[file upload vulnerability-06] distributed configuration file attack experiment - take upload-labs-4 as an example
2022-07-26 14:42:00 【Like the wind 9】
Catalog
1 Apache Configuration Overview
1.1 Global configuration file httpd.conf
The global configuration file httpd.conf holds the server-wide settings, among them:
- the prefork MPM;
- persistent (keep-alive) connections;
- the sockets httpd listens on;
- the worker MPM;
- DSO (dynamically loaded modules);
- the site document root;
- the default index page;
- access control;
- IP-based access control;
- user directories;
- logging;
- character set;
- path aliases;
- CGI;
- virtual hosts;
- the server status page;
- page compression;
- user-based access control.
1.2 Distributed configuration file .htaccess
Background: anyone who has deployed a site on Apache knows httpd.conf, the server's main configuration file. Most sites today are deployed on cloud servers, and on team projects it is often impractical for every developer to edit the shared httpd.conf directly. For that case Apache offers .htaccess, a per-directory configuration file that is read on each request and can change the same kinds of settings that httpd.conf does.
.htaccess is Apache's distributed (per-directory) configuration file. It is a plain-text file containing Apache configuration directives. Its directives override the server's global configuration for the directory that contains it and for all of its subdirectories.
Basic functions
- URL rewriting and custom error pages
- MIME type configuration
- Access control
- Most often used for "pseudo-static" URLs
- Image hotlink protection
- Custom 404 error page
- Blocking or allowing specific IPs or IP ranges
- Directory listing and index pages
- Denying access to given file types
- Password-protecting files
Conditions for .htaccess files to take effect
- 1) httpd.conf must allow the relevant settings to be overridden. Look for the AllowOverride directive in the <Directory> block that covers the web root: with AllowOverride None (the compiled-in default since Apache 2.3.9) .htaccess files are ignored entirely; AllowOverride All lets them override everything, and AllowOverride FileInfo is the override class that the AddType, AddHandler and SetHandler directives used below fall under. Some distributions and bundles ship with this opened up and some do not, so check rather than assume.
- 2) If the .htaccess uses URL-rewriting directives (RewriteEngine, RewriteRule), the rewrite module must also be loaded: find the line LoadModule rewrite_module modules/mod_rewrite.so in httpd.conf and make sure it is not commented out. The AddType/AddHandler/SetHandler directives used in this article need only mod_mime, which is loaded by default.
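The AllowOverride check above is easy to get wrong by eye because Apache merges several <Directory> sections and the most specific one wins. The following added example (my own code, not part of the original article or of upload-labs) parses a constructed httpd.conf excerpt and answers, for a given directory, whether an uploaded .htaccess could change file handlers there. The sample configuration, the directory paths and the function names are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed httpd.conf excerpt (not taken from any real server): the web
# root keeps Apache's default, the Upload folder is opened up the way the
# lab in this article does, and a third folder allows only unrelated classes.
SAMPLE_HTTPD_CONF = """
<Directory "C:/phpStudy/PHPTutorial/WWW">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "C:/phpStudy/PHPTutorial/WWW/Upload">
    AllowOverride All
</Directory>

<Directory "C:/phpStudy/PHPTutorial/WWW/static">
    AllowOverride AuthConfig Limit
</Directory>
"""

# Override classes that let an .htaccess change how a file is handled.
# AddType/AddHandler/SetHandler (and FilesMatch+SetHandler) are FileInfo;
# "All" enables every class.
HANDLER_CLASSES = {"all", "fileinfo"}

_DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>',
                     re.I | re.S)
_OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)


def parse_allow_override(conf: str) -> Dict[str, List[str]]:
    """Map each <Directory> path to the AllowOverride tokens set inside it.
    A block that sets nothing is recorded as ["None"], Apache's default."""
    result: Dict[str, List[str]] = {}
    for path, body in _DIR_RE.findall(conf):
        m = _OVERRIDE_RE.search(body)
        tokens = m.group(1).split() if m else ["None"]
        result[path.replace("\\", "/").rstrip("/")] = tokens
    return result


def htaccess_can_change_handlers(conf: str, directory: str) -> bool:
    """True if an .htaccess dropped into `directory` could route files to
    the PHP handler. The longest matching <Directory> path wins, mirroring
    Apache's shortest-to-longest merge order for directory sections."""
    overrides = parse_allow_override(conf)
    wanted = directory.replace("\\", "/").rstrip("/")
    best = None
    for path in overrides:
        if wanted == path or wanted.startswith(path + "/"):
            if best is None or len(path) > len(best):
                best = path
    if best is None:
        return False
    tokens = {t.lower() for t in overrides[best]}
    return bool(tokens & HANDLER_CLASSES)


def audit(conf: str) -> Dict[str, bool]:
    """Per-directory view: which configured paths let an uploaded
    .htaccess turn other uploads into executable files."""
    return {path: htaccess_can_change_handlers(conf, path)
            for path in parse_allow_override(conf)}


if __name__ == "__main__":
    for path, risky in audit(SAMPLE_HTTPD_CONF).items():
        print(f"{path}: .htaccess can change handlers = {risky}")
```

Run against the sample, only the Upload directory (and anything beneath it) comes back as risky; the parser ignores <DirectoryMatch> and regex <Directory ~> sections, which cannot carry AllowOverride anyway.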
1.3 Potential risks
If a web application lets a user upload a file named .htaccess into a directory that Apache serves with AllowOverride enabled, the attacker can change Apache's configuration for that directory. That is extremely dangerous.
Because the configuration can be changed, there is a lot of room for .htaccess-based attacks. For example:
- 1) make files with a .png suffix execute as PHP;
- 2) make any file whose name contains a .php component execute as PHP;
- 3) make a file with a specific name execute as PHP.
2 Introduction to the experiment
2.1 Experimental environment
Target: the upload-labs range on a WAMP stack; see the article "[Environment building-03] Building the upload-labs vulnerability range on a WAMP environment" for the setup.
Attacker: a Kali virtual machine with its bundled BurpSuite.
The target and the attacker are on the same LAN.
2.2 Preparation
Prepare a file to upload. It could be a web shell or any other file; in this experiment a PHP probe is used as the test file, which is enough to show whether a file upload vulnerability exists and how its checks can be bypassed.
The file is named phpinfo.php and contains: <?php phpinfo();?>.
3 Experiment 1: building and testing an .htaccess file
3.1 Purpose
Learn how to create a file whose name is only an extension, such as .htaccess, on Windows;
use .htaccess directives to control which handler Apache runs different files through.
3.2 Generate the .htaccess file
(1) Create a new blank file called "New text document.txt".
(2) Open it and paste the following line: AddType application/x-httpd-php .png
(3) Click File → Save as, choose the file type, and set the file name to .htaccess.

3.3 Execute a .png file as PHP
(1) Generate the .htaccess file. Under the web root C:\phpStudy\PHPTutorial\WWW create a new folder Upload, and inside it create the .htaccess file as in section 3.2 with the content AddType application/x-httpd-php .png. Note that .png can be replaced by another image suffix such as .gif; the suffix in the directive and the suffix of the uploaded file must match.
(2) Generate the info.png file. In C:\phpStudy\PHPTutorial\WWW\Upload create info.php with the content <?php phpinfo(); ?>, then rename info.php to info.png.

(3) Visit and verify. Open the file in a browser on the Kali virtual machine; the code in the file is executed and the phpinfo page is shown.
3.4 Execute files whose name contains .php as PHP
(1) In C:\phpStudy\PHPTutorial\WWW\Upload open the .htaccess file and change its content to: AddHandler php5-script .php (Apache accepts the extension with or without the leading dot). php5-script is the handler name registered by the PHP 5 Apache module; with a PHP 7 module the corresponding name is php7-script, and with the wrong name the directive silently does nothing. Because mod_mime examines every dotted component of a file name, this directive also applies to info.php.jpg, not only to info.php.
(2) Copy info.png and rename the copy to info.php.jpg.
(3) Visit and verify. Open the file in a browser on the Kali virtual machine; the code in the file is executed.
3.5 Execute a file with a specific name as PHP
(1) In C:\phpStudy\PHPTutorial\WWW\Upload open the .htaccess file and change its content to:
<FilesMatch "zzz">
SetHandler application/x-httpd-php
</FilesMatch>
FilesMatch takes a regular expression, so this matches any file whose name contains zzz, not only a file named exactly zzz.
(2) Copy info.php and rename the copy to zzz.
(3) Visit and verify. Open the file in a browser on the Kali virtual machine; the code in the file is executed.
4 Example: upload-labs Pass-04
Testing process: work through the bypasses in order, front-end JS bypass → MIME bypass → server-side suffix bypass → file content bypass, and so on. Pass-04 checks the suffix against a server-side deny-list; that list does not cover .htaccess, which is what this attack exploits.
(1) Upload the .htaccess file. Open Firefox on the Kali virtual machine, enter http://172.16.1.1/upload-labs/ to reach upload-labs, and click into Pass-04. Click Browse, choose the .htaccess file with the following content, and click upload. The upload succeeds.
<FilesMatch "zzz">
SetHandler application/x-httpd-php
</FilesMatch>

(2) Upload the zzz probe file. Upload a PHP probe file whose name has been changed to zzz. The upload succeeds.
(3) Right-click the "image" and open it in a new tab; the contents of the file are executed and the phpinfo page is shown.
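The three .htaccess payloads from Experiment 1 and the Pass-04 walkthrough above come down to one weakness: a suffix deny-list that cannot name every dangerous file. The following added example (my own code, not from the article or from upload-labs) builds the three payloads, then runs the article's upload sequence through a deny-list filter in the style of the vulnerable level and through a hardened allow-list filter. The deny-list contents, the magic-byte table and the file names are constructed for the example and are not a verbatim copy of the lab's source.

```python
import os
import re
from typing import Callable, List, Tuple

# --- the three .htaccess payloads from Experiment 1, as builders ----------

def htaccess_addtype(ext: str = ".png") -> str:
    """Serve every file with this suffix through the PHP handler (3.3)."""
    return f"AddType application/x-httpd-php {ext}\n"


def htaccess_addhandler(handler: str = "php5-script") -> str:
    """Run any file whose name carries a .php component, e.g. info.php.jpg (3.4)."""
    return f"AddHandler {handler} .php\n"


def htaccess_filesmatch(pattern: str = "zzz") -> str:
    """Run any file whose name matches the regex; the Pass-04 payload (3.5)."""
    return (f'<FilesMatch "{pattern}">\n'
            "SetHandler application/x-httpd-php\n"
            "</FilesMatch>\n")

# --- vulnerable filter: suffix deny-list -----------------------------------

# Constructed, representative deny-list (not the lab's exact list).
DENY_SUFFIXES = {".php", ".php5", ".php4", ".php3", ".php2", ".phtml",
                 ".pht", ".html", ".htm", ".jsp", ".jspx", ".asp", ".aspx"}


def blacklist_check(filename: str, content: bytes = b"") -> bool:
    """Accept unless the LAST suffix is denied. Intentionally weak: it
    mirrors trim/lowercase/last-extension logic. '.htaccess' and 'zzz'
    have no suffix at all, so they always pass."""
    ext = os.path.splitext(filename.strip())[1].lower()
    return ext not in DENY_SUFFIXES

# --- hardened filter: allow-list + content check ---------------------------

ALLOW_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of the accepted image formats (constructed, minimal).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def allowlist_check(filename: str, content: bytes) -> bool:
    """Accept only one allow-listed suffix on a plain stem, never a
    dotfile, and only if the bytes look like that image type."""
    name = os.path.basename(filename.strip())
    if not name or name.startswith("."):               # .htaccess, .user.ini
        return False
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOW_SUFFIXES:                      # zzz, anything.php
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):  # info.php.jpg
        return False
    return content.startswith(MAGIC[ext])              # PHP text in a .png


def run_uploads(check: Callable[[str, bytes], bool],
                uploads: List[Tuple[str, bytes]]) -> List[str]:
    """Names the filter would have written into the upload directory."""
    return [name for name, body in uploads if check(name, body)]

# Constructed upload sequence: the article's attack chain plus one real image.
ATTACK_CHAIN = [
    (".htaccess", htaccess_filesmatch("zzz").encode()),
    ("zzz", b"<?php phpinfo(); ?>"),
    ("info.php.jpg", b"<?php phpinfo(); ?>"),
    ("info.png", b"<?php phpinfo(); ?>"),
    ("photo.png", MAGIC[".png"] + b"\x00" * 16),
]

if __name__ == "__main__":
    print("deny-list accepted :", run_uploads(blacklist_check, ATTACK_CHAIN))
    print("allow-list accepted:", run_uploads(allowlist_check, ATTACK_CHAIN))
```

The deny-list lets all five files through, so once .htaccess is in place the zzz probe runs as PHP; the allow-list keeps only photo.png. Even the hardened check is only one layer: rename stored files to a server-generated name, keep the upload directory under AllowOverride None, and do not serve it with a PHP handler at all.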
5 Summary
(1) Where there is a file upload vulnerability, anything that gets past the filter can end up being executed on the server.
(2) Knowing how to write and modify .htaccess lets you change the handler that runs each kind of file.
(3) The purpose of uploading .htaccess is to make an uploaded file executable on the server; the 00 truncation covered earlier had the same goal of getting an uploaded file executed on the server.