first commit

httpd/ssi-rce/Dockerfile

@@ -0,0 +1,8 @@
+FROM php:7.1-apache
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && a2enmod include cgid \
+    && sed -i 's/Options -Indexes/Options -Indexes +Includes/' /etc/apache2/conf-enabled/docker-php.conf
+ 

httpd/ssi-rce/README.md

@@ -0,0 +1,36 @@
+# Apache HTTP Server SSI Remote Command Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache HTTP Server with Server Side Includes (SSI) enabled allows server-side execution of commands through special SSI directives in HTML files. When misconfigured, this feature can be exploited through file upload vulnerabilities.
+
+When testing arbitrary file upload vulnerabilities, the target server might block files with PHP extensions. However, if the server has SSI and CGI support enabled, attackers can upload an SHTML file and execute arbitrary commands using the `<!--#exec cmd="command" -->` syntax.
+
+References:
+
+- [Apache SSI Documentation](https://httpd.apache.org/docs/2.4/howto/ssi.html)
+- [W3 SSI Directives](https://www.w3.org/Jigsaw/Doc/User/SSI.html)
+
+## Environment Setup
+
+Execute the following command to start an Apache HTTP Server with SSI and CGI support:
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080/upload.php` to access the upload form.
+
+## Vulnerability Reproduction
+
+While uploading PHP files is not allowed, we can upload a file named `shell.shtml` with the following content:
+
+```shtml
+<!--#exec cmd="ls" -->
+```
+
+![Upload Interface](1.png)
+
+After successful upload, visiting the shell.shtml file will execute the command, demonstrating the vulnerability:
+
+![Command Execution Result](2.png)

httpd/ssi-rce/README.zh-cn.md

@@ -0,0 +1,34 @@
+# Apache HTTP Server SSI 远程命令执行漏洞
+
+Apache HTTP Server 开启了服务器端包含（SSI）功能时，允许通过特殊的SSI指令在HTML文件中执行服务器端命令。当配置不当时，这个功能可能被通过文件上传漏洞利用。
+
+在测试任意文件上传漏洞时，目标服务器可能会禁止上传PHP后缀的文件。但是，如果服务器开启了SSI和CGI支持，攻击者可以上传一个SHTML文件，并使用 `<!--#exec cmd="命令" -->` 语法执行任意命令。
+
+参考链接：
+
+- [Apache SSI 文档](https://httpd.apache.org/docs/2.4/howto/ssi.html)
+- [W3 SSI 指令](https://www.w3.org/Jigsaw/Doc/User/SSI.html)
+
+## 环境搭建
+
+执行以下命令启动一个支持SSI和CGI的Apache服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080/upload.php` 即可看到上传表单界面。
+
+## 漏洞复现
+
+虽然上传PHP文件是被禁止的，但我们可以上传一个名为 `shell.shtml` 的文件，内容如下：
+
+```shtml
+<!--#exec cmd="ls" -->
+```
+
+![上传界面](1.png)
+
+成功上传后，访问shell.shtml文件，可以看到命令已被执行，证实了漏洞的存在：
+
+![命令执行结果](2.png)

httpd/ssi-rce/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"
+   volumes:
+    - ./upload.php:/var/www/html/upload.php

httpd/ssi-rce/upload.php

@@ -0,0 +1,16 @@
+<?php
+if (!empty($_FILES)):
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (in_array($ext, ['php'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+move_uploaded_file($_FILES['file_upload']['tmp_name'], './' . $_FILES['file_upload']['name']);
+echo "<a href='/{$_FILES['file_upload']['name']}'>{$_FILES['file_upload']['name']}</a>";
+
+endif;
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>