File parsing vulnerability summary - Apache

Apache Parsing Vulnerability

Multi-suffix file name resolution: xx.php.xxoo

Apache allows a file to carry several suffixes, for example peak.txt.jpg.xx.
Apache's parsing rule is to determine the extension from right to left: when it does not recognise the rightmost extension it moves one suffix further left and tries again, and as soon as it finds a suffix it knows, it handles the whole file as that type. If, reading from right to left, no suffix is recognised, Apache hands the whole file to the browser to handle automatically and returns no MIME type.
Q: Which suffixes does Apache know, and which does it not?
A: The extensions Apache knows are recorded in the mime.types file:
on Linux, /etc/mime.types;
for Apache itself, apache/conf/mime.types (it is better to set up the environment on Ubuntu; reproducing this with Apache on Windows is not recommended).
mime.types records the file extensions Apache understands and the MIME type corresponding to each. When a client requests a file whose extension Apache knows, Apache returns that suffix's MIME type to the browser; if the suffix is one Apache does not know, Apache sends the file straight to the client without returning any MIME type.
Example 1: visit peak.jpg.xxoo. As the figure below shows, this behaviour holds: Apache does not know .xxoo but does know .jpg, so the jpg MIME type is returned to the browser.
[screenshot]
Example 2: visit peak.xxyy.xxoo. As the figure below shows, Apache knows neither .xxoo nor .xxyy; with no recognised suffix at all, it hands the whole file to the browser to handle automatically and returns no MIME type.
[screenshot]
Example 3: visit peak.php. As the figure below shows, Apache knows php, so it returns the text/html MIME type to the browser. Since the MIME type for php in mime.types is application/x-httpd-php, I am not entirely clear why text/html is returned.
[screenshot]
We generally use this behaviour to bypass blacklist filters in file upload vulnerabilities. Suppose the target server filters the .php extension; then, relying on this Apache behaviour, we upload peak.php.xxoo. Apache does not know .xxoo, moves left and finds .php, which it does know, so in theory it should return text/html to the browser and parse and execute peak.php.xxoo as a php file. Is that really what happens? See the figures below.
[screenshots]
peak.php.xxoo was not parsed and executed as php; no MIME type was returned to the browser, and the browser handled it automatically. Why? (I used apache-2.4.39 + php-5.3.29 here.) The reason is this: Apache judges from the right whether it recognises the extension; it does not know xxoo, then sees php, which it does recognise, so it hands the whole file to php for execution. But the full file name is peak.php.xxoo, and php does not know the suffix xxoo, so it does not execute the file. Why could peak.jpg.xxoo be served earlier? Because Apache, going from right to left, recognises jpg; jpg is not a php file, so it is not parsed and executed as php but sent back to the browser as a picture.

Next, let's look at how php itself identifies the file. Some of this is set in the configuration file under apache/modules/php?.conf. I am only recording this roughly here, because I did not find this file in the environment I set up; for example apache/module/php5.conf generally contains:

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
      SetHandler application/x-httpd-php
</FilesMatch>

This expression means that php will only parse and execute a file whose final extension matches the regular expression (php, php3, php4, php5, pht or phtml at the end of the file name). Some servers have this in their configuration, so Apache's feature cannot be used to get peak.php.xxoo executed as php: only a php extension in the rightmost position meets the requirement, because php has set this condition on top of Apache's. By analogy: apache is the general and php is an officer under him, where "php" stands both for the officer as a person and for his rank. peak.php.xxoo comes before the general; the general sees xxoo and does not know it, then sees php, and since this is how the general recognises people (mime.types), he says: ah, you are officer peak.php.xxoo. One day the php officer himself goes to deal with peak.php.xxoo. But the general is the boss, and he had set a rule beforehand: only a name ending in php3 | php4 | php5 | pht | phtml counts as a php officer. The php officer finds that peak.php.xxoo does not end with any of the specified suffixes, so he cannot process (parse and execute) him as the rule requires; in the php officer's eyes, peak.php.xxoo is not the officer the general said he was.

Now the question: if you need peak.php.xxoo to be executed as php, you can modify the above code to:

<FilesMatch ".+\.ph(p[345]?|t|tml)\.">
      AddHandler application/x-httpd-php .php
</FilesMatch>

This is information I looked up, because I really did not find this configuration file...
In fact, I think the real constraint is the AddType application/x-httpd-php .php .phtml line in httpd.conf: a file ending in any of the suffixes listed after AddType will be parsed and executed as a php file, provided the server administrator has enabled or set this configuration. Then the Apache parsing vulnerability described above can be used.
Note: AddType application/x-httpd-php must be followed by a suffix, otherwise the apache service will not start.
An uploaded .htaccess file can also be used to achieve the same effect; .htaccess applies to the current directory and its subdirectories.
Prerequisites for using .htaccess:
(1) httpd.conf must have AllowOverride All, not AllowOverride None
(2) the mod_rewrite module must be loaded: LoadModule rewrite_module modules/mod_rewrite.so
Three kinds of .htaccess content that can be uploaded:
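As an added example that is not code from the post, the following Python models the three things discussed above: the right-to-left suffix walk against mime.types, the effect of an AddType application/x-httpd-php line on the table Apache consults, and the php handler's FilesMatch regex in its anchored form versus the trailing-dot rewrite the post gives for making peak.php.xxoo executable. The mime table is a constructed subset (the real file is much larger), the function names are my own, and the walk is a model of the rule as the post states it, not a reimplementation of mod_mime.

```python
import re

# Constructed subset of Apache's mime.types (the real file is much larger);
# the php entry mirrors what the post reports seeing in mime.types.
MIME_TYPES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "txt": "text/plain",
    "html": "text/html",
    "php": "application/x-httpd-php",
}

def with_addtype(table, mime_type, *extensions):
    """Return a copy of the suffix table extended the way an
    'AddType <mime> .ext ...' line in httpd.conf extends it."""
    new = dict(table)
    for ext in extensions:
        new[ext.lstrip(".").lower()] = mime_type
    return new

def apache_resolve(filename, table=MIME_TYPES):
    """Model of the rule the post describes: Apache walks the suffixes from
    right to left, skips the ones it does not know and stops at the first
    one it knows. Returns (matched_suffix, mime_type), or (None, None) when
    no suffix is known, in which case the browser gets no MIME type."""
    parts = filename.split(".")
    for suffix in reversed(parts[1:]):      # parts[0] is the base name
        mime = table.get(suffix.lower())
        if mime is not None:
            return suffix, mime
    return None, None

# Regex from the php module configuration quoted in the post: anchored with $,
# so only the last suffix decides whether php executes the file.
PHP_FILESMATCH_ANCHORED = re.compile(r".+\.ph(p[345]?|t|tml)$")
# The post's rewrite that makes peak.php.xxoo executable: the $ anchor is gone
# and a dot must follow the php suffix instead.
PHP_FILESMATCH_TRAILING_DOT = re.compile(r".+\.ph(p[345]?|t|tml)\.")

def php_would_execute(filename, pattern=PHP_FILESMATCH_ANCHORED):
    """FilesMatch applies its regex as a search over the file name."""
    return pattern.search(filename) is not None

def trace(filename, table=MIME_TYPES, pattern=PHP_FILESMATCH_ANCHORED):
    """Both decisions for one name: what Apache hands on, and whether the
    php handler's FilesMatch would then accept it."""
    suffix, mime = apache_resolve(filename, table)
    handed_to_php = mime == "application/x-httpd-php"
    return {
        "apache_suffix": suffix,
        "mime": mime,
        "handed_to_php": handed_to_php,
        "php_executes": handed_to_php and php_would_execute(filename, pattern),
    }

if __name__ == "__main__":
    for name in ("peak.jpg.xxoo", "peak.xxyy.xxoo", "peak.php", "peak.php.xxoo"):
        print(name, trace(name))
    print("peak.php.xxoo with trailing-dot regex:",
          trace("peak.php.xxoo", pattern=PHP_FILESMATCH_TRAILING_DOT))
```

Running it reproduces the post's three screenshots in table form: peak.jpg.xxoo resolves to image/jpeg, peak.xxyy.xxoo to nothing, and peak.php.xxoo is handed to php by Apache but rejected by the anchored regex. One thing the model makes visible that the post does not: the trailing-dot rewrite accepts peak.php.xxoo but no longer matches a plain peak.php, so it is not a drop-in replacement for the anchored pattern.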
The first:

SetHandler application/x-httpd-php
With nothing after it, every file is parsed as php; this is the most sweeping form.
If a suffix is added, for example .jpg, then no matter where .jpg appears in the file name, php will match it and parse and execute the file as php, for example xx.jpg.xxoo.

The second:

AddType application/x-httpd-php .jpg
The specified suffix is parsed and executed as php. This is less sweeping than SetHandler: the specified suffix must be at the end of the file name. xx.oo.jpg can be parsed; xx.jpg.oo cannot.

Note: the suffix that corresponds to application/x-httpd-php in mime.types is also parsed as php, and no matter where that suffix sits in the file name, apache hands the file to php, and php can match it and parse and execute it.
[screenshot]

Third: specify the file to be parsed as php, as follows:

<FilesMatch "xx.gif">
SetHandler application/x-httpd-php
</FilesMatch>

So, is there any difference between AddType and AddHandler?

AddType: establishes a mapping between a given file extension and a specific content type, i.e. the mime.types mapping.
Syntax: AddType MIME-type extension [extension] ...
Description: AddType describes the relationship between an extension and a file type in the type table, for example:
AddType application/x-httpd-php .jpg means a file with the .jpg extension is of type application/x-httpd-php
AddType image/jpeg .php means a file with the .php extension is of type image/jpeg (Note: php is an exception. For example, xx.php can still be parsed as php; xx.php.jj goes through apache, apache encounters php and hands the file to php, and php treats xx.php.jj as jpg.)
Example:
[screenshot]

AddHandler: establishes a mapping between file extensions and a particular handler.
Description: which kind of extension is handled by which kind of program; describes the relationship between an extension and a handler program.
For example:

AddHandler application/x-httpd-php .php

(3) SetHandler: just remember this one line

SetHandler application/x-httpd-php

Summary

Once the principle of the Apache parsing vulnerability is understood, just remember: apache is the boss and php is the little brother; whatever the big brother has arranged in advance, the little brother follows. That's it ~
[screenshot]
In short, only when the target server has AddType application/x-httpd-php <extension> configured in httpd.conf, or has SetHandler application/x-httpd-php configured in httpd.conf, or a .htaccess file has been uploaded to the site root or the target directory, that is, when one of these conditions is met, does the target server have an Apache file parsing vulnerability in which a file like peak.php.xxoo is parsed and executed as php.

Defensive measures: these are given online; I did not reproduce them because I could not find the configuration. At the moment I believe the second is the best defence.
(1) Write the regular expression so that only a php extension at the very end of the file name is matched; even if httpd.conf recognises php, the whole file name will not be judged:

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
	SetHandler application/x-httpd-php
</FilesMatch>

or

<FilesMatch ".+\.phps$">
	Order Deny,Allow
	Deny from all
</FilesMatch>

(2) Remove AddType / AddHandler / SetHandler from httpd.conf
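As an added example (not part of the post), here is a small Python audit that reads an httpd.conf or .htaccess excerpt and flags the settings the post names as enabling the vulnerability: AllowOverride other than None, AddType/AddHandler application/x-httpd-php (with non-php extensions such as .jpg reported separately), SetHandler application/x-httpd-php outside any FilesMatch, and a FilesMatch around that handler whose pattern is not anchored with $ or contains an unescaped dot (the post's "xx.gif" pattern has both problems, so it matches xx.gif anywhere in a name and any character in place of the dot). The sample configuration is constructed; the directive names are real Apache directives, the finding codes are my own.

```python
import re

PHP_HANDLER = "application/x-httpd-php"
# Extensions the post's anchored FilesMatch regex treats as php.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".pht", ".phtml"}

# Constructed httpd.conf excerpt (not from any real server); line 1 is a comment.
SAMPLE_HTTPD_CONF = r"""# constructed httpd.conf excerpt (not from a real server)
AllowOverride All
AddType application/x-httpd-php .php .phtml .jpg
<FilesMatch "xx.gif">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
SetHandler application/x-httpd-php
"""

def _pattern_issues(pattern):
    """Problems with a FilesMatch regex that guards the php handler."""
    issues = []
    if not pattern.endswith("$"):
        # Without $ the regex matches the php suffix anywhere in the name.
        issues.append(("filesmatch-unanchored", pattern))
    if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
        # A bare '.' that is not a quantified wildcard matches any character.
        issues.append(("filesmatch-unescaped-dot", pattern))
    return issues

def audit_apache_config(text):
    """Return a list of (line number, finding code, detail) for the
    directives the post identifies as enabling multi-suffix php parsing."""
    findings = []
    open_filesmatch = []            # stack of patterns of enclosing FilesMatch blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<FilesMatch\s+"([^"]*)"\s*>$', line, re.IGNORECASE)
        if m:
            open_filesmatch.append(m.group(1))
            continue
        if line.lower() == "</filesmatch>":
            if open_filesmatch:
                open_filesmatch.pop()
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "allowoverride" and args and args[0].lower() != "none":
            findings.append((lineno, "allowoverride", " ".join(args)))
        elif directive in ("addtype", "addhandler") and args and args[0].lower() == PHP_HANDLER:
            exts = args[1:]
            findings.append((lineno, "php-handler-mapping", exts))
            odd = [e for e in exts if e.lower() not in PHP_EXTS]
            if odd:
                findings.append((lineno, "php-handler-non-php-ext", odd))
        elif directive == "sethandler" and args and args[0].lower() == PHP_HANDLER:
            if not open_filesmatch:
                # No FilesMatch at all: every file in scope is parsed as php.
                findings.append((lineno, "sethandler-global", ""))
            else:
                for code, detail in _pattern_issues(open_filesmatch[-1]):
                    findings.append((lineno, code, detail))
    return findings

if __name__ == "__main__":
    for lineno, code, detail in audit_apache_config(SAMPLE_HTTPD_CONF):
        print(f"line {lineno}: {code} {detail}")
```

The anchored block on lines 7 to 9 of the sample, which is the post's first defensive measure, produces no finding; everything else in the sample does. Pointing the function at a real httpd.conf and every .htaccess under the document root gives a quick check for the conditions the post's summary lists.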



Source: blog.csdn.net/qq_41617034/article/details/105069094