
Nginx parsing vulnerability

2022-04-29 08:19:43 RedTeam

Vulnerability description

Because of the following configuration in nginx.conf, nginx hands every request whose path ends in '.php' to FastCGI for processing. For this reason, we can construct http://liuwx.cn/test.png/.php (the end of the URL does not have to be exactly '.php'; any PHP file that does not exist on the server will do, such as 'a.php'), where test.png is an image file containing PHP code that we uploaded.

Vulnerability reproduction environment

Windows Server 2003

Nginx

PhpStudy

The version environment is: Nginx + PHP 5.2

The 2003 server and the physical host PC must be able to ping each other.

My physical host's IP is: 192.168.1.101

The 2008 virtual machine's IP is: 192.168.119.134

Visit: http://192.168.119.134/

The environment is set up!

Nginx parsing vulnerability reproduction

Suppose a one-line image Trojan is named test.jpg. If you visit http://www.liuwx.cn/test.jpg/.a.php in the URL, the image is parsed and executed as a script!

Visit: http://192.168.119.134/1.jpg

You can see a normal picture!

When /*.php or /.php is appended to the end of the URL, the file is executed as a script!

Visit: http://192.168.119.134/1.jpg/a.php

To demonstrate, I added the following to hacker.jpg:

<?php
    phpinfo();
?>

Visit: http://192.168.119.134/hacker.jpg and it is a picture!

Following the Nginx parsing vulnerability, we append /.php:

http://192.168.119.134/hacker.jpg/.php

The phpinfo PHP code is executed successfully!

Vulnerability defense

1. In the php.ini file, set cgi.fix_pathinfo to 1

2. In /etc/php5/fpm/pool.d/www.conf, set the value of security.limit_extensions to .php
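
To look for requests of the shape demonstrated above (/1.jpg/a.php, /hacker.jpg/.php) in server logs, the following added example, which is not part of the original post, flags access-log lines where a static-file name is followed by an extra path segment ending in .php. The log lines are constructed samples in nginx's default combined format, and the extension list and function names are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: extensions an upload feature would accept; adjust per site.
STATIC_EXT = {"jpg", "jpeg", "png", "gif", "bmp", "ico", "txt", "pdf"}

# Request line and status inside nginx's default "combined" log format.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def is_suspicious(target):
    """True when a static-file segment is followed by a last segment ending in .php."""
    # Drop the query string, decode %xx escapes, ignore case.
    path = unquote(urlsplit(target).path).lower()
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2 or not segments[-1].endswith(".php"):
        return False
    # An earlier segment named like an uploaded file is the part that
    # would be handed to PHP once the trailing segment is not found.
    return any("." in s and s.rsplit(".", 1)[1] in STATIC_EXT
               for s in segments[:-1])


def scan(lines):
    """Return (request target, status) for each matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed sample log lines, not taken from a real server.
PREFIX = '192.168.1.101 - - [29/Apr/2022:08:00:00 +0800] '
SUFFIX = ' 512 "-" "Mozilla/5.0"'
SAMPLE_LOG = [PREFIX + req + SUFFIX for req in (
    '"GET /1.jpg HTTP/1.1" 200',
    '"GET /1.jpg/a.php HTTP/1.1" 200',
    '"GET /hacker.jpg/.php HTTP/1.1" 200',
    '"GET /HACKER.JPG/%2Ephp?x=1 HTTP/1.1" 404',
    '"GET /index.php/photo.jpg HTTP/1.1" 200',   # normal PATH_INFO use
    '"GET /blog/v1.2/index.php HTTP/1.1" 200',   # dotted directory name
)]

if __name__ == "__main__":
    for target, status in scan(SAMPLE_LOG):
        print(status, target)
```

The status code is returned with each hit so that flagged requests answered with 200 can be reviewed before those answered with 404.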
