kali Reappear apache Unknown extension resolution vulnerability

2. Reappear
   I uploaded a name called shell.php.aaa The file of , When this feature exists , Take a look .aaa incognizance ,
   Continue to parse ,.php I know , It can be interpreted as php The file . The same goes for visits , For example, visit phpinfo.php.qqq Can be displayed successfully phpinfo

So which suffixes Apache incognizance ？
be not in mime.types None of them know （Multipurpose Internet Mail Extensions）

sudo service apache2
restart cd /etc/apache2/mods-enabled sudo 
vim php7.4.conf

hold $ Switch to . And then restart apache It can be parsed into php

sudo service apache2 restart 

stay /var/www/html establish shell.php.aaa And write <?php phpinfo();?>
Access local files

4. Repair suggestions
Solution 1
stay httpd.conf or httpd-vhosts.conf Add the following statement , This prevents the file name format from being .php. Access rights of ：

<FilesMatch ".(php.|php3.|php4.|php5.)"> 
Order Deny,Allow
Deny from all 
</FilesMatch>

Solution 2
If you need to keep the file name , You can modify the program source code , Replace... In the upload file name “.” by “_”：

$filename = str_replace('.', '_', $filename);

2.2 AddHandler Parsing vulnerability caused by

1. Loophole ：
(1)apache There is a principle when parsing files ： When encountering an unknown extension , It will be parsed from back to front , Until we meet the expansion of knowledge
Until the exhibition name
(2) If you don't know it, the source code will be exposed .
stay apache Improper configuration will cause apache Parsing vulnerabilities .
2. Reappear ：
1、 stay httpd.conf Take out the notes , Suffixes exist .php .phtml Will be resolved into php file

AddType application/x-httpd-php .php .phtml

3. Repair suggestions
1. stay httpd.conf or httpd-vhosts.conf Add the following statement , This prevents the file name format from being .php. Access rights of ：

<FilesMatch ".(php.|php3.|php4.|php5.)"> 
Order Deny,Allow Deny from all 
</FilesMatch>

2. Modify the improperly configured file

2.3 Directory traversal vulnerability

1. principle
principle ： When a client accesses a directory ,Apache The server will look for one by default index list Documents in , Ruvin Pieces do not exist
stay , All files in the current directory will be listed or returned 403 Status code , The behavior of listing all files in the directory is called directory traversal .
2. Reappear
httpd.conf

3. defense
stay httpd.conf Found in file Options + Indexes + FollowSymLinks + ExecCGI And modified to Options - Indexes +FollowSymLinks + ExecCGI And save （ Well + It is amended as follows -）

+ Indexes  Allow directory browsing  — Indexes  Disable directory browsing 

2.4 Apache HTTPD Newline parsing vulnerability （CVE-2017-15715）

1. Vulnerability description
Apache HTTPD Is a HTTP The server , It can go through mod_php To run the PHP Webpage . Its 2.4.0~2.4.29 There is
A parsing vulnerability , In parsing PHP when ,1.php\x0a Will be in accordance with PHP The suffix is parsed , This leads to bypassing the security policies of some servers
A little .
As you can see, you need to get the file name separately post One name Of , Because if you pass $_FILES[‘file’][‘name’] a
Take the file name , Will be able to \x0a Automatically remove , therefore $_FILES[‘file’][‘name’] Getting the file name in this way will not cause
This loophole
2. scope
apache ：2.4.0~2.4.29 edition
3. Loophole recurrence

Apache HTTPD Newline parsing vulnerability （CVE-2017-15715）

Reference resources ：https://blog.cfyqy.com/article/b0e821f4.html

Apache HTTPD Is a HTTP The server , It can go through mod_php To run the PHP Webpage . Its 2.4.0~2.4.29 There is a parsing vulnerability in the version , In parsing PHP when ,1.php\x0A Will be in accordance with PHP The suffix is parsed , This leads to bypassing some of the server's security policies .

Loophole recurrence
Upload a file named index.php The file of , Be intercepted , stay index.php Insert a \x0A（ Be careful , It can't be \x0D\x0A, It can only be one \x0A）, No longer intercept

Visit the just uploaded /index.php%0a, It is found that... Can be successfully parsed , But this file is not php suffix , This indicates that the target has a parsing vulnerability ：

Repair suggestions
1. Upgrade to the latest version
2. Or rename the uploaded file to timestamp + random number +.jpg And disable the upload file directory execution