Nginx %00空字节执行任意代码(php)漏洞
2013-05-06 15:34
1721 查看
漏洞版本:
nginx 0.5.* nginx 0.6.* nginx 0.7 <= 0.7.65 nginx 0.8 <= 0.8.37
漏洞描述:
Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginx Ngnix在遇到%00空字节时与后端FastCGI处理不一致,导致可以在图片中嵌入PHP代码然后通过访问xxx.jpg%00.php来执行其中的代码 In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
<* 参考
https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/
*>
测试方法:
@Sebug.net dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
The attack itself is simple: a malicious user who makes a request to http://example.com/file.ext%00.php causes file.ext to be parsed as PHP. If an attacker can control the contents of a file served up by nginx (ie: using an avatar upload form) the result is arbitrary code execution. This vulnerability can not be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defense is to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content.
Sebug安全建议:
解决方案 升级nginx版本 http://nginx.org[/code]
@Sebug.net [ 2011-08-25 ]
相关文章推荐
- php cgi远程任意代码执行漏洞
- WordPress wp-includes/functions.php脚本远程任意代码执行漏洞
- Nginx %00空字节执行任意代码(php)漏洞
- PHP-CGI远程任意代码执行漏洞(CVE-2012-1823)修复方案
- phpcms前台任意代码执行漏洞(php<5.3)
- WordPress Woopra Analytics插件‘ofc_upload_image.php’任意PHP代码执行漏洞
- PHP代码执行漏洞总结
- 【技术分享】TP-Link WR841N路由器任意代码执行漏洞分析(附演示视频)
- 利用本地包含漏洞执行任意代码
- 微信惊现任意代码执行漏洞 360手机卫士提供自检方案
- PHP代码审计笔记--命令执行漏洞
- [2012-4-10]ThinkPHP框架被爆任意代码执行漏洞(preg_replace)
- nginx NULL-Byte 任意代码执行漏洞
- PHP惊现安全漏洞 易执行恶意代码和DoS攻击
- Discuz! x3.1的插件/utility/convert/index.php代码执行漏洞
- CVE-2018-18319 - 华硕路由器 Merlin.php 代码执行漏洞
- WordPress 'is_serialized()'远程任意代码执行漏洞(CVE-2013-4338)
- Struts2/XWork远程执行任意代码漏洞
- ThinkPHP框架任意代码执行漏洞的利用及其修复方法
- PHP代码审计学习之命令执行漏洞挖掘及防御