Shulou(Shulou.com)06/01 Report--

This article mainly explains the "Apache middleware vulnerability principle and recurrence method", the content of the article is simple and clear, easy to learn and understand, the following please follow the editor's train of thought slowly in depth, together to study and learn "Apache middleware vulnerability principle and reproduction method" bar!

1. Brief introduction 1. Brief introduction of apache

Apache is the number one web server software in the world. It is widely used in various computer platforms and is one of the most popular web server-side software because of its cross-platform and security. He is fast, reliable and compiles language interpreters such as perl/python to the server through a simple API extension.

The directory structure of apache:

There are common command tools in bin, such as start.bat and httpd.batcgi-bin, which store commonly used commands under linux. For example: xxx.shconf apache-related configuration files, such as: httpd.conferror error log records where htdocs puts the source code of the website logs log manual manual modules extension module

2. Brief introduction of the principle of apache:

When it comes to the vulnerabilities of apache, you must understand how apache works.

When building a php+apache environment, many friends often use integrated environments such as phpstudy,lamp and xampp, so it is easy to ignore the principle. In order to better understand the loopholes mentioned in this chapter, we have to talk about the little secrets of apache and PHP.

Let's use the following figure to describe the complete web request process:

The request starts with request and ends with response.

The figure briefly describes how apache and php work together to complete a web request, with apache first and php later, so how do they communicate? let's take a look at the framework of php. As shown below:

In-depth understanding of zend SAPIs: https://www.laruence.com/2008/08/12/180.html

Simple understanding:

From the figure above, you can see that the overall PHP is divided into five layers (similar to the architecture diagram of Android), which can be explained as follows:

1.Zend Engine is the underlying implementation of PHP, including compilation and execution, and the underlying implementation is implemented by C language. 2.Zend API and Zend Extension API are based on Zend underlying external encapsulation to provide services. 3.Extendions uses Extension API to implement extended libraries and standard libraries, such as various built-in functions, MySQL connection libraries, etc. 4.SAPI is the server application programming interface, which is used to interact with apache, nginx and FastCGI. 5.Application is the top layer, that is, the PHP code we wrote.

Now that you understand the architecture of php above, you still don't understand the process of communication between apache and php.

Apache itself does not support php parsing. You can know how to communicate through SAPI through the architecture diagram, so how does apache communicate with SAPI? how does apache know what types of files are to be parsed into php? if you have built an environment for apache parsing php, you will definitely understand these two problems:

# load php5_module module LoadModule php5_module php5apache2_2.dll path # add file types that can execute php, have .php resolve to phpAddType application/x-httpd-php .php # or change addtype to the following (which is used by default in apache 2.4.02.4.29) SetHandler application/x-httpd-php and DirectoryIndex index.html index.htm index.php index.phtml

Apache loads the php5_module module (php5apache2_2.dll) through LoadModule, and the goal is to have apache load the php5_module module to parse the php file. It actually means to use loadmodule to load php5_module. That is, php runs as a sub-module of apache. When the php file is accessed through web, apache calls php5_module to parse the php code.

The calling process can be summarized as follows:

HTTP- > APACHE- > PHP5_MODULE- > SAPI-PHP

At this point, you should understand how apache calls php.

2. Vulnerabilities in parsing apache files 1. Introduction

Parsing vulnerability (CVE-2017-15715): unknown extension parsing vulnerability

The resolution vulnerability of apache depends on one feature: apache defaults that a file can have multiple suffixes separated by dots, such as test.php.abc. When the rightmost suffix is not recognized (not in the mime.types file), it continues to identify to the left until the legal suffix is recognized. Unlike windows, the name resolution of a file does not only recognize the last suffix, but from right to left. Until you encounter a file that you can parse.

