Nginx Code Execution with Null Bytes hidden points and key points

Last night, the black pot posted a foreigner-exposed Nginx vulnerability on Weibo, and few people started to pay attention to it. I tested and verified the installation environment, I tried two websites on the Internet and verified the vulnerability, So I uploaded the vulnerability on Weibo immediately.

This vulnerability was launched in July 20. Foreigners have made a very detailed analysis. For more information, see:

Https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

Here I will talk about the hidden points and key points of this vulnerability:

1. old broilers become new Broilers

We should remember 80 sec issued nginx file type error Parsing Vulnerability: http://www.bkjia.com/Article/201005/47604.html

The vulnerability is exploited as follows:

/Test.jpg/x. php

 

The temporary solution is:

If ($ fastcgi_script_name ~ \ .. * \/. * Php ){
Return 403;
}

 

New vulnerabilities are exploited in the following ways:
/Test.jpg % 00.php

 

Matched with the regular expression fastcgi_script_name, we will find that this vulnerability is not found, so it is very rare that bots that have been hacked by this vulnerability can be hacked again.

 

2. Methods to accurately identify this vulnerability.

Generally, this vulnerability can be exploited only in applications that can upload files. Therefore, the Forum bears the brunt of this vulnerability. For example, the two files on the discuz forum can easily identify this vulnerability.

1. PHP syntax error.

2. Eat the first line of CGI # comment.

Specific can refer to: http://www.bkjia.com/Article/201101/81627.html

The principle is here.

BY: black box of RAyh4c

Iii. Scope of vulnerability impact

Https://svn.nginx.org/nginx/browser/nginx#tags

All versions of nginx 0.7.65 or lower (0. 5. *, 0. 6. *, 0. 7. *) and 0.8.37 (0. 8. *) are affected.

In fact, some old versions are still affected, but many of the earliest companies in China that sought after ngnix do not have many vulnerable nginx versions used online, especially for security companies, so be careful when you get hacked.