first commit

httpd/apache_parsing_vulnerability/README.md

@@ -0,0 +1,40 @@
+# Apache HTTPD Multiple Extension Parsing Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTPD is a widely-used HTTP server that can run PHP web pages through mod_php. This vulnerability is related to how Apache HTTPD handles files with multiple extensions.
+
+Apache HTTPD supports files having multiple extensions, with different directives being executed for each extension. When misconfigured, this feature can lead to security vulnerabilities where malicious files bypass upload restrictions. For example, with the following configuration:
+
+```
+AddType text/html .html
+AddLanguage zh-CN .cn
+AddHandler application/x-httpd-php .php
+```
+
+The server will process multiple extensions from left to right, and if any extension is configured to be handled by a specific handler (like PHP), it will be executed regardless of its position in the filename. This means a file named `malicious.php.jpg` would still be executed as PHP code, potentially bypassing upload restrictions that only check the final extension.
+
+References:
+
+- [Apache HTTP Server Documentation - MultiViews](https://httpd.apache.org/docs/current/content-negotiation.html#multiviews)
+- [OWASP File Upload Vulnerabilities](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+
+## Environment Setup
+
+Execute the following command to start an Apache server with PHP 7.3 environment:
+
+```
+docker compose up -d
+```
+
+## Vulnerability Reproduction
+
+First, visit `http://your-ip/uploadfiles/apache.php.jpeg` in your browser. You'll notice that despite having a `.jpeg` extension, the file is executed as PHP code and displays the phpinfo() page.
+
+To actively exploit this vulnerability, visit `http://your-ip/index.php` where you'll find a file upload interface with extension whitelist validation. The upload functionality only checks the final extension but doesn't rename the uploaded file. By uploading a file with multiple extensions like `shell.php.jpg` or `shell.php.jpeg`, we can bypass the extension check while ensuring the file is still executed as PHP code by Apache.
+
+![Upload Interface](1.png)
+
+After successful upload, accessing the file through the browser will execute the PHP code, demonstrating the vulnerability:
+
+![Vulnerability Proof](2.png)

httpd/apache_parsing_vulnerability/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Apache HTTPD 多后缀解析漏洞
+
+[English](README.md)
+
+Apache HTTPD 是一个广泛使用的开源Web服务器软件。这个漏洞与Apache HTTPD处理多后缀文件的机制有关。
+
+Apache HTTPD支持一个文件拥有多个后缀，并为不同后缀执行不同的指令。当配置不当时，这个特性可能导致安全漏洞，使恶意文件绕过上传限制。例如，以下配置：
+
+```
+AddType text/html .html
+AddLanguage zh-CN .cn
+AddHandler application/x-httpd-php .php
+```
+
+服务器会从左到右处理多个后缀，如果任何后缀被配置为由特定处理器（如PHP）处理，那么无论该后缀在文件名中的位置如何，都会被执行。这意味着一个名为`malicious.php.jpg`的文件仍然会被作为PHP代码执行，从而可能绕过仅检查最后一个后缀的上传限制。
+
+参考链接：
+
+- [Apache HTTP Server文档 - MultiViews](https://httpd.apache.org/docs/current/content-negotiation.html#multiviews)
+- [OWASP文件上传漏洞](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+
+## 环境搭建
+
+执行以下命令启动一个包含PHP 7.3环境的Apache服务器：
+
+```
+docker compose up -d
+```
+
+## 漏洞复现
+
+首先，在浏览器中访问`http://your-ip/uploadfiles/apache.php.jpeg`。你会发现，尽管文件具有`.jpeg`后缀，但它被作为PHP代码执行并显示了phpinfo()页面。
+
+要主动利用这个漏洞，访问`http://your-ip/index.php`，你会看到一个带有后缀白名单验证的文件上传界面。上传功能只检查最后一个后缀，且不会重命名上传的文件。通过上传具有多个后缀的文件（如`shell.php.jpg`或`shell.php.jpeg`），我们可以绕过后缀检查，同时确保文件被Apache作为PHP代码执行。
+
+![上传界面](1.png)
+
+成功上传后，通过浏览器访问该文件将执行PHP代码，证实了漏洞的存在：
+
+![漏洞证明](2.png)

httpd/apache_parsing_vulnerability/conf/docker-php.conf

@@ -0,0 +1,9 @@
+AddHandler application/x-httpd-php .php
+
+DirectoryIndex disabled
+DirectoryIndex index.php index.html                                                                  
+
+<Directory /var/www/>
+    Options -Indexes
+    AllowOverride All
+</Directory>

httpd/apache_parsing_vulnerability/docker-compose.yml

@@ -0,0 +1,10 @@
+services:
+ apache:
+   image: php:7.3-apache
+   volumes:
+    - ./www:/var/www/html
+    - ./conf/docker-php.conf:/etc/apache2/conf-enabled/docker-php.conf
+    - ./start.sh:/var/www/start.sh
+   command: /bin/sh /var/www/start.sh
+   ports:
+    - "80:80"

httpd/apache_parsing_vulnerability/start.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+chmod 777 /var/www/html/uploadfiles
+apache2-foreground

httpd/apache_parsing_vulnerability/www/index.php

@@ -0,0 +1,24 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$new_name = __DIR__ . '/uploadfiles/' . $_FILES['file_upload']['name'];
+if(!move_uploaded_file($_FILES['file_upload']['tmp_name'], $new_name)){
+    die('Error uploading file - check destination is writeable.');
+}
+
+die('File uploaded successfully: ' . $new_name);
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

httpd/apache_parsing_vulnerability/www/uploadfiles/apache.php.jpeg

@@ -0,0 +1,2 @@
+<?php
+phpinfo();