[TOC]
11.28 restricting a directory from parsing PHP
Many sites and forums let users upload images to the server. That leaves a door open for an attacker: instead of an image they upload a PHP (or JS) file, then request it so that the server executes it. A handful of PHP functions is enough to reach the highest privileges on the host, which puts the data at risk.
To prevent this we have to limit what may be uploaded and, just as important, make sure nothing in the upload directory is ever executed as PHP.
1. Open the configuration file httpd-vhosts.conf and add the following block inside the virtual host. It switches the PHP engine off for the whole upload directory and, on top of that, denies access to every file whose name contains .php, so such files are neither executed nor served (Apache only accepts comments on lines of their own, so the explanations below are written that way):
<Directory /data/wwwroot/xavi.com/upload>
    # Disable PHP parsing in this directory. On its own this only stops execution:
    # a .php file would then be served as plain text (see step 5).
    php_admin_flag engine off
    # Match any file name containing .php (the dot must be escaped)
    <FilesMatch (.*)\.php(.*)>
        # Without the Deny, the request would still be answered with the file's source code.
        # Together with the directive above, every such request gets a 403.
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
Two caveats: php_admin_flag only exists when PHP runs as an Apache module (mod_php, as in the Server header "Apache/2.4.29 (Unix) PHP/7.1.6" seen below); with php-fpm the same effect needs a handler restriction instead. And Order/Deny are the Apache 2.2 syntax, kept alive in 2.4 by mod_access_compat; the native 2.4 form is Require all denied. Note also that FilesMatch is case-sensitive, so the pattern above does not match 123.PHP; prefix it with (?i) if the file system accepts such names.
2. Check the syntax with -t and reload with graceful
[root@host ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@host ~]# /usr/local/apache2.4/bin/apachectl graceful
httpd not running, trying to start
[root@host ~]# /usr/local/apache2.4/bin/apachectl start
httpd (pid 2838) already running
[root@host ~]# /usr/local/apache2.4/bin/apachectl graceful
3. Create the upload directory, put a PHP file in it and test. The expected 403 did not appear:
[root@host ~]# mkdir upload
[root@host ~]# ls
123.txt  anaconda-ks.cfg  httpd-2.4.29.tar.gz  rsync  test2  321.txt  awk  index.php  sed  upload  556.txt  grep  initial-setup-ks.cfg  split_dir  xaaadmin  httpd-2.4.29  test1
[root@host ~]# cp index.php upload/
[root@host ~]# curl -x127.0.0.1:80 'http://xavi.cpm
[root@host ~]# curl -x127.0.0.1:80 'http://xavi.com/admin.php?adadede' -I
HTTP/1.1 404 Not Found
Date: Sun, 11 Mar 2018 03:33:57 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
4. Find the cause of the error and verify the result
The reason no 403 Forbidden came back is that I overlooked where the commands were being run: the upload directory was created in the home directory (~), not in the DocumentRoot. The <Directory> block refers to /data/wwwroot/xavi.com/upload, so the correct procedure is to work inside /data/wwwroot/xavi.com rather than in the default path.
The following is the re-run:
[root@host ~]# cd /data/wwwroot/xavi.com
[root@host xavi.com]# ls
123.php  admin  index.php  xavi.jpg  xavi.txt
[root@host xavi.com]# mkdir uplaod
[root@host xavi.com]# ls
123.php  admin  index.php  uplaod  xavi.jpg  xavi.txt
[root@host xavi.com]# mv uplaod upload
[root@host xavi.com]# ls
123.php  admin  index.php  upload  xavi.jpg  xavi.txt
[root@host xavi.com]# cp 123.php /upload
[root@host xavi.com]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
[root@host xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@host xavi.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@host xavi.com]# !curl
curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 05:31:04 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
Note that the transcript copies 123.php to /upload (the file system root) rather than to ./upload. The 403 shows up regardless, because Deny from all is applied to the URL path before Apache checks whether the file exists; the content test in step 5, which needs the file to really be in upload/, is what confirms the directory is the one being restricted.
5. Test with the FilesMatch block removed
PHP is no longer executed, but the file is served as plain text, so the source code is shown directly:
[root@host xavi.com]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
[root@host xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@host xavi.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@host xavi.com]# curl -x127.0.0.1:80 'http://xavi.com/upload/123.php'
<?php
echo "123.php";
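The three outcomes seen in steps 4 and 5 (403 with both directives, PHP source served as text with engine off alone, the script actually running with no protection) are easy to confuse when checking by eye. The following is an added example written for this page, not code from the original post: classify() labels a response as one of those outcomes, probe() fetches a URL through the same 127.0.0.1:80 proxy the post uses with curl -x, and filesmatch_denies() mirrors Apache's FilesMatch semantics (an unanchored, case-sensitive regex search on the file name) so you can see which upload names the post's pattern does and does not cover. The host name xavi.com comes from the post; the sample response bodies, the probe User-Agent, the list of file names and STRICT_PATTERN are constructed here as illustrations.

```python
"""Added example: check how an upload directory handles .php files (not from the post)."""
import re
import urllib.error
import urllib.request

# A PHP open tag surviving in a 200 response means the file was served as text.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def classify(status: int, body: bytes) -> str:
    """Map one HTTP response to an outcome label."""
    if status == 403:
        return "blocked"        # Deny from all: the request never reached PHP
    if status == 200:
        # engine off without the FilesMatch block: the source is visible in the body
        return "leaked" if PHP_OPEN_TAG.search(body) else "executed"
    return "other"              # 404, 5xx, redirects: inconclusive


def probe(url: str, proxy: str = "127.0.0.1:80") -> str:
    """Fetch url through an HTTP proxy (like `curl -x127.0.0.1:80`) and classify it.
    Needs network access; the offline checks below call classify() directly."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": "http://" + proxy}))
    req = urllib.request.Request(url, headers={"User-Agent": "upload-dir-probe"})  # assumed UA
    try:
        with opener.open(req, timeout=5) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


# Constructed responses standing in for the three server states (not captured output).
SAMPLE_RESPONSES = {
    "engine off + FilesMatch deny": (403, b"<title>403 Forbidden</title>"),
    "engine off only":              (200, b'<?php\necho "123.php";\n'),
    "no restriction":               (200, b"123.php"),
}


def audit(samples=SAMPLE_RESPONSES) -> dict:
    """Classify every sample; returns {server state: outcome}."""
    return {name: classify(status, body) for name, (status, body) in samples.items()}


# The post's FilesMatch pattern, and a stricter suggestion (case-insensitive, more
# extensions, and the extension must end the name or be followed by another dot).
# FilesMatch does an unanchored regex search on the basename, so re.search() mirrors it.
POST_PATTERN = r"(.*)\.php(.*)"
STRICT_PATTERN = r"(?i)\.(php[0-9]?|phtml|phar)($|\.)"


def filesmatch_denies(filename: str, pattern: str = POST_PATTERN) -> bool:
    """True if <FilesMatch pattern> with Deny from all would apply to filename."""
    return re.search(pattern, filename) is not None


def coverage(names, pattern=POST_PATTERN) -> dict:
    """Which of the given upload names the pattern catches."""
    return {n: filesmatch_denies(n, pattern) for n in names}


# Constructed upload names an attacker might try.
UPLOAD_NAMES = ["123.php", "123.php.jpg", "shell.PHP", "x.phtml", "photo.jpg"]

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:30s} -> {verdict}")
    print("post pattern  :", coverage(UPLOAD_NAMES))
    print("strict pattern:", coverage(UPLOAD_NAMES, STRICT_PATTERN))
    # Live check against the vhost from the post: probe("http://xavi.com/upload/123.php")
```

Run the coverage comparison before trusting a FilesMatch line: the post's pattern does catch 123.php.jpg (the search is unanchored), but it misses shell.PHP, which with engine off would be served as readable source rather than denied.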
Summary: with both directives in place, a request for any .php file under upload/ is rejected outright; the file is never even read, let alone executed. engine off on its own only stops execution and hands the attacker the source instead. A developer who lets uploads land in a directory where PHP is parsed is simply not doing the job: static files must never be stored where PHP can run, otherwise data security has not been considered at all.
11.29 access control, limit user_agent
1. What is user_agent (browser ID)
The User-Agent, "UA" for short, is a request header string that lets the server identify the client's operating system and version, CPU type, browser and version, rendering engine, language, plugins and so on. It is supplied by the client and can be set to anything, so filtering on it stops lazy tools and crawlers but is never a real access control (step 5 below shows how easily it is bypassed).
2. CC attacks and "broilers"
A CC attack is the attack we see most often, almost every day. The attacker takes a pool of "broilers" (hosts that have already been compromised and can be driven remotely) and has them all request your site like normal visitors, so many times that real users can no longer reach it. It is not impossible to defend against, because the traffic has regular features: the User-Agent is identical across the requests, the Referer and the requested page are the same, and N requests arrive within a single second.
3. Core configuration
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    RewriteRule .* - [F]
</IfModule>
Code parsing:
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    Matches any User-Agent containing "curl". NC: ignore case. OR: either this condition or the next one is enough.
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    Matches any User-Agent containing "baidu.com" (the unescaped dot matches any character; write baidu\.com for an exact match).
RewriteRule .* - [F]
    F: Forbidden. Every request that satisfies the conditions is answered with 403.
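Two things from points 2 and 3 are worth having as code: which User-Agent strings the two RewriteCond lines actually reject, and how the CC-attack signature described in point 2 (same User-Agent, same Referer and page, N hits within one second) looks when searched for in the access log. The block below is an added example written for this page, not part of the original post. ua_blocked() mirrors the rewrite conditions as Python regexes with the same NC/OR semantics, parse_line() reads Apache "combined" log lines like the ones tailed in step 6, and find_bursts() groups hits by (IP, User-Agent, Referer, page, second) and reports the groups that hit a threshold. The log lines are constructed for the example (IPs, timestamps, sizes and the burst itself are made up; the host name xavi.com and the Chrome User-Agent follow the post).

```python
"""Added example: User-Agent rule mirror and CC-burst detection over log lines (not from the post)."""
import re
from collections import Counter

# RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
# RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
# RewriteRule .* - [F]
# Patterns copied verbatim from the post; [NC] becomes re.IGNORECASE, [OR] becomes any().
UA_BLOCK_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r".*curl.*", r".*baidu.com.*")]


def ua_blocked(user_agent: str) -> bool:
    """True if the rewrite rule above would answer this User-Agent with 403."""
    return any(p.search(user_agent) for p in UA_BLOCK_PATTERNS)


# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bursts(lines, per_second: int = 10):
    """Return [(ip, ua, referer, path, second, count)] for every group of hits that share
    IP, User-Agent, Referer and page within one clock second and reach per_second
    requests: the regular pattern a CC flood leaves behind. Sorted by count, largest first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                  # skip lines in another format
        second = rec["time"].split(" ")[0]            # keep dd/Mon/yyyy:HH:MM:SS, drop the zone
        counts[(rec["ip"], rec["ua"], rec["referer"], rec["path"], second)] += 1
    return sorted((key + (n,) for key, n in counts.items() if n >= per_second),
                  key=lambda row: -row[-1])


# Constructed sample log: one ordinary browser visitor, then one "broiler" hammering index.php.
UA_BROWSER = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36")
SAMPLE_LOG = [
    '192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /index.php HTTP/1.1" 200 7 "-" "%s"' % UA_BROWSER,
    '192.168.72.1 - - [11/Mar/2018:14:02:05 +0800] "GET /xavi.jpg HTTP/1.1" 200 2048 '
    '"http://xavi.com/index.php" "%s"' % UA_BROWSER,
] + [
    '192.168.72.99 - - [11/Mar/2018:14:03:00 +0800] "GET /index.php HTTP/1.1" 200 7 '
    '"http://xavi.com/" "%s"' % UA_BROWSER
    for _ in range(12)
]

if __name__ == "__main__":
    for ua in ("curl/7.29.0", "Baiduspider (+http://www.baidu.com/search/spider.htm)",
               UA_BROWSER, "xavilinux xavilinux"):
        print(f"{ua[:48]:48s} -> {'403' if ua_blocked(ua) else 'pass'}")
    for ip, ua, referer, path, second, n in find_bursts(SAMPLE_LOG):
        print(f"burst: {n} hits from {ip} on {path} at {second}, UA {ua[:30]}...")
```

Because the burst key includes the User-Agent and Referer, the detector reports exactly the regularity the post describes; a flood that randomises its User-Agent per request will slip past it, just as it slips past the rewrite rule, and then only the per-IP rate remains as a signal.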
4. Test: accessing directly with curl is rejected
[root@host xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@host xavi.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@host xavi.com]# curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 07:04:12 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
Note that /upload/123.php is already denied by the <Directory> block from 11.28, so this request alone cannot show which rule produced the 403. To be sure the rewrite rule is doing the work, request a path outside the upload directory (such as /123.php, the one step 5 uses) with curl's default User-Agent and confirm it is rejected too.
5. Use curl -A to claim any browser identity you like for the request
[root@host xavi.com]# curl -A "xavilinux xavilinux" -x127.0.0.1:80 'http://xavi.com/123.php' -I
HTTP/1.1 200 OK
Date: Sun, 11 Mar 2018 07:21:42 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
Simply changing the claimed browser string gets the request through: the rule only ever sees what the client chooses to send.
6. View the log file: tail /usr/local/apache2.4/logs/xavi.com-access_20180311.log
[root@host xavi.com]# tail /usr/local/apache2.4/logs/xavi.com-access_20180311.log
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:05:32 +0800] "GET http://xavi.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:05:32 +0800] "GET http://xavi.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:21:42 +0800] "HEAD http://xavi.com/123.php HTTP/1.1" 200 - "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:21:42 +0800] "HEAD http://xavi.com/123.php HTTP/1.1" 200 - "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:22:18 +0800] "GET http://xavi.com/123.php HTTP/1.1" 200 7 "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:22:18 +0800] "GET http://xavi.com/123.php HTTP/1.1" 200 7 "-" "xavilinux xavilinux"
The log shows exactly what the rule keys on: the curl/7.29.0 requests get 403, while the same path requested with the made-up User-Agent "xavilinux xavilinux" gets 200 (the 7-byte body is the output of echo "123.php"). The last column is the string the client claimed, nothing more.
Useful extension:
Disabling the TRACE and TRACK methods in Apache, which closes off cross-site tracing (XST, an XSS-related attack that abuses TRACE to read back request headers such as cookies):
http://ask.apelearn.com/question/1045