Apache official explanation address: http://httpd.apache.org/docs/current/mod/directive-dict.html2, deploy phpstudy test

Deploy an apache+php environment through phpstudy

Visit phpinfo

The file name extension of apache is defined in the conf/mime.types file

We create the following file to verify the rule

Access phpinfo.png.abc files

Access phpinfo.png files

We can see that .png.abc files can be parsed to .png files, so I add other suffixes that php can't recognize after php files to parse php files to bypass some file upload restrictions and make them parse normally.

Visit phpinfo.php.abc

According to the figure above, we find that the files in php.abc are displayed through txt access, and cannot be parsed using php, because the combination mode of apache and php is different.

3. Three combination methods of apache and php.

CGI mode:

CGI, which is usually translated as a common gateway interface, is an interface through which other programs on the HTTP server domain machine communicate, allowing the WEB server to start additional programs to handle dynamic content if necessary. CGI is a protocol that defines how webserver domain CGI programs communicate. The disadvantage is that each client request requires the establishment and destruction of processes. Because HTTP wants to generate a dynamic page, the system must start a new process to run CGI programs. Fork constantly is a time-consuming and resource-consuming task.

FastCGI mode:

Repeated loading of the CGI parser is the main reason for the poor performance of CGI. If the CGI parser remains in memory and is scheduled by the GastCGI process manager, it can provide good information, scalability, and so on.

FastCGI is a resident CGI that can be executed all the time, as long as it doesn't take time to fork every time after activation.

Module mode:

The working mode of apache's MPM (multiprocessing module) is used to define the model that apache works in response to multiple user requests. There are three MPM modes:

Prefork (one request and one process response)

Worker (respond to a request with one thread, start multiple processes and generate multiple threads per process)

Event (a process processes multiple requests)

For details, please refer to: https://blog.csdn.net/sinat_22991367/article/details/73431316

Based on the above, we have learned about the three modes of the combination of apache and php, so what is the relationship between different patterns and parsing vulnerabilities? let's take a look at:

All versions of apache that use module mode combined with php have an unknown extension resolution vulnerability, and all versions of apache that use fastcig mode combined with php do not. Moreover, to exploit this vulnerability, you must ensure that there is at least one ".php" in the file extension, otherwise it will be treated as an txt/html document by default.

1. Use all versions of module schema domain php combination, apache has unknown extension resolution vulnerability 2, use fastcgi schema domain php combination of all versions, apache does not have this vulnerability unknown extension resolution vulnerability 3. To exploit this vulnerability, you must ensure that the file name has at least one ".php". Otherwise, it will be treated as an txt/html document by default

Apache 2.0 Handler uses module mode

Detailed explanation of https://blog.csdn.net/wn314/article/details/77074477 III, linux environment test file parsing vulnerabilities 1, environment deployment

Install apache

The kali virtual machine contains apache, in the / etc/ directory

Cd / etc/ls-al apache2/

Start apache

/ etc/init.d/apache2 start / etc/init.d/apache2 statusservice apache2 restartnetstat-tnlp

Access port 80

Install php

The kali virtual machine above contains php, which is also under the / etc/ directory

Php-v # View php version

Test whether apache can parse php files

Create an index.php file in the / var/www/html directory

Touch index.php # create file # add # edit file gedit index.php

Visit index.php

2. Analyze apache parsing vulnerabilities

Apache2 and apache directories are different. Apache2 is roughly divided into conf, mods, sites directories and some configuration files, each with an enabled type and an availablelia suffix.

Enabled # is the startup file, and the default is the soft link to the configuration file in the availble # folder. The files you put in avaibled # are the real configuration files. Ports.conf # listens for the configuration file of IP and port settings for the server, apache2.conf # corresponds to the httpd.conf file sites-available # if multiple virtual hosts are configured on the apache, the configuration file of each virtual host is stored in the directory mods-available # is the configuration file and link of the apache function module. When I installed the PHP module, there are php5.load, php5.conf and links to these two files in these two directories.

According to the above instructions, we need to see the configuration of php in the sites-available directory

Looking at the php7.3.conf file, the first line tells us that Apache will parse those suffixed files as php

According to the above rule, the file ending as follows will be parsed by apache as php

Pharphpphtml

The root cause of the apache parsing vulnerability is the $character, which is used to match the end of the string in regular expressions.

