Vulnerability details

Security researcher Andrew Danau of Wallarm sent %0a (a newline character) to the server during the Real World CTF (September 14 to 16), and the server returned an exception message, suggesting a possible vulnerability.

A remote code execution vulnerability exists when Nginx uses a specific FastCGI configuration; this configuration is not the Nginx default.

When the fastcgi_split_path_info directive is configured as ^(.+?\.php)(/.*)$; an attacker can achieve remote code execution with a carefully constructed payload. This configuration is widely used, so the impact is serious.

Affects version

This vulnerability exists when the Nginx + php-fpm server is configured as follows.

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
        ...
    }

Experimental environment

The docker environment comes from github.com/vulhub/vulh…

docker-compose up -d

The docker image download is complete.

The environment is ready:

Tools used:

github.com/neex/phuip-…

Clone to local

git clone github.com/neex/phuip-…

Compiling the exploitation tool

There is no Go environment yet.

Installing the Go environment

wget -c storage.googleapis.com/golang/go1.…

Extract it into /usr/local:

tar -C /usr/local -xzf go1.13.3.linux-amd64.tar.gz

Edit /etc/profile with vim and add:

export PATH=$PATH:/usr/local/go/bin

Run source /etc/profile; the installation is complete.

Go to the tool directory.

Run the exploit to write the file a under /tmp/.

After the attack succeeds, a is written to the /tmp directory.

The same works under Windows.

Remediation suggestions:

1. Change the fastcgi_split_path_info regular expression in the nginx configuration file so that non-printable characters (such as the newline) cannot be passed on in the path.

2. Stop the nginx+php-fpm service.

Depending on the service requirements of the production environment, delete the following configuration lines:

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    fastcgi_param PATH_INFO $fastcgi_path_info;
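To make the remediation concrete, here is an added Python example (not part of the original post and not code from phuip-fpizdam or vulhub). It reproduces how the fastcgi_split_path_info regex behaves on a URI that carries a decoded newline, and audits an nginx configuration text for the vulnerable combination of directives. The try_files ... =404 guard it looks for is an assumed hardening, not a fix the post itself recommends; the sample configuration is constructed.

```python
import re
# The fastcgi_split_path_info value from the vulnerable configuration.
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")

def split_path_info(uri: str):
    """Mimic fastcgi_split_path_info on an already-decoded URI.
    As in nginx's PCRE, '.' never matches a newline, so a decoded %0a in the
    URI makes the regex fail; nginx then keeps the whole URI as the script
    name and $fastcgi_path_info (hence PATH_INFO) is empty."""
    m = SPLIT_RE.match(uri)
    if not m:
        return uri, ""
    return m.group(1), m.group(2)

# Matches one flat (non-nested) location block and captures its body.
LOCATION_RE = re.compile(r"location\s+[^{]*\{(.*?)\}", re.S)
PATH_INFO_RE = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info")
# Assumed hardening to look for: reject requests whose script does not exist.
TRY_FILES_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404")

def find_vulnerable_locations(config: str):
    """Return selectors of location blocks that split PATH_INFO by regex,
    hand it to php-fpm, and never check that the script file exists."""
    findings = []
    for m in LOCATION_RE.finditer(config):
        body = m.group(1)
        if ("fastcgi_split_path_info" in body and PATH_INFO_RE.search(body)
                and "fastcgi_pass" in body and not TRY_FILES_RE.search(body)):
            findings.append(m.group(0).split("{", 1)[0].strip())
    return findings

# Constructed sample: the page's vulnerable block, then a hardened variant.
SAMPLE_CONFIG = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
location ~ \.php$ {
    try_files $fastcgi_script_name =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

if __name__ == "__main__":
    print(split_path_info("/index.php/a\nb"))         # ('/index.php/a\nb', '')
    print(find_vulnerable_locations(SAMPLE_CONFIG))   # ['location ~ [^/]\\.php(/|$)']
```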

Conclusion:

1. The docker environment is relatively easy to set up (I tried to build the vulnerable environment natively on Linux, but it took a lot of time; docker is recommended).

2. phuip-fpizdam is compiled in the last (innermost) directory.

3. I reproduce vulnerabilities in my spare time at work (security matters and needs persistence); if there are mistakes, I hope the experts will correct me.

This is a write-up of a reproduction done earlier (it was submitted to the lab at my previous employer); I recently found time to tidy it up and publish it.

Disclaimer: the security tools and procedures (methods) provided on this site may be offensive and are only for security research and teaching; use at your own risk!


WeChat official account: Thelostworld
