防胜于补:修复Nginx%00空字节执行任意代码(php)漏洞
架设服务器,构建WEB环境不容易,而一些所谓的小黑会毫不留情的拿你试手的,赶紧看看你手中的Nginx版本,如果低于0.7.65,或者0.8.37,而又可以上传的话,那么别说你不知道这个00空字节执行任意代码(php)漏洞的严重性。
Ngnix在遇到%00空字节时与后端FastCGI处理不一致,导致可以在图片中嵌入PHP代码然后通过访问xxx.jpg%00.php来执行其中的代码
影响版本:
nginx 0.5.*
nginx 0.6.*
nginx 0.7 <= 0.7.65
nginx 0.8 <= 0.8.37
In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h).
Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
一.老肉鸡变新肉鸡
大家应该还记得80sec发的nginx文件类型错误解析漏洞吧
http://www.80sec.com/nginx-securit.html
漏洞的利用方式是:
/test.jpg/x.php
转截请注明:文章来自 pc捍卫者 http://www.pchwz.com
本站发布此文为传递更多信息之目的,不表明pc捍卫者赞同其观点