first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
63
nginx/nginx_parsing_vulnerability/README.md
Normal file
63
nginx/nginx_parsing_vulnerability/README.md
Normal file
@@ -0,0 +1,63 @@
|
||||
# Nginx Parsing Vulnerability
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Nginx is a web server that can be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. This environment contains a parsing vulnerability caused by improper user configuration.
|
||||
|
||||
Version information:
|
||||
|
||||
- Latest version of Nginx 1.x
|
||||
- Latest version of PHP 7.1.x
|
||||
|
||||
This indicates that the vulnerability is not related to specific Nginx or PHP versions, but rather is caused by improper user configuration leading to parsing vulnerabilities.
|
||||
|
||||
The vulnerability exists because of how Nginx handles file extensions in its configuration. When a request is made to a file with multiple extensions (like `file.jpg.php`), Nginx may process it based on the last extension, even if the file was originally uploaded as an image.
|
||||
|
||||
This misconfiguration commonly occurs in the following Nginx configuration:
|
||||
|
||||
```nginx
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
```
|
||||
|
||||
When a request is made to `file.jpg/.php`, Nginx will treat it as a PHP file and send it to the PHP-FPM for processing, even though it's actually an image file. This behavior can be exploited to execute malicious code that was uploaded as an image file.
|
||||
|
||||
## Environment Setup
|
||||
|
||||
Execute the following command to start a Nginx server with a parsing vulnerability:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After successful execution, the Nginx server will listen on port 80.
|
||||
|
||||
## Vulnerability Reproduce
|
||||
|
||||
Visit `http://your-ip/uploadfiles/nginx.png` and `http://your-ip/uploadfiles/nginx.png/.php` to see the effect.
|
||||
|
||||
Normal display:
|
||||
|
||||
|
||||
|
||||
After adding the `/.php` suffix, the file is parsed as a PHP file:
|
||||
|
||||
|
||||
|
||||
Visit `http://your-ip/index.php` to test the upload functionality. While the upload code itself has no vulnerabilities, you can get a shell by exploiting the parsing vulnerability:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
To prevent this vulnerability:
|
||||
|
||||
1. Configure proper file extension handling in Nginx
|
||||
2. Implement strict file type validation
|
||||
3. Store uploaded files outside of the web root
|
||||
4. Use random file names for uploaded files
|
||||
5. Implement proper access controls
|
||||
Reference in New Issue
Block a user