橙色蔡_混淆攻击利用Apache HTTP服务器中的隐藏语义模糊（预录）.pdf

《橙色蔡_混淆攻击利用Apache HTTP服务器中的隐藏语义模糊（预录）.pdf》由会员分享，可在线阅读，更多相关《橙色蔡_混淆攻击利用Apache HTTP服务器中的隐藏语义模糊（预录）.pdf（106页珍藏版）》请在三个皮匠报告上搜索。

1、Confusion Attacks!Orange TsaiExploiting Hidden Semantic Ambiguity in Apache HTTP ServerUSA 2024Who hasnt heard of Apache HTTP Server before?Apache Httpd in a Nutshell1.Almost 30-year-old open-source project2.CGI enabled by default3.Heavily integrated with PHP101 Ways to Run PHP1.mod_php2.php-fpm3.mo

2、d_fastcgi4.mod_proxy_fcgi5.mod_fcgi6.mod_fcgid7.mod_cgi+php-cli8.mod_cgi+php-cgi9.mod_cgi+spawn-fcgi10.mod_cgi+fcgiwrap11.more?Config Directives are ComplicatedSetHandler handler-name|none|expressionAddHandler handler-name extension extension.AddTypemedia-type extension extension.DefaultTypemedia-ty

3、pe|noneForceTypemedia-type|NoneActionaction-type cgi-script virtualRewriteRulePattern Substitution flagsProxyPasspath !|url key=value key=value.nocanon.FcgidWrappercommand suffix virtualFastCgiServerfilename optionWhich is Correct?AddHandler application/x-httpd-php.phpAddTypeapplication/x-httpd-php.

4、phpBoth are Correct!AddHandler application/x-httpd-php.phpAddTypeapplication/x-httpd-php.phpCorrect doesnt mean SecureAddHandler application/x-httpd-php.phpAddTypeapplication/x-httpd-php.phpAddHandler application/x-httpd-php.phpCorrect doesnt mean SecureAddTypeapplication/x-httpd-php.php1.Almost 30-

5、year-old open-source project2.CGI enabled by default3.Heavily integrate with PHP4.Last but not leastApache Httpd in a NutshellApache Httpd in a Nutshell1.Almost 30-year-old open-source project2.CGI enabled by default3.Heavily integrate with PHP4.Last but not least#1 How to Bypass AuthType Basic Auth

6、Name Admin Panel AuthUserFile/etc/apache2/.htpasswd Require valid-user#2 How to BreakRewriteRule/html/(.*)$/$1.html#3 How to Exploit#!/usr/bin/perluse CGI;my$q=CGI-new;my$redir=$q-param(redir);if($redir&$redir=mhttp:/)print Location:$redirn;print Content-Type:text/htmlnn;XSS only?CRLFInjection inRes