forked from vulhub/vulhub
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
28 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # Apache SSI 远程命令执行漏洞 | ||
|
|
||
| 在测试任意文件上传漏洞的时候,目标服务端可能不允许上传php后缀的文件。如果目标服务器开启了SSI与CGI支持,我们可以上传一个shtml文件,并利用`<!--#exec cmd="id" -->`语法执行任意命令。 | ||
|
|
||
| 参考链接: | ||
|
|
||
| - https://httpd.apache.org/docs/2.4/howto/ssi.html | ||
| - https://www.w3.org/Jigsaw/Doc/User/SSI.html | ||
|
|
||
| ## 漏洞环境 | ||
|
|
||
| 运行一个支持SSI与CGI的Apache服务器: | ||
|
|
||
| ``` | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 环境启动后,访问`http://your-ip:8080/upload.php`,即可看到一个上传表单。 | ||
|
|
||
| ## 漏洞复现 | ||
|
|
||
| 正常上传PHP文件是不允许的,我们可以上传一个shell.shtml文件: | ||
|
|
||
|  | ||
|
|
||
| 成功上传,然后访问shell.shtml,可见命令已成功执行: | ||
|
|
||
|  |