current position:Home>Nginx parsing vulnerability

Nginx parsing vulnerability

2022-04-29 08:19:43RedTeam

Vulnerability description

because Nginx.conf The following configuration causes nginx Put in ’.php’ The closing papers are handed over to fastcgi Handle , For this reason, we can construct (url The end doesn't have to be ‘.php’, Any server does not exist php Documents can be , such as ’a.php’), among test.png It was uploaded by us with PHP Code photo file .

Loophole recurrence environment

Windows Server 2003



The version environment is :Nginx + PHP5.2

2003 The server must be able to communicate with PC Physical hosts interact with each other Ping through

Here is my physical host IP yes :

2008 The virtual machine IP yes :

visit :

Environment completed !

Nginx- Parsing vulnerability recurrence

A one sentence picture Trojan horse is :test.jpg, If in URL Medium visit : Yes, the image is parsed and executed as a script format !

visit :

You can see a normal picture !

When in RUL Add one at the end /*.php Or is it /.php, It will be executed as a script file !

visit :

To demonstrate , I am here hacker.jpg Added in :


visit : It's a picture !

We are in accordance with the Nginx Parsing vulnerabilities , Followed by /.php

Successful execution phpinfophp Code !

Loophole defense

1、 take php.ini In the document cgi.fix_pathinfo Is set to 1

2、 take /etc/php5/fpm/pool.d/www.conf in security.limit_ectensions The following value is set to .php

copyright notice
author[RedTeam],Please bring the original link to reprint, thank you.