[php代码审计] apache 后缀名解析“漏洞”

不能说是漏洞,只是 apache 特性而已。

下面是apache  httpd.conf中截取的一段:

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig conf/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    AddEncoding x-compress .Z
    AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
   AddType application/x-httpd-php .php3

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
    
</IfModule>

由上可知道,.php 或 .php3后缀的文件会被php解析。

Index.php.a文件有两个后缀,分别是.php和.a,apache无法识别.a但可以识别.php,然后件给php去解析。

如果去掉后缀 (.php) ,则无法解析,按照默认设置(DefaultType  text/plain),对于无法识别的后缀,按纯文本发给浏览器。

如下图(.a后缀无法识别,按默认):

 

如果在 httpd.conf 中添加AddType application/x-httpd-php .a如图:

 

 

 

Apache按从右到左的顺序识别文件后缀,直至找到后缀能匹配配置文件中的设置。index.php.txt,将会被识别为纯文本(text/plain);

index.php.Z将会被识别为压缩文件。Index.php.a 若.a没有被设置或mime.types没有定义,则会识别为.php后缀的文件,交给php解析。

在mine.types中设置后缀匹配识别:

 

posted @ 2017-07-31 21:27  S3c0ldW4ng  阅读(3139)  评论(0编辑  收藏  举报