Apache middleware vulnerability recurrence
2022-07-06 07:27:00 【mingyeqf】
Reproducing the Apache unknown-extension parsing vulnerability on Kali
- Reproduction
Upload a file named shell.php.aaa. When this behaviour is present, Apache looks at .aaa, does not recognise it, keeps parsing leftwards, recognises .php, and treats the file as PHP. The same happens on access: requesting phpinfo.php.qqq renders phpinfo() successfully.
So which suffixes does Apache not recognise?
Any suffix that is not listed in mime.types (Multipurpose Internet Mail Extensions).
sudo service apache2 restart
cd /etc/apache2/mods-enabled
sudo vim php7.4.conf
On a stock Debian/Kali install this file selects the PHP handler with <FilesMatch ".+\.ph(ar|p|tml)$">. Change the trailing $ to . so that the pattern no longer requires .php to be the last segment of the file name, then restart Apache; such names are now parsed as PHP.
sudo service apache2 restart
In /var/www/html create shell.php.aaa containing <?php phpinfo();?>
Request the file from the local Apache; phpinfo() is rendered.
Repair suggestions
Solution 1
Add the following to httpd.conf or httpd-vhosts.conf to deny access to any file whose name contains a segment of the form .php. (the dots are escaped so that each matches a literal dot rather than any character):
<FilesMatch "\.(php\.|php3\.|php4\.|php5\.)">
Order Deny,Allow
Deny from all
</FilesMatch>
On Apache 2.4 the Order/Deny directives come from mod_access_compat; the native 2.4 form is Require all denied.
Solution 2
If the file name has to be kept, modify the upload code so that every "." in the uploaded file name is replaced with "_" (this also replaces the dot before the real extension, so the intended extension has to be appended again afterwards):
$filename = str_replace('.', '_', $filename);
2.2 Parsing vulnerability caused by AddHandler
1. Vulnerability:
(1) Apache (mod_mime) treats every dot-separated segment of a file name as an extension. When it meets an extension it does not recognise, it skips it and keeps parsing from right to left until it finds one it does know.
(2) If no extension is recognised at all, the file is served as-is and its source code is exposed.
An improper Apache configuration therefore turns into a parsing vulnerability: with a type or handler bound to the bare .php extension, a name such as shell.php.aaa, whose last segment is unknown, is still handed to PHP.
2. Reproduction:
In httpd.conf, uncomment the following line; files with a .php or .phtml segment in their name are then parsed as PHP:
AddType application/x-httpd-php .php .phtml
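The following is an added example, not code from the original post. It models the right-to-left extension walk described in 2.1 and 2.2 and checks file names against the two FilesMatch patterns from the php7.4.conf step (the stock one and the weakened one with the trailing $ replaced by .) and against the deny rule from the repair suggestions. The PHP_EXTENSIONS and MIME_EXTENSIONS tables are assumptions standing in for the AddType line and for mime.types entries.

```python
import re

# Added example, not code from the original post. It models the right-to-left
# extension walk the post describes and checks file names against the
# FilesMatch patterns the post edits in php7.4.conf.

# Assumed registrations, standing in for
# "AddType application/x-httpd-php .php .phtml" and a few mime.types entries.
PHP_EXTENSIONS = {"php", "phtml", "phar"}
MIME_EXTENSIONS = {"html": "text/html", "jpg": "image/jpeg", "txt": "text/plain"}

# Stock pattern from Debian/Kali's php7.4.conf, and the weakened pattern that
# results from replacing the trailing "$" with "." as the post does.
PHP_FILESMATCH_STOCK = re.compile(r".+\.ph(ar|p|tml)$")
PHP_FILESMATCH_WEAK = re.compile(r".+\.ph(ar|p|tml).")

# Deny rule from the post's repair suggestion, with the dots escaped so they
# match a literal "." rather than any character.
DENY_DOUBLE_EXTENSION = re.compile(r"\.(php\.|php3\.|php4\.|php5\.)")


def resolve_extension(filename):
    """Walk the dot-separated segments from right to left, skipping every
    segment Apache has no mapping for, and return the first recognised one.
    Returns None when nothing is recognised (the file is served as-is, which
    is how PHP source gets exposed)."""
    segments = filename.split(".")[1:]          # everything after the basename
    for seg in reversed(segments):
        seg = seg.lower()
        if seg in PHP_EXTENSIONS:
            return "application/x-httpd-php"
        if seg in MIME_EXTENSIONS:
            return MIME_EXTENSIONS[seg]
    return None


def handed_to_php(filename, pattern):
    """FilesMatch applies its regex unanchored to the file name, so a match
    anywhere in the name selects the PHP handler."""
    return pattern.search(filename) is not None


def denied(filename):
    """True if the FilesMatch deny rule from the repair suggestion fires."""
    return DENY_DOUBLE_EXTENSION.search(filename) is not None


def report(filename):
    """Summarise how one name fares under each setting."""
    return {
        "mod_mime_type": resolve_extension(filename),
        "php_with_stock_pattern": handed_to_php(filename, PHP_FILESMATCH_STOCK),
        "php_with_weak_pattern": handed_to_php(filename, PHP_FILESMATCH_WEAK),
        "blocked_by_deny_rule": denied(filename),
    }


if __name__ == "__main__":
    for name in ("index.php", "shell.php.aaa", "phpinfo.php.qqq",
                 "notes.txt.bak", "readme.zzz"):
        print(name, report(name))
```

Two things the run makes visible that the text does not: the weakened pattern requires a character after .php, so it stops matching a plain index.php (the post's edit is a lab setting rather than a realistic misconfiguration), and the deny rule only does its job with escaped dots, since an unescaped "." would also block harmless names such as xphpx.jpg.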
3. Repair suggestions
1. Add the following to httpd.conf or httpd-vhosts.conf to deny access to any file whose name contains a segment of the form .php.:
<FilesMatch "\.(php\.|php3\.|php4\.|php5\.)">
Order Deny,Allow
Deny from all
</FilesMatch>
2. Fix the improperly configured directive: bind the PHP handler only to names that end in .php, for example with SetHandler inside <FilesMatch "\.php$">, rather than with AddType/AddHandler on the bare extension.
2.3 Directory traversal vulnerability
1. Principle
When a client requests a directory, Apache by default looks for an index file in it (index.html, index.php and so on, as listed in DirectoryIndex). If no such file exists, Apache either lists every file in the directory or returns a 403 status code. Listing every file in the directory is what this post calls directory traversal; Apache's own term is directory indexing (directory listing), controlled by the Indexes option.
2. Reproduction
In httpd.conf enable Options +Indexes for the web root and request a directory that has no index file.
3. Defence
In httpd.conf find Options +Indexes +FollowSymLinks +ExecCGI
and change it to Options -Indexes +FollowSymLinks +ExecCGI
then save (the + in front of Indexes becomes -).
+Indexes allows directory browsing; -Indexes disables it.
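The following is an added example, not code from the original post. It applies Apache's merging rules for the Options directive (signed tokens merge with the inherited options, unsigned tokens replace them, mixing the two is a syntax error) to a constructed httpd.conf fragment and reports per <Directory> block whether Indexes is in effect, which is the check behind the +Indexes to -Indexes fix above. The sample config, the directory paths and the server default are assumptions.

```python
import re
from collections import OrderedDict

# Added example, not code from the original post. It applies Apache's merging
# rules for the Options directive to a constructed httpd.conf fragment and
# reports, per <Directory> block, whether Indexes (directory listing) is on.

DEFAULT_OPTIONS = "FollowSymLinks"   # Apache 2.4 server default (2.2 defaulted to All)
ALL_OPTIONS = {"Indexes", "FollowSymLinks", "ExecCGI", "Includes",
               "IncludesNOEXEC", "SymLinksIfOwnerMatch"}   # "All" excludes MultiViews
CANONICAL = {o.lower(): o for o in ALL_OPTIONS | {"MultiViews"}}

DIRECTORY_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIRECTORY_CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
OPTIONS_LINE = re.compile(r'^\s*Options\s+(.+?)\s*$', re.I)

# Constructed fragment: a listing enabled at /var/www, switched off again for
# /var/www/html, re-enabled below it, and an unsigned Options that resets.
SAMPLE_CONFIG = """\
<Directory "/">
    Options FollowSymLinks
</Directory>
<Directory "/var/www">
    Options +Indexes +FollowSymLinks +ExecCGI
</Directory>
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks +ExecCGI
</Directory>
<Directory "/var/www/html/uploads">
    Options +Indexes
</Directory>
<Directory "/var/www/reset">
    Options FollowSymLinks
</Directory>
"""


def _expand(name):
    """Map one option keyword to the set of options it stands for."""
    if name.lower() == "all":
        return set(ALL_OPTIONS)
    if name.lower() == "none":
        return set()
    return {CANONICAL.get(name.lower(), name)}


def merge_options(inherited, directive):
    """Apache rule: if every token carries + or -, the directive is merged
    into the inherited options; if no token carries a sign, it replaces them;
    mixing the two forms is rejected as a syntax error."""
    tokens = directive.split()
    signed = [t[0] in "+-" for t in tokens]
    if all(signed):
        result = set(inherited)
        for t in tokens:
            if t[0] == "+":
                result |= _expand(t[1:])
            else:
                result -= _expand(t[1:])
        return result
    if any(signed):
        raise ValueError("mixed signed/unsigned Options: %r" % directive)
    result = set()
    for t in tokens:
        result |= _expand(t)
    return result


def parse_directory_options(config_text):
    """Collect the Options directives found inside each <Directory> block."""
    blocks = OrderedDict()
    current = None
    for line in config_text.splitlines():
        m = DIRECTORY_OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/") or "/"
            blocks.setdefault(current, [])
            continue
        if DIRECTORY_CLOSE.match(line):
            current = None
            continue
        m = OPTIONS_LINE.match(line)
        if m and current is not None:
            blocks[current].append(m.group(1))
    return blocks


def effective_options(blocks, path):
    """Merge from the server default through every enclosing block, shortest
    path first, which is the order Apache applies <Directory> sections."""
    path = path.rstrip("/") or "/"
    opts = merge_options(set(), DEFAULT_OPTIONS)
    for block in sorted(blocks, key=len):
        if block == "/" or path == block or path.startswith(block + "/"):
            for directive in blocks[block]:
                opts = merge_options(opts, directive)
    return opts


def audit_indexes(config_text):
    """Map each <Directory> path to True when directory listing is enabled."""
    blocks = parse_directory_options(config_text)
    return {p: "Indexes" in effective_options(blocks, p) for p in blocks}


if __name__ == "__main__":
    for path, listing in audit_indexes(SAMPLE_CONFIG).items():
        print("%-25s Indexes %s" % (path, "ON" if listing else "off"))
```

The audit is what to run before trusting the single-line fix: a -Indexes in one block is undone by a +Indexes in a deeper block, while an unsigned Options line further down discards everything inherited, including the listing you thought you had disabled.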
2.4 Apache HTTPD newline parsing vulnerability (CVE-2017-15715)
1. Vulnerability description
Apache HTTPD is an HTTP server that can run PHP pages through mod_php. Versions 2.4.0 to 2.4.29 contain a parsing vulnerability: when the PHP handler is selected with a regular expression such as <FilesMatch "\.php$">, a file named 1.php\x0a is treated as having the .php suffix, because in PCRE a trailing $ also matches just before a final newline. This can be used to bypass some upload security policies on the server.
Note that the file name has to be taken from a separate POST parameter. If the upload code takes the name from $_FILES['file']['name'], the \x0a is stripped automatically, so an upload handler written that way does not trigger this vulnerability.
2. Scope
Apache 2.4.0 to 2.4.29
3. Vulnerability reproduction
Reference: https://blog.cfyqy.com/article/b0e821f4.html
Upload a file named index.php; the upload is blocked. In the intercepted request insert a \x0A after index.php (note: it must be a single \x0A, not \x0D\x0A) and the upload is no longer blocked.
Request the just-uploaded /index.php%0a: it is parsed successfully even though the file name does not end in .php, which shows that the target has the parsing vulnerability.
Repair suggestions
1. Upgrade to the latest version.
2. Otherwise, rename the uploaded file to timestamp + random number + .jpg and disable script execution in the upload directory.
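The following is an added example, not code from the original post or from the referenced blog. It shows why index.php\x0a slips past an extension blacklist yet is still handed to PHP by <FilesMatch "\.php$">: Python's re, like PCRE, lets a trailing $ match just before a final newline, while a \Z anchor does not (the strict behaviour Apache 2.4.30 and later get by compiling with DOLLAR_ENDONLY). It also shows why the single \x0A matters, and implements the rename from repair suggestion 2. The BLACKLIST, the files_array_name model of the $_FILES stripping the post describes, and the fixed timestamp and random values in the demo are assumptions.

```python
import os
import re
import time

# Added example, not from the original post. Models the upload-filter bypass
# behind CVE-2017-15715 and the safe-rename repair the post recommends.

BLACKLIST = {"php", "php3", "php4", "php5", "phtml"}   # assumed upload filter list

# Pattern of the kind Apache uses to select the PHP handler, and a strict
# end-of-subject anchor that does not accept a trailing newline (the
# DOLLAR_ENDONLY behaviour of Apache 2.4.30+, written here with \Z).
PHP_FILESMATCH = re.compile(r"\.php$")
PHP_FILESMATCH_STRICT = re.compile(r"\.php\Z")


def blacklist_allows(posted_name):
    """Typical upload check: compare the text after the last dot to a list."""
    ext = posted_name.rsplit(".", 1)[-1].lower()
    return ext not in BLACKLIST


def apache_runs_as_php(stored_name, pattern=PHP_FILESMATCH):
    """True if a FilesMatch with this pattern would hand the file to PHP."""
    return pattern.search(stored_name) is not None


def files_array_name(posted_name):
    """Assumed model of the post's observation: a name read from
    $_FILES['file']['name'] arrives without the trailing \\x0a, whereas a
    separate POST field keeps it."""
    return posted_name.rstrip("\n")


def classify(posted_name):
    """Walk one upload through the filter and through Apache's FilesMatch."""
    return {
        "passes_blacklist": blacklist_allows(posted_name),
        "executed_by_2.4.29": apache_runs_as_php(posted_name, PHP_FILESMATCH),
        "executed_with_strict_anchor": apache_runs_as_php(posted_name, PHP_FILESMATCH_STRICT),
    }


def safe_stored_name(original_name, now=None, rand=None):
    """Repair suggestion 2: timestamp + random number + .jpg, discarding the
    client-supplied name entirely so no byte of it reaches the file system."""
    now = int(time.time()) if now is None else now
    rand = int.from_bytes(os.urandom(4), "big") if rand is None else rand
    return "%d_%d.jpg" % (now, rand)


if __name__ == "__main__":
    for name in ("index.php", "index.php\n", "index.php\r\n", "shell.jpg"):
        print(repr(name), classify(name))
    print(repr("index.php\n"), "via $_FILES ->", repr(files_array_name("index.php\n")))
    print("stored as", safe_stored_name("index.php\n"))
```

The request /index.php%0a decodes to the on-disk name index.php followed by a newline; the run shows that name passing the blacklist and matching \.php$, while index.php\r\n matches neither the bypass nor the handler, which is why the post insists on a single \x0A.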