[php代码审计] apache 后缀名解析“漏洞”
不能说是漏洞,只是 apache 特性而已。
下面是apache httpd.conf中截取的一段:
<IfModule mime_module> # # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. # TypesConfig conf/mime.types # # AddType allows you to add to or override the MIME configuration # file specified in TypesConfig for specific file types. # #AddType application/x-gzip .tgz # # AddEncoding allows you to have certain browsers uncompress # information on the fly. Note: Not all browsers support this. # AddEncoding x-compress .Z AddEncoding x-gzip .gz .tgz # # If the AddEncoding directives above are commented-out, then you # probably should define those extensions to indicate media types: # AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType application/x-httpd-php .php AddType application/x-httpd-php .php3 # # AddHandler allows you to map certain file extensions to "handlers": # actions unrelated to filetype. These can be either built into the server # or added with the Action directive (see below) # # To use CGI scripts outside of ScriptAliased directories: # (You will also need to add "ExecCGI" to the "Options" directive.) # #AddHandler cgi-script .cgi # For type maps (negotiated resources): #AddHandler type-map var # # Filters allow you to process content before it is sent to the client. # # To parse .shtml files for server-side includes (SSI): # (You will also need to add "Includes" to the "Options" directive.) # #AddType text/html .shtml #AddOutputFilter INCLUDES .shtml </IfModule>
由上可知道,.php 或 .php3后缀的文件会被php解析。
Index.php.a文件有两个后缀,分别是.php和.a,apache无法识别.a但可以识别.php,然后件给php去解析。
如果去掉后缀 (.php) ,则无法解析,按照默认设置(DefaultType text/plain),对于无法识别的后缀,按纯文本发给浏览器。
如下图(.a后缀无法识别,按默认):
如果在 httpd.conf 中添加AddType application/x-httpd-php .a如图:
Apache按从右到左的顺序识别文件后缀,直至找到后缀能匹配配置文件中的设置。index.php.txt,将会被识别为纯文本(text/plain);
index.php.Z将会被识别为压缩文件。Index.php.a 若.a没有被设置或mime.types没有定义,则会识别为.php后缀的文件,交给php解析。
在mine.types中设置后缀匹配识别: