
Middleware Vulnerabilities: Apache

Date: 2023-01-08 01:22:38
Tags: httpd, Deny, parsing, file, middleware, vulnerability, apache, php

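Parsing vulnerabilities

1. Extension parsing vulnerability caused by PHP configuration

This vulnerability occurs when PHP runs under Apache as mod_php.
In this mode PHP parses code as an Apache sub-module; a file whose name matches the rules below is treated as a PHP file and executed.

Changing the $ symbol to . is enough for more file names to satisfy the PHP matching rule, which causes the file parsing vulnerability: without the end anchor, a name only needs to contain a PHP extension followed by a dot.
Before modification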

<FilesMatch ".+\.ph(?:ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(?:ar|p|ps|tml)$">
    Require all denied
</FilesMatch>

# Running PHP scripts in user directories is disabled by default
# 
# To re-enable PHP in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
<IfModule mod_userdir.c>
    <Directory /home/*/public_html>
        php_admin_flag engine Off
    </Directory>
</IfModule>

After modification

<FilesMatch ".+\.ph(?:ar|p|tml)\.">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(?:ar|p|ps|tml)$">
    Require all denied
</FilesMatch>

# Running PHP scripts in user directories is disabled by default
# 
# To re-enable PHP in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
<IfModule mod_userdir.c>
    <Directory /home/*/public_html>
        php_admin_flag engine Off
    </Directory>
</IfModule>

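Remediation
1. Restore the $ symbol.
2. If the original file name has to be kept, tighten the application code and replace the "." characters in the name with another character.
3. Add a configuration block that denies access: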

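# Deny any file whose name has a PHP extension followed by another suffix.
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied".
<FilesMatch "\.(php|php3|php4|php5)\.">
    Order Deny,Allow
    Deny from all
</FilesMatch>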

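2. Apache file parsing vulnerability caused by a misconfigured httpd.conf

In the Apache configuration file httpd.conf, removing the # in front of the line below (uncommenting it) also produces a file parsing vulnerability.
When Apache meets a file suffix it does not recognize, it searches from the end of the name towards the front until it finds a suffix it does recognize, such as php or phtml,
which causes the file to be parsed as PHP.
Example: x.php.cji.abc.xxx.xyz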

#AddType application/x-httpd-php .php .phtml

Remediation
1. Put the # back (comment the line out).
2. Add a configuration block that denies access:

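# Deny any file whose name has a PHP extension followed by another suffix.
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied".
<FilesMatch "\.(php|php3|php4|php5)\.">
    Order Deny,Allow
    Deny from all
</FilesMatch>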

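Directory traversal vulnerability

This vulnerability is also caused by a misconfigured httpd.conf.

When a client requests a directory, Apache by default looks for one of the files in the index list. If none of them exists, it either lists all files in the current directory or returns a 403 status code; the listing is what causes the directory traversal.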

DocumentRoot "C:\phpStudy\WWW"
<Directory />
Options +Indexes +FollowSymLinks +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>

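Remediation
1. Change the configuration to remove the directory browsing permission.

  • +Indexes allows directory browsing
  • -Indexes disables directory browsing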

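CVE-2017-15715 newline parsing vulnerability (Apache HTTPD)

This parsing vulnerability exists in versions 2.4.0~2.4.29.
When PHP files are resolved, 1.php\x0a is treated as having a PHP suffix and parsed accordingly.

The vulnerability exists because the code does not filter strictly and fails to remove a trailing %0a/%0d from the file name.

Remediation
1. Regenerate the file name and fix the suffix of uploaded files.
2. Remove execute permission from the upload directory.
3. Upgrade the server version.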
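
An added example, not from the original post: it checks the FilesMatch patterns from section 1 and the CVE-2017-15715 case against constructed file names, and implements remediation 1 (regenerated name, fixed suffix). STRICT, ALLOWED_SUFFIXES and all function names are assumptions; Python's re stands in for Apache's regex engine, whose default $ behaves the same way.

```python
import re
import secrets

# FilesMatch patterns copied from the page's "before" and "after" configurations.
ORIGINAL = re.compile(r".+\.ph(?:ar|p|tml)$")
MODIFIED = re.compile(r".+\.ph(?:ar|p|tml)\.")
# Assumption for comparison: \Z matches only at the very end of the string,
# whereas $ (in Python's re as in PCRE's default mode) also matches just
# before one trailing newline.
STRICT = re.compile(r".+\.ph(?:ar|p|tml)\Z")

# Assumption: suffixes this hypothetical upload endpoint accepts.
ALLOWED_SUFFIXES = {".jpg", ".png", ".gif", ".pdf"}


def handled_as_php(pattern, filename):
    """Unanchored search, which is how a FilesMatch regex is applied."""
    return pattern.search(filename) is not None


def safe_upload_name(client_name):
    """Remediation 1: drop the client's name, keep only an allowlisted suffix."""
    dot = client_name.rfind(".")
    suffix = client_name[dot:].lower() if dot != -1 else ""
    if suffix not in ALLOWED_SUFFIXES:  # ".php" and ".php\n" both end up here
        raise ValueError(f"suffix not allowed: {suffix!r}")
    return secrets.token_hex(16) + suffix


def classify(filename):
    """Return (original, modified, strict) match results for one file name."""
    return tuple(handled_as_php(p, filename) for p in (ORIGINAL, MODIFIED, STRICT))


if __name__ == "__main__":
    # Constructed sample names covering the cases the page describes.
    for name in ["index.php", "1.php\n", "x.php.jpg", "photo.jpg"]:
        print(f"{name!r:14} original/modified/strict = {classify(name)}")
        try:
            print("   stored as", safe_upload_name(name))
        except ValueError as err:
            print("   rejected:", err)
```

The stored name is random hex plus an allowlisted suffix, so neither the trailing-newline name nor the double-extension name reaches the PHP handler patterns.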

From: https://www.cnblogs.com/arsonist/p/17033983.html
