(A) Nginx overview
Nginx is a lightweight web server, reverse proxy server and e-mail (IMAP/POP3) proxy server, released under a BSD-like license. It uses little memory and handles high concurrency well; in practice its performance under concurrent load is better than that of other web servers of the same type.
(B) File parsing vulnerability
1. Vulnerability introduction and cause
Appending /<any name>.php to any file name causes the file to be parsed as PHP. For example, if the original file is test.jpg, requesting test.jpg/x.php exploits the parsing flaw.
2. Reproduction
Create a new file i.gif in the site root that contains phpinfo().
Open the browser.
Request 192.168.139.129:100/i.gif.2.php to use the file parsing vulnerability; it is not parsed.
In /etc/php5/fpm/pool.d/www.conf, remove the .php from security.limit_extensions = .php.
Open it in the browser again; it is now parsed successfully.
3. Fix
1) Set cgi.fix_pathinfo in php.ini to 0. Then, when a path such as 1.php/1.jpg is parsed and that directory does not exist, the request for 1.jpg simply returns 404;
2) In /etc/php5/fpm/pool.d/www.conf, set security.limit_extensions to .php.
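The following is an added example, not code from the original write-up: a small model of how PHP-FPM maps a requested script path onto the filesystem with cgi.fix_pathinfo set to 1 versus 0, and a check of the two php-fpm settings the fix above names. The document root, the in-memory file list and the ini fragments are constructed for this example; the resolution logic is a simplified model of PHP's behaviour, not PHP's own code.

```python
# Added example (not from the original write-up): a model of how PHP-FPM maps a
# requested script path onto the filesystem with cgi.fix_pathinfo set to 1 versus
# 0, and a check of the two php-fpm settings named in the fix. The document root,
# the in-memory file list and the ini fragments are constructed for this example.
import posixpath
import re
from typing import List, Optional, Tuple

DOC_ROOT = "/var/www/html"                                        # constructed
EXISTING_FILES = {DOC_ROOT + "/i.gif", DOC_ROOT + "/index.php"}   # constructed


def resolve_script(script_filename: str, fix_pathinfo: bool,
                   limit_extensions: Tuple[str, ...]) -> Optional[Tuple[str, str]]:
    """Return (script, path_info) that php-fpm would execute, or None when the
    request is refused (file not found or extension not allowed).

    Simplified model of PHP's behaviour: with cgi.fix_pathinfo=1, trailing path
    components are stripped until an existing file is found and the remainder
    becomes PATH_INFO, so /i.gif/x.php executes i.gif. With fix_pathinfo=0 the
    full path must exist. security.limit_extensions is then applied to the file
    that would actually run; an empty tuple means that check is disabled.
    """
    script, path_info = script_filename, ""
    if fix_pathinfo:
        while script != DOC_ROOT and script not in EXISTING_FILES:
            script, tail = posixpath.split(script)
            path_info = "/" + tail + path_info
    if script not in EXISTING_FILES:
        return None                      # file not found: 404
    if limit_extensions and posixpath.splitext(script)[1] not in limit_extensions:
        return None                      # extension not allowed: "Access denied"
    return script, path_info


def check_php_settings(php_ini: str, www_conf: str) -> List[str]:
    """Report, from raw ini text, whether the two settings the fix requires are set."""
    problems = []
    m = re.search(r"^\s*cgi\.fix_pathinfo\s*=\s*(\d)", php_ini, re.M)
    if not m or m.group(1) != "0":
        problems.append("php.ini: cgi.fix_pathinfo is not 0")
    m = re.search(r"^\s*security\.limit_extensions\s*=(.*)$", www_conf, re.M)
    if not m or ".php" not in m.group(1).split():
        # a missing or empty value does not restrict php-fpm to .php files
        problems.append("www.conf: security.limit_extensions does not restrict to .php")
    return problems


# Constructed ini fragments: the lab state before and after the fix.
WEAK_PHP_INI = "cgi.fix_pathinfo=1\n"
WEAK_WWW_CONF = "security.limit_extensions =\n"
FIXED_PHP_INI = "cgi.fix_pathinfo=0\n"
FIXED_WWW_CONF = "security.limit_extensions = .php\n"

if __name__ == "__main__":
    req = DOC_ROOT + "/i.gif/x.php"
    print("fix_pathinfo=1, no limit :", resolve_script(req, True, ()))
    print("fix_pathinfo=1, .php only:", resolve_script(req, True, (".php",)))
    print("fix_pathinfo=0           :", resolve_script(req, False, ()))
    print(check_php_settings(WEAK_PHP_INI, WEAK_WWW_CONF))
    print(check_php_settings(FIXED_PHP_INI, FIXED_WWW_CONF))
```

Either fix alone stops the i.gif/x.php case in this model: with fix_pathinfo=0 the non-existent path is a 404, and with security.limit_extensions restricted to .php the .gif file that fix_pathinfo walks back to is refused.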
(C) Directory traversal (directory listing)
1. Vulnerability introduction and cause
As with Apache, directory traversal in Nginx is a configuration issue: a wrong configuration can lead to directory listing and source code disclosure.
2. Reproduction
Open the test directory; it cannot be opened.
Edit /etc/nginx/sites-available/default and add autoindex on at the position shown in the figure below.
Visit it again.
3. Fix
In /etc/nginx/sites-available/default, change autoindex on to autoindex off.
(D) CRLF injection
1. Vulnerability introduction and cause
CRLF is short for "carriage return + line feed" (\r\n).
The HTTP headers and the HTTP body are separated by two CRLFs; the browser uses those two CRLFs to extract the HTTP content and display it.
By controlling characters in the HTTP header and injecting line breaks, an attacker can inject session cookies or HTML code; because Nginx is misconfigured, the injected code is executed.
2. Reproduction
Visit the page and capture the request.
Append /%0d%0a%0d%0a<img src=1 onerror=alert(/xss/)> to the request.
Because the page redirects, no pop-up appears.
3. Fix
Change the Nginx configuration file /etc/nginx/conf.d/error1.conf so that the redirect uses the non-decoded URL.
(E) Directory traversal (path traversal)
1. Vulnerability introduction and cause
Nginx acts as a reverse proxy; the static files are stored under /home/ and are accessed with files in the URL. In the configuration file, /files is not terminated with a /, so it is possible to traverse to the parent directory.
2. Reproduction
Visit: http://192.168.139.128:8081/files/
Visit: http://192.168.139.128:8081/files../
Directory traversal succeeds:
3. Fix
In the Nginx configuration file /etc/nginx/conf.d/error2.conf, terminate /files with a /.
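The following is an added example that serves sections (C), (D) and (E) together; it is not code from the original write-up. It lints nginx configuration text for the three mistakes described (autoindex on, a redirect built from the decoded $uri variable, and an alias on a location prefix with no trailing slash) and models why the last two are dangerous. The two configuration fragments are constructed: the page does not show the lab's error1.conf or error2.conf, so the directive forms used here (a return 302 built from $uri, an alias of /home/ on /files) are assumptions about what those files contain. The fact that nginx URL-decodes $uri while $request_uri carries the raw request line is standard nginx behaviour.

```python
# Added example (not from the original write-up): a lint over nginx
# configuration text for the three mistakes described in (C), (D) and (E),
# plus two small models of why the alias and redirect forms are dangerous.
# The two config fragments are constructed; the page does not show the lab's
# error1.conf / error2.conf, so the directive forms below are assumptions.
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEAK_CONF = """
server {
    listen 8081;
    location /test {
        root /var/www/html;
        autoindex on;
    }
    location /files {
        alias /home/;
    }
    location /redirect {
        return 302 http://$host$uri;
    }
}
"""

FIXED_CONF = """
server {
    listen 8081;
    location /test {
        root /var/www/html;
        autoindex off;
    }
    location /files/ {
        alias /home/;
    }
    location /redirect {
        return 302 http://$host$request_uri;
    }
}
"""

# Matches "location [modifier] <path> { ... }" for flat, non-nested blocks.
_LOCATION_RE = re.compile(r"location\s+(?:[=~^*]+\s+)?(\S+)\s*\{(.*?)\}", re.S)


def lint_nginx(conf: str) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs for the three misconfigurations."""
    findings = []
    for m in _LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        if re.search(r"\bautoindex\s+on\s*;", body):
            findings.append((path, "autoindex on: directory listing enabled"))
        alias = re.search(r"\balias\s+(\S+?)\s*;", body)
        if alias and alias.group(1).endswith("/") and not path.endswith("/"):
            findings.append((path, "alias on a prefix without trailing slash: traversal"))
        # $uri is URL-decoded by nginx, so %0d%0a becomes a real CRLF in the
        # response header; $request_uri keeps the raw request line.
        if re.search(r"\b(return|rewrite)\b[^;]*\$uri\b", body):
            findings.append((path, "redirect built from decoded $uri: CRLF injection"))
    return findings


def alias_map(location: str, alias: str, request_path: str) -> Optional[str]:
    """Model of a prefix location with alias: the matched prefix is replaced by
    the alias target and the result normalised (simplified; single location)."""
    if not request_path.startswith(location):
        return None                      # prefix does not match this location
    return posixpath.normpath(alias + request_path[len(location):])


def location_header(raw_uri: str, use_decoded_uri: bool) -> str:
    """Location header value for the constructed host, built from $uri
    (decoded) or $request_uri (raw)."""
    uri = unquote(raw_uri) if use_decoded_uri else raw_uri
    return "http://example.test" + uri


def header_value_has_crlf(value: str) -> bool:
    """True when a header value would split the response header block."""
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_nginx(conf))
    print(alias_map("/files", "/home/", "/files../"), alias_map("/files/", "/home/", "/files../"))
    print(header_value_has_crlf(location_header("/%0d%0aX-Injected:1", True)))
```

In the model, /files../ on the unterminated prefix resolves to /home/../ and normalises to /, which is the traversal from section (E); with the prefix written as /files/ the same request no longer matches that location at all. For section (D), the same %0d%0a sequence yields a header value containing a real CRLF only when the redirect is built from the decoded $uri.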