nginx directory traversal vulnerability reproducibility


First, Vulnerability Description

When an nginx location block is configured with the alias directive and the location prefix is not terminated with a "/", requests can escape the aliased directory, i.e. a directory traversal vulnerability. This is a configuration error rather than a bug in a particular nginx release; every version maps the path the same way.

Second, Principle of the Vulnerability

1. Edit nginx.conf and add a location block whose prefix is /files (no trailing slash) and whose alias is /home/, at the position shown in the screenshot below.

With that configuration, a request for /files../ is handled as follows: nginx replaces the part of the URI matched by the location prefix with the alias value, so /files becomes /home/ and the remainder ../ is appended, giving the filesystem path /home/../. The result is a path outside the aliased directory, so /files../etc/passwd, for example, resolves to /etc/passwd. The reason the ".." survives is that nginx only strips dot segments that stand alone between slashes (a request for /files/../ is normalised to / before location matching and never reaches the alias); in /files../ the dots belong to the single segment "files..", so the request passes location matching untouched.


Third, Building the Environment and Reproducing the Vulnerability

1. Install nginx on Ubuntu 16.04

1.1 Install the nginx build dependencies

1.1.1 Install gcc, g++ and the build tools

On Ubuntu use the following commands (as root or with sudo):

apt-get install build-essential

apt-get install libtool

1.1.2 Install the PCRE library

apt-get install libpcre3 libpcre3-dev

1.1.3 Install the zlib library

apt-get install zlib1g-dev

1.1.4 Install the SSL package (the openssl package provides only the command-line tool; building nginx with --with-http_ssl_module would additionally require libssl-dev, but the configure line used below does not enable SSL, so this step is optional for the reproduction)

apt-get install openssl

1.2 Install nginx

# Download the source (nginx 1.11.3 is used in this walkthrough; any version reproduces the issue):

wget http://nginx.org/download/nginx-1.11.3.tar.gz

# Extract the archive:

tar -zxvf nginx-1.11.3.tar.gz

# Enter the extracted directory:

cd nginx-1.11.3

# Configuration:

./configure --prefix=/usr/local/nginx

# Build nginx:

make

# Install nginx:

make install

# Start nginx:

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

1.3 Open the server address in a browser to confirm nginx was built and started successfully (the default welcome page should appear).

2. Edit /usr/local/nginx/conf/nginx.conf and add, inside the server block, a location /files block (no trailing slash on the prefix) with alias /home/; as shown in the screenshot below:

3. Reload the nginx configuration (run from /usr/local/nginx):

./sbin/nginx -s reload

4. Visit http://192.168.10.137/files/ in the browser; this is the normal, intended path under the alias.

5. Visit http://192.168.10.137/files../ in the browser. The response shown in the screenshot below is the content of /home/../, i.e. the parent of the aliased directory, which confirms that the directory traversal vulnerability exists.

6. Edit /usr/local/nginx/conf/nginx.conf and close the files prefix with a "/", so the location becomes /files/ instead of /files.

7. Reload nginx and visit http://192.168.10.137/files../ again. A 404 is returned, showing that the vulnerability is gone: /files../ no longer starts with the prefix /files/, so it never reaches the alias block and falls through to the default location, where no such file exists.

Fourth, Mitigation

1. In /usr/local/nginx/conf/nginx.conf, close the /files prefix with a trailing "/", forming /files/, so that the location prefix and the alias value both end in "/". Apply the same check to every location that uses alias, not only the one found during testing; where the directory layout allows it, root instead of alias avoids the substitution altogether.
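To make the path substitution from the principle section concrete, and to give a check that can be run over a configuration before deployment, here is an added Python example (not code from the original post or from nginx). It mirrors nginx's alias substitution for a prefix location, normalises the result the way the filesystem will, and scans a constructed config fragment for location blocks that use alias without a trailing slash on the prefix. The sample config, the request URIs and all function names are assumptions made for this example; the normalisation of the request URI is an approximation of nginx's dot-segment handling and ignores merge_slashes and percent-decoding.

```python
import posixpath
import re

# Constructed sample config for the example: the vulnerable block from the
# walkthrough (prefix without a trailing slash) beside a correctly closed one.
SAMPLE_CONFIG = """
server {
    listen 80;
    location /files {
        alias /home/;
    }
    location /docs/ {
        alias /var/www/docs/;
    }
    location / {
        root html;
    }
}
"""

# Prefix locations only (no modifier or ^~); regex/exact-match locations are
# out of scope for this check. Bodies are assumed not to contain nested blocks.
LOCATION_RE = re.compile(r"location\s+(?:\^~\s+)?(/[^\s{]*)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")


def nginx_uri(uri):
    """Approximate nginx's request-URI normalisation: dot segments that stand
    alone between slashes (/a/../b) are removed before location matching, while
    dots inside a segment (/files../) are left alone."""
    normalised = posixpath.normpath(uri)
    if uri.endswith("/") and normalised != "/":
        normalised += "/"
    return normalised


def alias_target(prefix, alias, uri):
    """What alias does for a matching prefix location: the matched prefix is
    replaced by the alias value and the rest of the URI is appended verbatim.
    Returns None when the location does not match the URI."""
    if not uri.startswith(prefix):
        return None
    return alias + uri[len(prefix):]


def resolved_path(prefix, alias, uri):
    """Filesystem path the request ends up at, after the normalisation the
    kernel applies to '..' when the file is opened."""
    target = alias_target(prefix, alias, nginx_uri(uri))
    return None if target is None else posixpath.normpath(target)


def escapes_alias(prefix, alias, uri):
    """True when the request resolves outside the aliased directory."""
    resolved = resolved_path(prefix, alias, uri)
    if resolved is None:
        return False
    base = posixpath.normpath(alias)
    return not (resolved == base or resolved.startswith(base + "/"))


def find_alias_traversal(config_text):
    """Return (prefix, alias) for every prefix location that uses alias while
    the prefix lacks a trailing slash, i.e. the misconfiguration on this page."""
    findings = []
    for match in LOCATION_RE.finditer(config_text):
        prefix, body = match.group(1), match.group(2)
        alias = ALIAS_RE.search(body)
        if alias and not prefix.endswith("/"):
            findings.append((prefix, alias.group(1)))
    return findings


if __name__ == "__main__":
    for prefix, alias in find_alias_traversal(SAMPLE_CONFIG):
        print("vulnerable: location %s { alias %s; }" % (prefix, alias))
        for uri in ("/files/", "/files../", "/files../etc/passwd", "/files/../etc/passwd"):
            print("  %-22s -> %s" % (uri, resolved_path(prefix, alias, uri)))
```

Running it reports the /files block and shows that /files../etc/passwd resolves to /etc/passwd while /files/../etc/passwd never matches the location at all, which is why the single-segment form is the one that works. Replace SAMPLE_CONFIG with the text of a real nginx.conf to audit it; include files are not followed.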

-------------------------------------------------------------------------------------------------

Reference: Installing nginx on Ubuntu 16.04, https://www.cnblogs.com/piscesLoveCc/p/5794926.html


Source: www.cnblogs.com/yuzly/p/11212078.html