In the p cattle blog recently updated articles, portal , feeling very interesting, in their own local test it
0x01 regular expression '$'
apache parsing the root cause of this loophole is this $
, regular expressions, we all know that $ string used to match the end position, we take a look at rookie tutorial in on a regular expression character $
explains:
Match the end position of the input string. If the object is set RegExp Multiline property, also matches the $ '\ n' or '\ r'. To match the $ character itself, use \ $.
Then understand, provided at object RegExp Multiline property conditions, $
but also on to the end of the string newline
0x02 Linux environment
Here is the local Department of kali linux debian, apache configuration file path in /etc/apache2/
the next, apache2.conf
is the core apache configuration file, since my local php as apache mod way of running, so it is necessary mods-enabled
to find the configuration on apache-php module directory:
Can be seen php7.0.conf mods-available/php7.0.conf
soft link, configuration is as follows:
<FilesMatch ".+\.ph(p[3457]?|t|tml)$"> SetHandler application/x-httpd-php </FilesMatch> <FilesMatch ".+\.phps$"> SetHandler application/x-httpd-php-source # Deny access to raw php sources by default # To re-enable it's recommended to enable access to the files # only in specific virtual host or directory Require all denied </FilesMatch> # Deny access to files without filename (e.g. '.php') <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$"> Require all denied </FilesMatch> # Running PHP scripts in user directories is disabled by default # # To re-enable PHP in user directories comment the following lines # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it # prevents .htaccess files from disabling it. <IfModule mod_userdir.c> <Directory /home/*/public_html> php_admin_flag engine Off </Directory> </IfModule>
第一行就告诉了我们apache会将哪些后缀的文件当做php解析:
<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
以如下方式结尾的文件会被apache当做php解析:
php php3 php4 php5 php7 pht phtml
如果我们再结合我们上面提到的关于$
的使用,很容易想到,如果后缀名是上面这些后缀名以换行符结尾,那么也是可以解析的,本地构造文件:
文件构造好了,从浏览器打开试试看看能不能解析:
可以看见是能解析的,那么在文件上传黑名单就可以通过这种思路来绕过了。
0x02 Windows环境
关于windows环境,p牛博客下面有一些人说测试失败,我也进行了测试,虚拟机环境 win7+phpstudy : Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
配置文件(${Apache_path}/conf/extra/httpd-php.conf)如下:
LoadFile "C:/Users/admin/Desktop/phpstudy/php/php-5.4.45/php5ts.dll" LoadModule php5_module "C:/Users/admin/Desktop/phpstudy/php/php-5.4.45/php5apache2_4.dll" <IfModule php5_module> PHPIniDir "C:/Users/admin/Desktop/phpstudy/php/php-5.4.45/" </IfModule> LoadFile "C:/Users/admin/Desktop/phpstudy/php/php-5.4.45/libssh2.dll" <FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>
用p牛的代码测试:
<html> <body> <form action="test.php" method="post" enctype="multipart/form-data"> <input type="file" name="file" /> <input type="text" name="name" /> <input type="submit" value="上传文件" /> </form> </body> </html> <?php if(isset($_FILES['file'])) { $name = basename($_POST['name']); $ext = pathinfo($name,PATHINFO_EXTENSION); if(in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) { exit('bad file'); } move_uploaded_file($_FILES['file']['tmp_name'], './' . $name); } ?>
抓包修改文件名,上传:
可以看见,这里出现了两个warning,其实并非测试不成功,可以看见其实是绕过了我们代码里的黑名单的,已经执行到了move_uploaded_file
了,说明程序并没有因为没有绕过黑名单而exit,但是因为涉及到文件读写,而windows操作系统不允许后缀以换行符结尾的文件命名方式,所以这里会文件会创建失败,就出现了这两个warning了