Nginx overview

Nginx (Engine X) is a high-performance HTTP and reverse proxy web server that also provides IMAP/POP3/SMTP proxy services. Its source code is distributed under a BSD-like license, and it is known for its stability, rich feature set, simple configuration files, and low system resource consumption. Nginx 1.0.4 was released on June 1, 2011.

Nginx is a lightweight web/reverse proxy server and e-mail (IMAP/POP3) proxy server distributed under a BSD-like license.

In practice, Nginx handles concurrency better than comparable web servers. In mainland China, Nginx users include Baidu, JD.com, Sina, NetEase, Tencent, Taobao, and others.

Nginx environment installation

Here I use the phpStudy (xiaopi) integrated environment instead of a step-by-step installation.

Nginx penetration


File parsing vulnerability

Vulnerability description

This vulnerability is independent of the Nginx and PHP versions; it is a parsing vulnerability caused by an improper user configuration. The nginx.conf directs Nginx to hand any request whose path ends in '.php' to FastCGI, so for any file name, appending /xxx.php (where xxx is any string) causes that file to be parsed as PHP.

Common vulnerable configuration:

Vulnerability reproduction

Create a new file 1.jpg and write a phpinfo() call into it.

1.jpg followed by /xxx.php is parsed as PHP:

When /1.jpg/xxx.php is requested, Nginx sees that the URL ends in .php and passes the path to PHP FastCGI for processing. In the php.ini configuration file, cgi.fix_pathinfo=1 then comes into play: this option is enabled by default (value 1), and when the requested path does not exist PHP "fixes" the path by falling back to the nearest existing parent path.

The file that FastCGI actually executes therefore becomes '/1.jpg'. Newer PHP versions introduce "security.limit_extensions" in php-fpm.conf, which by default limits the executable files to .php files only.

Repair methods

1. Set cgi.fix_pathinfo in php.ini to 0.

2. Set security.limit_extensions in php-fpm.conf to .php.
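The two settings above are easy to check mechanically. The following audit script is an added example, not code from the original article or from PHP/Nginx: it parses php.ini and php-fpm.conf text and reports when cgi.fix_pathinfo is not 0 or security.limit_extensions is missing or allows anything besides .php. The configuration texts embedded at the bottom are constructed samples; the function names are assumptions of this example.

```python
# Added example: audit php.ini / php-fpm.conf for the two hardening settings
# described in the repair steps. Not part of the original article.

def parse_ini_settings(text):
    """Return {key: value} for 'key = value' lines; ';' comments and [sections] are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()  # ';' starts an INI comment
        if not line or line.startswith('['):
            continue
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_php_fastcgi_config(php_ini_text, fpm_conf_text):
    """Return a list of findings; an empty list means both hardening settings are in place."""
    findings = []

    ini = parse_ini_settings(php_ini_text)
    # PHP treats a commented-out or missing cgi.fix_pathinfo as 1 (enabled)
    fix_pathinfo = ini.get('cgi.fix_pathinfo', '1')
    if fix_pathinfo != '0':
        findings.append('php.ini: cgi.fix_pathinfo is %s (should be 0)' % fix_pathinfo)

    fpm = parse_ini_settings(fpm_conf_text)
    raw = fpm.get('security.limit_extensions')
    if raw is None:
        findings.append('php-fpm.conf: security.limit_extensions not set; set it to .php explicitly')
    else:
        exts = raw.split()  # an empty value disables the extension check entirely
        if exts != ['.php']:
            findings.append('php-fpm.conf: security.limit_extensions allows %r (should be .php only)' % exts)
    return findings


# Constructed sample configurations (not taken from any real server)
WEAK_PHP_INI = "[PHP]\ncgi.fix_pathinfo=1\n"
HARDENED_PHP_INI = "[PHP]\n; disable path fixing\ncgi.fix_pathinfo = 0\n"
WEAK_FPM_CONF = "[www]\nsecurity.limit_extensions =\n"
HARDENED_FPM_CONF = "[www]\nsecurity.limit_extensions = .php\n"

if __name__ == '__main__':
    for f in audit_php_fastcgi_config(WEAK_PHP_INI, WEAK_FPM_CONF):
        print('FINDING:', f)
    print('hardened:', audit_php_fastcgi_config(HARDENED_PHP_INI, HARDENED_FPM_CONF))
```

Run it against the real files with `audit_php_fastcgi_config(open('/etc/php.ini').read(), open('/etc/php-fpm.d/www.conf').read())` (paths vary by distribution). The checker reads text only; it does not consult the compiled-in PHP defaults, which is why an unset security.limit_extensions is reported rather than assumed safe.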

Directory traversal

Vulnerability principle

Nginx directory traversal (directory listing), like Apache's, is a configuration problem: an incorrect configuration exposes directory listings and leaks source code.

Vulnerability reproduction

Create a new web directory under the WWW directory to test with.

Repair methods

Change the directory-listing directive from on to off.

Null byte arbitrary code execution vulnerability

Vulnerability principle

Nginx handles %00 null bytes inconsistently with the back-end FastCGI, so PHP code embedded in an image can be executed by requesting xxx.jpg%00.php.

Affected versions

nginx 0.6.*
nginx 0.7 <= 0.7.65
nginx 0.8 <= 0.8.37

Vulnerability reproduction

Environment: PHP 5.3.2 + Nginx 0.7.65

Run startup.bat in the nginx directory.

Create 1.jpg and write the test code into it.

Visit 1.jpg..php and capture the request.

In the HEX tab, change the dot after jpg to 00.

Successfully bypassed.

Note

This vulnerability is not affected by cgi.fix_pathinfo; the file is still parsed when that option is set to 0.

Repair methods

Upgrade the Nginx version.

CRLF injection vulnerability

Vulnerability principle

CRLF is short for carriage return + line feed (\r\n); their hexadecimal codes are 0x0D and 0x0A respectively. In the HTTP protocol, the HTTP headers and the HTTP body are separated by two CRLFs, and the browser relies on this to locate and display the HTTP content.

So once we can control characters in an HTTP header and inject line breaks, we can inject session cookies or HTML code. CRLF vulnerabilities are commonly found in the Location and Set-Cookie headers.

In nginx.conf, add the following configuration inside a location block to force users who access the Nginx server to be redirected to the HTTPS version of the same link.

location / {
    return 302 https://$host$uri;
}

1. We control $uri in this configuration, so we can place CRLF characters in $uri and then request the server to achieve header injection.
2. The server returns a 302 redirect to the user, so the header we injected is returned to the client.

Vulnerability reproduction

After modifying the nginx.conf configuration, restart Nginx.

(The URL encodings of carriage return and line feed are %0d and %0a respectively.)

Capture the packet: you can see 6666 returned via Set-Cookie.

CRLF combined with XSS:

%0D%0A%0D%0A%3Cimg%20src=1%20onerror=alert(/xss/)%3E

However, the browser does not show a pop-up, because the browser's XSS filter blocks the XSS pattern; the pop-up only appears in older browser versions.

Repair methods

Remove the improper configuration.
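Both the directory-listing fix above and this CRLF fix come down to spotting a bad directive in nginx.conf. The following linter is an added example, not code from the original article or from the Nginx project: it strips comments, splits the configuration into directives, and reports `autoindex on` (assumed here to be the directory-listing directive the earlier section means) and any `return` whose target uses the decoded `$uri`/`$document_uri` variable. The sample configurations are constructed; the function names are this example's own.

```python
# Added example: lint nginx.conf text for directory listing and CRLF-injectable
# redirects. Not part of the original article or of Nginx itself.
import re


def nginx_directives(conf_text):
    """Yield (name, args) for each simple directive; '#' comments and block braces are dropped."""
    stripped = '\n'.join(line.split('#', 1)[0] for line in conf_text.splitlines())
    for stmt in re.split(r'[;{}]', stripped):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def lint_nginx_config(conf_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for name, args in nginx_directives(conf_text):
        if name == 'autoindex' and args[:1] == ['on']:
            findings.append('autoindex on: directory listing exposes file names and source')
        if name == 'return':
            target = ' '.join(args)
            # $uri / $document_uri are URL-decoded, so encoded CR/LF in the request
            # become real line breaks inside the Location header
            if re.search(r'\$(uri|document_uri)\b', target):
                findings.append('return uses decoded $uri (CRLF injectable): return %s' % target)
    return findings


# Constructed sample configurations (not from any real deployment)
WEAK_CONF = """
server {
    listen 80;
    location /files/ {
        autoindex on;   # lists directory contents
    }
    location / {
        return 302 https://$host$uri;
    }
}
"""

HARDENED_CONF = """
server {
    listen 80;
    location /files/ {
        autoindex off;
    }
    location / {
        return 302 https://$host$request_uri;
    }
}
"""

if __name__ == '__main__':
    for f in lint_nginx_config(WEAK_CONF):
        print('FINDING:', f)
    print('hardened:', lint_nginx_config(HARDENED_CONF))
```

The hardened sample redirects with `$request_uri`, which is the raw request line rather than a decoded path, so an encoded %0d%0a stays encoded in the Location header; that substitution is this example's suggestion, not a step from the article. The linter only looks at simple directives, so it will not catch the same variable hidden in an `if` or `rewrite` block.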

File name logic vulnerability (CVE-2013-4547)

Vulnerability principle

When the URI /test[0x20]/../admin/index.php is requested, it does not match the /admin/ location, so the IP-based access check is bypassed; but the file finally requested, /test[0x20]/../admin/index.php, is /admin/index.php, so the admin area is accessed successfully. (A prerequisite is that a directory named test exists. This is a property of Linux: if a directory does not exist, traversing up from it still yields a file-not-found error; Windows does not have this restriction.)

Affected versions

Nginx 0.8.41 ~ 1.4.3
Nginx 1.5.0 ~ 1.5.7

Vulnerability reproduction

Windows does not allow file names ending with a space, so vulhub is used again for testing.

Start vulnerability environment:

Upload 1.jpg and capture the request.

Add a space after 1.jpg.

Access the returned link, append .php, and capture the request:

http://192.168.190.134:8080/uploadfiles/1.jpg..php

In the hex tab, change the two dots after jpg (2e 2e) to 20 00.

Successfully bypassed.

The root cause of this vulnerability is that the requested URL is resolved incorrectly and the wrong file name is derived from the user's request, which indirectly leads to permission bypass and code execution.

If Nginx matches a .php request, it sends it to FastCGI for parsing.

Normally (with PathInfo turned off), only files with the .php suffix are sent to FastCGI.

In CVE-2013-4547, we request 1.jpg\x20\x00.php; the URI matches the regex \.php$ and enters the location block. Once inside, Nginx mistakenly takes the requested file to be 1.jpg\x20, sets it as SCRIPT_FILENAME and sends it to FastCGI. FastCGI executes the file named by SCRIPT_FILENAME, producing a parsing vulnerability. So all we need to do is upload a file whose name ends with a space and PHP will parse it.
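The request shapes described in this section and in the earlier parsing, null-byte and CRLF sections all leave a recognizable trace in the Nginx access log. The scanner below is an added example, not code from the original article: it parses combined-format log lines, URL-decodes the request path, and tags lines that carry a space (with or without a NUL) before .php, a NUL byte, CR/LF characters, or a /image.ext/x.php path-info pattern. The log lines are constructed; the rule names and function names are this example's own.

```python
# Added example: flag nginx access-log lines matching the request patterns the
# article describes. Detection logic only; not part of the original article.
import re
from urllib.parse import unquote

# nginx combined log format: ip ident user [time] "method uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>.*?) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) '
)

# Rules run on the URL-decoded path, so %0d, %00 and %20 are seen as the real characters
RULES = [
    ('crlf-in-uri', re.compile(r'[\r\n]')),                         # header injection attempts
    ('null-byte-in-uri', re.compile(r'\x00')),                      # %00 truncation (old nginx)
    ('space-before-php', re.compile(r' \x00?\.php(\?|$)', re.I)),   # CVE-2013-4547 file name shape
    ('pathinfo-php', re.compile(r'\.(jpe?g|png|gif|txt)/[^/]*\.php(\?|$)', re.I)),  # fix_pathinfo abuse
]


def classify_uri(raw_uri):
    """Return the names of all rules the decoded URI triggers, in RULES order."""
    decoded = unquote(raw_uri)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_access_log(lines):
    """Return [(ip, raw_uri, [rule names])] for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        tags = classify_uri(m.group('uri'))
        if tags:
            hits.append((m.group('ip'), m.group('uri'), tags))
    return hits


# Constructed sample log lines (addresses and paths are made up)
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jun/2021:10:00:00 +0800] "GET /1.jpg/xxx.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2021:10:00:01 +0800] "GET /uploadfiles/1.jpg%20%00.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jun/2021:10:00:02 +0800] "GET /%0d%0aSet-Cookie:test=6666 HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [01/Jun/2021:10:00:03 +0800] "GET /index.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jun/2021:10:00:04 +0800] "GET /images/logo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, uri, tags in scan_access_log(SAMPLE_LOG_LINES):
        print(ip, uri, tags)
```

Feed it a real file with `scan_access_log(open('/var/log/nginx/access.log'))`. Decoding once is enough for the patterns on this page; a double-encoded request (%2500) would need a second `unquote` pass if you want to see it as well.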

Repair methods

Upgrade the version.

Integer overflow (CVE-2017-7529)

Vulnerability principle

There is an integer overflow vulnerability in Nginx's range filter. It can be triggered by malicious requests carrying a specially constructed Range HTTP header and leads to information leakage.

Affected versions

Nginx 0.5.6 - 1.13.2

Vulnerability reproduction

Start the vulnerable environment:

Create an image file in the target's web root directory to serve as the cached file.

Check the cache file under /tmp/nginx on the target machine: it contains the cache key as well as server information that is normally never returned to the client. Because of this vulnerability, that information is returned, resulting in an information leak.

Hmm, this did not succeed: the cache file information was not returned. TBD ~

Repair methods

Upgrading to version 1.13.3 or 1.12.1 is recommended. If you cannot upgrade, disable multipart range requests by adding max_ranges 1 to the Nginx configuration file.
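To make the max_ranges 1 mitigation concrete, the following range parser is an added example, not Nginx's code and not a reproduction of the CVE-2017-7529 bug: it models how a server treats a Range header when at most one range is allowed, rejects offsets that do not fit in a signed 64-bit off_t before doing any arithmetic, and clamps suffix ranges so a start offset can never go negative. The status strings, function names and sample inputs are this example's own assumptions.

```python
# Added example: a byte-range parser hardened the way 'max_ranges 1' hardens nginx.
# Model code for illustration; not Nginx's implementation.
OFF_T_MAX = 2 ** 63 - 1  # nginx stores byte offsets in a signed 64-bit off_t


def parse_range(header_value, content_length, max_ranges=1):
    """Parse a 'bytes=a-b,c-d' Range header against a body of content_length bytes.

    Returns (status, ranges):
      ('206', [(start, end), ...]) for a satisfiable request (end is inclusive),
      ('200', [])                  when the header is ignored because it exceeds max_ranges,
      ('416', [])                  when the request is unsatisfiable.
    Raises ValueError for malformed specs or offsets outside the off_t range.
    """
    if not header_value.startswith('bytes='):
        raise ValueError('unsupported range unit')
    specs = [s.strip() for s in header_value[len('bytes='):].split(',')]
    # max_ranges: more ranges than allowed -> behave as if no Range header was sent
    if len(specs) > max_ranges:
        return ('200', [])
    ranges = []
    for spec in specs:
        start_s, sep, end_s = spec.partition('-')
        if not sep or (start_s == '' and end_s == ''):
            raise ValueError('malformed range spec: %r' % spec)
        for s in (start_s, end_s):
            # digits only, and the value must fit in off_t: this is the bounds check that
            # keeps later start/end arithmetic from overflowing
            if s and (not s.isdigit() or int(s) > OFF_T_MAX):
                raise ValueError('offset out of bounds: %r' % s)
        if start_s == '':
            # suffix range "-N": the last N bytes, clamped so start never drops below 0
            n = int(end_s)
            if n == 0:
                return ('416', [])
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(start_s)
            end = content_length - 1 if end_s == '' else min(int(end_s), content_length - 1)
        if start >= content_length or start > end:
            return ('416', [])
        ranges.append((start, end))
    return ('206', ranges)


def is_rejected(header_value, content_length):
    """True when parse_range refuses the header outright (malformed or out-of-bounds)."""
    try:
        parse_range(header_value, content_length)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    for hdr in ('bytes=0-99', 'bytes=-100', 'bytes=0-99,200-299', 'bytes=2000-', 'bytes=-99999999999999999999'):
        print(hdr, '->', 'rejected' if is_rejected(hdr, 1000) else parse_range(hdr, 1000))
```

With the default max_ranges=1 the second range in 'bytes=0-99,200-299' makes the whole header ignored and the full body is served, which is exactly the effect of the max_ranges 1 workaround; pass max_ranges=10 to see the multipart behaviour the workaround removes.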