WINDOWS server IIS parsing vulnerability maintenance method to prevent WEBSHELL invasion

更新时间:2019-04-14 10:56:06点击:222026 Website Optimization

After the server of this site has been replaced by the 2012 version, the website is often taken by WEBSHELL to tamper with the file!

I haven't found a loophole for a long time.

Fortunately, the help of WeChat friend Carry found the loophole and gave the following modifications.

I am repaired according to option 3,

Here to share with everyone

First, the vulnerability introduction
Vulnerability Impact IIS7 and IIS7.5 set cgi.fix_pathinfo=1 in php.ini when making FastCGI mode call php
When accessing an arbitrary file URL, when a character such as "/x.php" is added after the URL, the file is parsed by iis as a php file.
For example, the contents of are as follows:


Copy code

Copy the code When you visit you can see that the php code in 1.gif is parsed by iis. Then, when a "hacker" specifically attacks a website, it can first upload an image file containing malicious PHP code through the image upload function provided by the website (or other means). Then through the above description method, let iis parse and execute any malicious PHP code, control the website and the host, and finally lead to serious consequences such as “de-stocking”, “hanging horse”, “implanting illegal seo link” and so on.

The first option: continue to use the FastCGI method to call PHP, to solve this security problem can be set in php.ini cgi.fix_pathinfo=0, after the modification is saved, it is recommended to restart iis (note that some application functions may be affected).

The second option: use PHP to call PHP. (Note: PHP5.3.10 has abandoned ISAPI mode)

The third option: you can use other web server software, such as apache, etc.

[actual solution] enhance IIS settings
Find "Processor Mapping" in IIS, then edit the PHP item, click "Request Restriction", and tick the option "Only when the request is mapped to the following content".
The specific steps are as follows!
1. Open the php program map of the specific website;

2. Check whether the option in the red box below is checked. Normally, you need to check it.


3. If your php mapping is not checked, please check the speed, otherwise the website is very dangerous. If you upload a picture, you can get the web permission.


4, IIS7.5 parsing vulnerability test results;



5. Parsing the vulnerability test results after setting.


Server security settings have not been neglected, please be sure to pay attention to the majority of webmaster friends. If you are not familiar with the server system, here I will provide you with a few small suggestions. In conjunction with some of the security settings I have provided, I believe that it will achieve better results. (all of the following are based on Windows Server)
[The simplest windows server security settings, done carefully, you will find that it is really useful! 】

1, the server does not install some messy things, what 360 security guards and the like, I often see on the server of some webmaster friends, I suggest you must uninstall, if there are 360 security guards, I can break you in a minute The server and the right to lift, the specific reasons are omitted. The server has always been less functional and safer. Please do not uninstall or delete the things that are not used. For example, the DZ directory does not require ASP script execution capability.

2. Please install simple firewall software on the server. If it is windows2008 or 2008R2, it is recommended to use the system firewall directly, with powerful functions and superior performance. In addition to the common port 80 and the ports used by MYSQL, Memcache, and 3389, if there is no special requirement, it is recommended to prevent all other ports from entering and leaving.

3. Install a security software on the server, recommend Mcafee8.8, and block the dangerous invasion through Mcafee. Under normal circumstances, we rarely log in to the server 3389. At this time, we can completely disable the generation of common suffix files, exe\bat\vbs\ini\txt\cmd\com\dll, etc., so that the hacker wants to write on your server. It is very difficult to enter a dangerous file; for example, locking part of the registry item prevents the account from being created and the rights raised.