nginx directory traversal vulnerability reproducibility

First, Vulnerability Description

Directory traversal in nginx and Apache is a configuration issue: an incorrect configuration makes the server list directory contents and can disclose source code.

Second, Vulnerability Principle

1. Modify nginx.conf and add autoindex on at the position shown in the figure below

(figure: nginx.conf with autoindex on added)

Third, Building the Vulnerable Environment and Reproducing the Vulnerability

1. Install nginx on ubuntu 16.04

1.1 Install the nginx dependency libraries

1.1.1 Install the gcc/g++ dependencies

On the ubuntu platform, use the following commands:

apt-get install build-essential

apt-get install libtool

1.1.2 Install the pcre dependency libraries

apt-get install libpcre3 libpcre3-dev

1.1.3 Install the zlib dependency libraries

apt-get install zlib1g-dev

1.1.4 Install the ssl dependency libraries

apt-get install openssl

1.2 Install nginx

# Download the latest version:

wget http://nginx.org/download/nginx-1.11.3.tar.gz

# Decompression:

tar -zxvf nginx-1.11.3.tar.gz

# Enter the unpacked directory:

cd nginx-1.11.3

# Configuration:

./configure --prefix=/usr/local/nginx

# Compile nginx:

make

# Install nginx:

make install

# Start nginx:

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

1.3 Access nginx from a browser to test whether the build was successful

(figure: nginx default page shown in the browser)

2. Modify /usr/local/nginx/conf/nginx.conf and add autoindex on at the position shown in the figure below

(figure: autoindex on added to nginx.conf)

3. Restart the nginx service

./sbin/nginx -s reload


4. In the nginx web root () create a test folder, then create several files inside it


5. Now visit http://192.168.10.137/test/ in a browser; the directory listing shown below appears, indicating that the vulnerability is present

(figure: directory listing of /test/ in the browser)

6. Modify /usr/local/nginx/conf/nginx.conf, change the setting to autoindex off at the position shown in the figure below, then restart the nginx service; visiting http://192.168.10.137/test/ again in the browser gives the result shown below, indicating that the vulnerability no longer exists

(figure: browser response for /test/ after autoindex off)

Fourth, Vulnerability Defense

1. Modify /usr/local/nginx/conf/nginx.conf and change the setting to autoindex off at the position shown in the figure below, or delete autoindex on

(figure: autoindex off in nginx.conf)
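Because autoindex is inherited by every nested location unless a block overrides it, a single autoindex on in the server block exposes all paths beneath it. The following added audit script (not the article's code) parses an nginx.conf and reports each block where listing is in effect; SAMPLE_CONF is a constructed config, not the author's file.

```python
import re
# Constructed sample config (not the page's nginx.conf): autoindex on sits in the
# server block, as in the article's weak setup, and one location overrides it.
SAMPLE_CONF = """
http {
    server {
        autoindex on;          # weak: inherited by every location below
        location /test/ { }    # inherits 'on', so /test/ is listed
        location /static/ {
            autoindex off;     # overridden: no listing for this path
        }
    }
}
"""

def parse_blocks(conf_text):
    """Build a tree of (block_name, {directive: value}, [children]) under a 'main' root."""
    # Drop comments, then split into words and the structural characters ; { }
    tokens = re.findall(r'[^\s;{}]+|[;{}]', re.sub(r'#.*', '', conf_text))
    root, args = ('main', {}, []), []
    stack = [root]
    for tok in tokens:
        if tok == '{':                      # a block such as 'location /test/' opens
            block = (' '.join(args), {}, [])
            stack[-1][2].append(block)
            stack.append(block)
            args = []
        elif tok == ';':                    # a simple directive ends
            if args: stack[-1][1][args[0]] = ' '.join(args[1:])
            args = []
        elif tok == '}':
            stack.pop()
        else:
            args.append(tok)
    return root

def listing_enabled(conf_text):
    """Paths of blocks whose effective autoindex is on; nested blocks inherit it unless they override."""
    hits = []
    def walk(block, path, inherited):
        name, directives, children = block
        effective = directives.get('autoindex', inherited)
        path = path + [name]
        if effective == 'on':
            hits.append(' > '.join(path))
        for child in children:
            walk(child, path, effective)
    for top in parse_blocks(conf_text)[2]:  # skip the synthetic 'main' root
        walk(top, [], 'off')                # nginx's default is autoindex off
    return hits
```

Running listing_enabled on the real config file's contents after applying the fix above should return an empty list.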

------------------------------------------------------------------------------------------

Reference: Installing nginx on ubuntu 16.04 https://www.cnblogs.com/piscesLoveCc/p/5794926.html

Source: www.cnblogs.com/yuzly/p/11208842.html