How to fix the FastCGI parsing vulnerability? How to check for the FastCGI parsing vulnerability
When the FastCGI parsing vulnerability shows up in a PHP deployment, here is how to check for it and how to fix it:
FastCGI parsing vulnerability x2
A misconfigured WebServer FastCGI setup causes other files (static files such as css, js, jpg) to be parsed and executed as PHP scripts. If a user renames a malicious webshell script to look like a static file, uploads it to the webserver, and the webserver hands it to the PHP backend for execution, the attacker gains the ability to run commands on the server.
Vulnerability description:
By default Nginx supports PHP through CGI, and the usual practice is to set SCRIPT_FILENAME in the Nginx configuration file via a regular-expression match. When the URL http://192.168.1.102/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then assembled into SCRIPT_FILENAME and passed to PHP CGI. If the fix_pathinfo option is enabled in PHP, PHP decides that SCRIPT_FILENAME is phpinfo.jpg and that 1.php is PATH_INFO, so phpinfo.jpg is parsed as a PHP file.
Vulnerability impact:
A misconfigured WebServer FastCGI setup causes other files (static files such as css, js, jpg) to be parsed and executed as PHP scripts. If a user renames a malicious webshell script to look like a static file, uploads it to the webserver, and the webserver hands it to the PHP backend for execution, the attacker gains the ability to run commands on the server.
Fix:
(Nginx users can choose option 1 or option 2; IIS users should use option 1.)
Option 1: edit the php.ini file and set cgi.fix_pathinfo to 0. Then restart PHP and Nginx (or IIS).
Option 2: add the following line to the Nginx configuration file:
if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
This line returns a 403 error code whenever a URL such as test.jpg/a.php is matched. Restart Nginx after the change and the fix is complete.
After fixing, you can re-check for the FastCGI parsing vulnerability with 站长网 or 百度云观察.
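The following Python model, added here as an example and not code from the original article, shows both halves of the story above: how PHP's cgi.fix_pathinfo path splitting turns phpinfo.jpg/1.php into "execute phpinfo.jpg with PATH_INFO=/1.php", and what the article's Nginx rule blocks. The document root, file list and the request handler are constructed assumptions for the demonstration; the regular expression is the one from the Nginx rule above.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed sample of files that exist under the web root (assumption for
# the demo; there is no "1.php" anywhere, only an uploaded image-named file).
DOCROOT = "/var/www/html"
DOCROOT_FILES = {
    DOCROOT + "/index.php",
    DOCROOT + "/uploads/phpinfo.jpg",
    DOCROOT + "/static.v2/app.php",   # a legitimate script in a dotted directory
}


def resolve_script(script_filename: str, fix_pathinfo: bool,
                   exists: Callable[[str], bool] = DOCROOT_FILES.__contains__
                   ) -> Optional[Tuple[str, str]]:
    """Model of how PHP CGI chooses the script to run from SCRIPT_FILENAME.

    With cgi.fix_pathinfo=1, PHP walks the path from the right, dropping one
    trailing component at a time until a path that exists is found; the
    dropped tail becomes PATH_INFO. With cgi.fix_pathinfo=0 the path must
    exist exactly as given. Returns (script, path_info) or None if nothing
    can be executed.
    """
    if exists(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None
    parts = script_filename.split("/")
    for cut in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:cut])
        if candidate and exists(candidate):
            path_info = "/" + "/".join(parts[cut:])
            return candidate, path_info
    return None


# The pattern from the article's rule:
#   if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
# Nginx "~" is an unanchored, case-sensitive regex match, i.e. re.search().
NGINX_RULE = re.compile(r"\..*/.*php")


def nginx_rule_blocks(fastcgi_script_name: str) -> bool:
    """True if the article's Nginx rule would answer 403 for this script name."""
    return NGINX_RULE.search(fastcgi_script_name) is not None


def handle_request(uri: str, fix_pathinfo: bool, nginx_rule: bool) -> str:
    """Constructed request pipeline: Nginx rule first, then PHP path resolution.

    Returns a short outcome label: "403", "404", or "exec <script> PATH_INFO=<tail>".
    """
    if nginx_rule and nginx_rule_blocks(uri):
        return "403"
    resolved = resolve_script(DOCROOT + uri, fix_pathinfo)
    if resolved is None:
        return "404"
    script, path_info = resolved
    return f"exec {script} PATH_INFO={path_info}"


if __name__ == "__main__":
    req = "/uploads/phpinfo.jpg/1.php"
    print("vulnerable (fix_pathinfo=1, no rule):", handle_request(req, True, False))
    print("option 1   (fix_pathinfo=0):        ", handle_request(req, False, False))
    print("option 2   (nginx rule):            ", handle_request(req, True, True))
    print("side effect of option 2:            ", handle_request("/static.v2/app.php", True, True))
```

Running it shows the image being executed as PHP only in the vulnerable configuration, and either fix stopping it. The last line illustrates a caveat that follows directly from the regular expression: `\..*\/.*php` matches any path with a dot in a directory component before a php file, so a legitimate script such as /static.v2/app.php is also refused with 403; option 1 does not have that side effect.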
This article was published on 2016-03-25 at 00:27.
When reprinting, please credit the source: 网际网
Link to this article: /buxian/2568.html