Rookie tutorial explanation: https://www.runoob.com/regexp/regexp-syntax.html

3. Multiple suffix loopholes

Loophole recurrence

We modified the regular expression just mentioned in the php7.3.conf file, meaning to match the suffix name with .php, .phar, .phtml files.

Change $to *

Restart apache

Service apache2 restart

Test access to phpinfo.php.jpg files

We see that phpinfo.php.jpg is parsed as php.

Summarize the conditions of utilization

1. Module mode is used, and the regularity satisfies condition 2. The file is parsed from right to left with at least one .php3.Apache parsing file name. Even if the rightmost file format is in the mime.types file, as long as .php appears in the file, it can be parsed by php module 4. Addhandlerd parsing

Loophole recurrence

Visit phpinfo.php.jpg. Normally, apache parses the file name from right to left. Phpinfo.php.jpg first parses the file in jpg format, so the picture is displayed.

Add a conf file to the sites-enabled directory, which means that apache identifies all files with a .php suffix

AddHandler application/x-httpd-php .php

Restart apache

Service apache2 restart

Access phpinfo.php.jpg files

Utilization summary

Even if the rightmost file format is in the mime.types file, as long as .php appears in the file, it can be parsed by the php module. 5. Rare suffix summary

Loophole recurrence

In the mime.types file, there are not only php, but also php3, php4, php5, and so on.

Cat / etc/mime.types | grep php

In php7.4.php regular expressions, match php, phar, phtml

We can parse php files with other file suffixes, such as phtml. At certain times, bypass some restrictions

6. Summary of configuration problems

1. If you modify the first line of genuine expression in the / etc/apache2/mods-enabled/phpxx.conf file, there will be a file parsing vulnerability.

Change $to *. \. Other characters, etc.

2. If there is such a configuration in / etc/apache2/apache2.conf of apache

SetHandler application/x-httpd-php

At this point, the file name is the file containing .jpg, and all of them are resolved to php.

3. Add a conf file under the sites-enabled directory of apache and configure one line of code:

AddHandler application/x-httpd-php .php

At this time, as long as the file name contains .php, it can be resolved to php.

4. If the / etc/apache2/mods-enabled/phpxx.conf regular expression matches php, phar, phtml and some files such as php3, php4 and php5 in / etc/mime.types, we can simply bypass the restrictions by modifying the suffix to upload files within this range.

4. Apache httpd newline parsing vulnerability (CVE-2017-15715) 1. Brief introduction to the vulnerability

Apache runs scripts through modl_php mode, and there is an apache newline parsing vulnerability in 2.4.0-2.4.29. When parsing php, xx.php\ 0A will be parsed by the security .php suffix, causing some security mechanisms to be bypassed.

The first line of / etc/apache2/mods-enabled/php7.3.php regulates the types of php files that can be parsed

The regular expression ends with the $symbol, and if the Multiline property of the RegExp object is set, $also matches'\ n'or'\ r'.

Using this mechanism, if you add a newline character after the file name, you can bypass the file upload limit and reach the point where it can be parsed by php. Let's start the test, that is:

1.php\ x0a = 1.php\ n2, prepare vulnerability environment Vulhub1, download dockercurl-s https://get.docker.com/ | sh

View docker version

Docker-v

2. Install docker-composeapt install python-pippip install docker-composesudo apt install docker-compose

View docker-compose version

Docker-compose-v

3. Download vulhub

After installing docker and docker-compose, download or upload valhue to any local directory

Git clone https://github.com/vulhub/vulhub.git

Or upload the package locally

4. Launch (CVE-2017-15715) vulnerability environment cd vulhub-master/httpd/CVE-2017-15715 docker-compose up-d after running, it will automatically find the configuration files in the current directory. If the environment contained in the configuration file already exists, it will not be compiled again; if the environment contained in the configuration file does not exist, it will be compiled automatically. So, in fact, the docker-compose up-d command includes docker-compose build. If the configuration file is updated, you can manually execute docker-compose build to recompile the range environment. Docker-compose builddocker-compose up-ddocker ps lists all the running container information.

