Security - recurrence of Apache httpd newline parsing vulnerability (cve-2017-15715)

Fox FM 2022-02-13 06:06:03 阅读数:569

security recurrence apache httpd newline

Preface

Recurrence environment dockerdocker-composevulhub, Do not use for illegal purposes

Apache HTTPD Line feed parsing vulnerability recurrence (CVE-2017-15715)

Affects version

2.4.0~2.4.29

Loophole recurrence

start-up docker service

 Insert picture description here

If you use docker-compose up -d The following error message appears during startup , It means that the port has been occupied
my 8080 The port is already occupied , Can be in docker-compose.yml Modify port number in configuration

 Insert picture description here
 Insert picture description here

 Insert picture description here

index.php It's an upload page , You can see in the blacklist php suffix

<?php
if(isset($_FILES['file'])) {

$name = basename($_POST['name']);
$ext = pathinfo($name,PATHINFO_EXTENSION);
if(in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {

exit('bad file');
}
move_uploaded_file($_FILES['file']['tmp_name'], './' . $name);
} else {

?>
<!DOCTYPE html>
<html>
<head>
<title>Upload</title>
</head>
<body>
<form method="POST" enctype="multipart/form-data">
<p>
<label>file:<input type="file" name="file"></label>
</p>
<p>
<label>filename:<input type="text" name="name" value="evil.php"></label>
</p>
<input type="submit">
</form>
</body>
</html>
<?php
}
?>

 Insert picture description here

Construct a php Script

 Insert picture description here

Upload and grab bags ,filename The input box on the right is the name of the file after uploading

 Insert picture description here

It just needs to be modified test.php%0a Part of the file name ,data.php Is that the original file name will not be used

 Insert picture description here

take %0a Select to proceed URL decode (URL-decode

 Insert picture description here

 Insert picture description here

Click send , Successfully uploaded

 Insert picture description here

Visit... On the page http://IP: port / file name .php%0a It can be parsed php Code

 Insert picture description here

copyright:author[Fox FM],Please bring the original link to reprint, thank you. https://en.javamana.com/2022/02/202202130606006685.html