53.9...
Connected to blog.tianxiaohui.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: blog.tianxiaohui.com

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.14
Date: Mon, 28 Mar 2016 12:41:55 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Location: https://blog.tianxiaohui.com/?

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.0.14</center>
</body>
</html>
Connection closed by foreign host.

Below is a telnet session to the Baidu home page:

xiatian@kali:~$ telnet www.baidu.com 80
Trying 61.135.169.125...
Connected to www.a.shifen.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.baidu.com

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2016 12:43:50 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=8DE87DAF466F323D5338FC4C788C25FD:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=8DE87DAF466F323D5338FC4C788C25FD; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1459169030; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0x91477ff30001c2ff
BDUSERID: 0
Accept-Ranges: bytes

<!DOCTYPE html><!--STATUS OK-->
<html>
<head>

/favicon.ico/a.php caused by PHP FastCGI path fixing (cgi.fix_pathinfo)

While I was reading this post today, someone asked how /favicon.ico/a.php can be exploited:
http://www.wooyun.org/bugs/wooyun-2016-0185114

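Exploitation requires being able to upload an image file normally, where the content of the image file is PHP. Then, when /favicon.ico/a.php is requested, FastCGI cannot find a.php, so it walks back up the path, finds favicon.ico, and executes it as a PHP file.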

The official bug report is here:
https://bugs.php.net/bug.php?id=50852

The book "白帽子讲web安全" covers the details of this issue in Chapter 8, section 8.2.3.

The fix is to change the value of cgi.fix_pathinfo=1 in php.ini to 0.
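
The walk-back described above, and a log check for it, as an added example (not code from the original post or from PHP itself). It is a simplified model that assumes the web server passes the whole request path to PHP as the script; the document root contents, the function names and the sample log lines are constructed for illustration.

```python
import re

# Constructed document root (assumption): files that exist on disk.
DOCROOT_FILES = {"/index.php", "/favicon.ico", "/uploads/avatar.jpg"}

def resolve_script(request_path, fix_pathinfo, exists=DOCROOT_FILES.__contains__):
    """Simplified model of which file PHP FastCGI executes for a request path.

    Returns (script, path_info), or (None, None) if nothing is executed.
    """
    if exists(request_path):
        return request_path, ""
    if not fix_pathinfo:
        return None, None  # cgi.fix_pathinfo=0: no walk-back, request fails
    script = request_path
    while script.count("/") > 1:
        script = script.rsplit("/", 1)[0]  # drop the last path segment
        if exists(script):
            return script, request_path[len(script):]
    return None, None

# A static-looking segment followed by a segment ending in .php.
SUSPICIOUS = re.compile(
    r"/[^/?\s]+\.(?:ico|jpe?g|png|gif|txt|css|js)/[^/?\s]*\.php(?:[/?]|$)", re.I)

def flag_requests(log_lines):
    """Return request targets in access-log lines that match SUSPICIOUS."""
    hits = []
    for line in log_lines:
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        if m and SUSPICIOUS.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Mar/2016:12:41:55 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
    '198.51.100.7 - - [28/Mar/2016:12:42:10 +0000] "GET /favicon.ico/a.php HTTP/1.1" 200 87',
    '203.0.113.9 - - [28/Mar/2016:12:43:50 +0000] "GET /index.php/archives/12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Mar/2016:12:44:02 +0000] "GET /uploads/avatar.jpg/x.php?c=1 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for setting in (True, False):
        print("fix_pathinfo =", setting, resolve_script("/favicon.ico/a.php", setting))
    print(flag_requests(SAMPLE_LOG))
```

The /index.php/archives/12 line is the legitimate PATH_INFO use that the walk-back exists for, which is why the log check keys on a static file extension in front of the .php segment rather than on any extra path after a script.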