aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
nginx/insecure-configuration/README.zh-cn.md Normal file
View File

@@ -0,0 +1,77 @@
# Nginx 配置错误导致漏洞
Nginx是一款Web服务器可以作为反向代理、负载均衡、邮件代理、HTTP缓存等。这个Vulhub环境包含三个由Nginx配置错误导致的漏洞。
## 测试环境
执行以下命令启动一个包含多个漏洞的Nginx服务器
```
docker compose up -d
```
运行成功后Nginx将会监听8080/8081/8082三个端口分别对应三种漏洞。
## Mistake 1. CRLF注入漏洞
Nginx会将`$uri`进行解码,导致传入%0d%0a即可引入换行符造成CRLF注入漏洞。
错误的配置文件示例原本的目的是为了让http的请求跳转到https上
```
location / {
return 302 https://$host$uri;
}
```
Payload: `http://your-ip:8080/%0d%0aSet-Cookie:%20a=1`可注入Set-Cookie头。
![](5.png)
利用《[Bottle HTTP 头注入漏洞探究](https://www.leavesongs.com/PENETRATION/bottle-crlf-cve-2016-9964.html)》中的技巧即可构造一个XSS漏洞
![](1.png)
## Mistake 2. 目录穿越漏洞
Nginx在配置别名Alias的时候如果忘记加`/`,将造成一个目录穿越漏洞。
错误的配置文件示例(原本的目的是为了让用户访问到/home/目录下的文件):
```
location /files {
alias /home/;
}
```
Payload: `http://your-ip:8081/files../` ,成功穿越到根目录:
![](2.png)
## Mistake 3. add_header被覆盖
Nginx配置文件子块server、location、if中的`add_header`,将会覆盖父块中的`add_header`添加的HTTP头造成一些安全隐患。
如下列代码整站父块中添加了CSP头
```
add_header Content-Security-Policy "default-src 'self'";
add_header X-Frame-Options DENY;
location = /test1 {
rewrite ^(.*)$ /xss.html break;
}
location = /test2 {
add_header X-Content-Type-Options nosniff;
rewrite ^(.*)$ /xss.html break;
}
```
`/test2`的location中又添加了`X-Content-Type-Options`头,导致父块中的`add_header`全部失效:
![](3.png)
XSS可被触发
![](4.png)