3. Vulnerability testing

Access port 8080

Upload file directly, failed

Use burp to crawl request report

Send it to repeater and add it after 1.php. Symbol

. Symbol hex encoded as 2e0a decoded in hex or newline character

Change 2e to 0a

Before modification

After modification

Uploaded successfully

Access 2.php files

Http://192.168.43.129:8080/2.php%0a

Let's take a look at the uploaded file,\ ncorresponding to the 0a in the hex code.

4. Analyze the code

Why can we give it up by loading 0X0a? let's take a look at the code of index.php first.

Upload

File:

Filename:

It can be seen that the blacklist is used here. If the suffix is found in the blacklist of 'php',' php3', 'php4',' php5', 'phtml',' pht', all blacklists will be uploaded and intercepted.

As we mentioned earlier, the php module validates file names that can be parsed by regular expressions in parsing php files, with the regular expression at the end of the $symbol, and if the Multiline property of the RegExp object is set, $also matches'\ n'or'\ r'. We add\ x0a (\ n) at the end of the file to ensure that the file is parsed and the upload blacklist can be bypassed.

The difference between 0x0a and 0x0d:

0x0d,\ r and CR represent carriage return, which means the same thing. The function of carriage return is to move the cursor to the starting position of the line 0x0a,\ n, and CL, which represent line feed, which means line feed to the beginning of the next line 6, repair suggestion 1, upgrade to the latest version 2, or rename the uploaded file to the format of timestamp + random number + .jpg. And disable the upload file directory to execute script permissions 7. Add: docker-compose commonly used command docker-compose up-d # start all services and run docker-compose up ps # check service running status docker-compose restart # restart all services docker-compose restart myApp # restart myApp services docker-compose start # start all services docker-compose stop # stop all services docker-compose rm # delete all services docker -compose build # recompile the range environment 5. Apche SSI remote Command execution vulnerability (ssi-rce) 1, vulnerability introduction 1, vulnerability description

SSI (server-side includes): an instruction placed in a HTML page that can add dynamically generated content to a current HTML page without having to provide the entire page through a CGI program or other dynamic technology. The above definition adopts the definition of SSI on the official website of apache. To put it bluntly, you can add specific instructions to HTML, and you can also introduce other pages. To start SSI, you need to configure Apache separately. Refer to:

Https://httpd.apache.org/docs/2.4/howto/ssi.html

SSI can complete the viewing time, file modification time, CGI program execution results, execute system commands, connect to the database and other operations, the function is very powerful.

When testing for arbitrary file upload vulnerabilities, the target server may not be allowed to upload files with the php suffix. If the target server has SSI and CGI support enabled, we can upload a shtml file and execute arbitrary commands using syntax.

2. Affect the version

Full version of apache (supports SSI and CGI)

2. Environment building

This test uses docker to build the environment, and the environment uses Vulhub target machine.

Cd / root/vulhub-master/httpd/ssi-rcedocker-compose up-ddocker ps

Cat upload.php

3. Vulnerability reproduction 1. Create script

We use SSI to execute the work of system commands, normal a file containing SSI instructions, saved in the test.shtml file, the contents are as follows:

The suffix name of the file depends on the configuration of apache, and the default is the suffix.

2. Upload Trojans

If the suffix name is not checked strictly at the backend, you can upload a file of type shtml, reach the command execution, and obtain the directory of webshell.

Access the shtml file and see that the whoami command is executed and the result is returned

3, rebound shell thank you for reading, the above is the content of "Apache middleware vulnerability principle and reproduction method". After the study of this article, I believe you have a deeper understanding of the Apache middleware vulnerability principle and reproduction method, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.