漏洞版本:
nginx 0.5.* nginx 0.6.* nginx 0.7 <= 0.7.65 nginx 0.8 <= 0.8.37
漏洞描述:
Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginx Ngnix在遇到%00空字節時與後端FastCGI處理不一致,導致可以在圖片中嵌入PHP代碼然後通過訪問xxx.jpg%00.php來執行其中的代碼 In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
測試方法:
本站提供程序(方法)可能帶有攻擊性,僅供安全研究與教學之用,風險自負!
- The attack itself is simple: a malicious user who makes a request to http://example.com/file.ext%00.php causes file.ext to be parsed as PHP.
- If an attacker can control the contents of a file served up by nginx (ie: using an avatar upload form) the result is arbitrary code execution. This vulnerability can not be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defense is to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content.
Sebug安全建議:
解決方案 升級nginx版本 http://nginx.org