Nginx %00空字节执行任意代码(php)漏洞
来源:互联网 发布:网络设置 编辑:程序博客网 时间:2024/06/07 03:32
漏洞版本:
nginx 0.5.*nginx 0.6.*nginx 0.7 <= 0.7.65nginx 0.8 <= 0.8.37
漏洞描述:
Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginxNgnix在遇到%00空字节时与后端FastCGI处理不一致,导致可以在图片中嵌入PHP代码然后通过访问xxx.jpg%00.php来执行其中的代码In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
<* 参考
https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/*>
测试方法:
@Sebug.net dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
- The attack itself is simple: a malicious user who makes a request to http://example.com/file.ext%00.php causes file.ext to be parsed as PHP.
- If an attacker can control the contents of a file served up by nginx (ie: using an avatar upload form) the result is arbitrary code execution. This vulnerability can not be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defense is to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content.
Sebug安全建议:
解决方案升级nginx版本http://nginx.org
@Sebug.net [ 2011-08-25 ]
- Nginx %00空字节执行任意代码(php)漏洞
- php cgi远程任意代码执行漏洞
- 任意代码执行漏洞
- thinkphp任意代码执行漏洞
- thinkphp任意代码执行漏洞
- PHP代码执行漏洞
- ThinkPHP framework 任意代码执行漏洞预警
- 利用本地包含漏洞执行任意代码
- Struts2/XWork远程执行任意代码漏洞
- 利用本地包含漏洞执行任意代码
- 利用本地包含漏洞执行任意代码
- 格式化字符串漏洞执行任意代码分析
- PHP代码执行漏洞总结
- PHP代码执行漏洞总结
- PHP代码执行漏洞总结
- IE 5.5 Index.dat 执行任意代码漏洞
- Struts2/WebWork高危漏洞(远程执行任意代码)
- Hive任意命令/代码执行漏洞+渗透实例
- 讲讲C++中的volatile关键字
- mac os10.7 lion xcode 启动路径
- debug privilege
- Placement new、operator new、new operator 完全释疑
- WIZnet 4月新闻报
- Nginx %00空字节执行任意代码(php)漏洞
- MPLAB X IDE调试代码
- Ogre源码剖析之一:初识Root类
- windows下Git pull、 push 操作无需输密码的方法
- Oracle中insert into select和select into的用法(异常0RA-00905:missing keyword的解决)
- Zend Studio 9.0 字体修改方法
- RabbitMQ介绍
- 给TextView添加边框
- 快速入门互联网协议