The nginx parsing vulnerability is an old one, but many nginx versions with the parsing vulnerability are still running on the Internet.
I haven't written any articles for a long time. I went to sleep and went to the French client to see a penetration article on the nginx vulnerability. I found that I didn't seem to have written it.
And so on ~~~
The nginx parsing vulnerability is caused by a flaw in some nginx versions that leads to files which are not scripts being parsed and executed as script programs such as PHP.
Assume that the vulnerable website has an image at the following URL:
www.2cto.com/logo.jpg // assume this image exists.
When we access it normally, nginx reads the file as static, non-script content and sends it directly to the client (that is, the browser).
An nginx with the parsing vulnerability, however, will parse and execute requests like the following:
www.2cto.com/logo.jpg/a.php // (the older method uses this form; nginx will parse logo.jpg as a script and then output the result.)
www.2cto.com/logo.jpg%00.php // This is a parsing vulnerability that emerged in mid-July.
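For defenders, requests of this shape stand out in access logs. The following is an added example (not part of the original post) that flags both URL forms above in nginx combined-format log lines; the sample log lines, the extension list and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Extensions that should only ever be served as static files (assumed list; extend per site).
STATIC_EXT = rb"(?:jpe?g|png|gif|bmp|ico)"
# logo.jpg/a.php or photo.jpg/.php : a static file followed by an extra ".php" path segment.
PATHINFO_RE = re.compile(rb"\." + STATIC_EXT + rb"/[^/]*\.php$", re.I)
# logo.jpg%00.php : a static file name, a decoded NUL byte, then ".php".
NULLBYTE_RE = re.compile(rb"\." + STATIC_EXT + rb"\x00.*\.php$", re.I)
# Request line and status code from the nginx "combined" log format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(uri):
    """Return 'null-byte', 'path-suffix' or None for one request URI."""
    path = unquote_to_bytes(uri.split("?", 1)[0])  # drop query string, decode %xx
    if NULLBYTE_RE.search(path):
        return "null-byte"
    if PATHINFO_RE.search(path):
        return "path-suffix"
    return None

def scan(lines):
    """Return (kind, status, uri) for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (kind := classify(m.group(1))):
            hits.append((kind, int(m.group(2)), m.group(1)))
    return hits

# Constructed sample log lines (documentation IP range, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /logo.jpg HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /logo.jpg/a.php HTTP/1.1" 200 312',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /logo.jpg%00.php HTTP/1.1" 404 162',
    '192.0.2.12 - - [01/Jan/2024:10:01:00 +0000] "GET /upload/photo/abc.jpg/.php?x=1 HTTP/1.1" 200 88',
    '192.0.2.13 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for kind, status, uri in scan(SAMPLE_LOG):
        # A 200 on such a request deserves a closer look than a 404.
        priority = "REVIEW" if status == 200 else "info"
        print(f"{priority:6} {kind:11} {status} {uri}")
```

A hit answered with status 200 means the server returned something for a path that should not exist, so those entries are the ones to check first against the upload directory and the nginx/PHP configuration.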
What are the dangers of such parsing vulnerabilities? Many websites are strict about the security of their own programs, but many social or interactive websites allow users to upload images. Social websites, for example, generally let users upload avatars ~ So if someone deliberately uploads an image Trojan, it can be parsed and executed directly. Now, let's take an example to describe it:
A dating site:
With so many images on the site ~~~ there must be a place to upload. Register an account first. After registration, you are prompted to upload a photo.
Upload a prepared image Trojan (tuma). The image has to go through review ~~
Right-click the image and choose Inspect Element (the Chrome browser is used):
We can see the image link, but don't be happy yet ~~ I see middle.jpg. If you are a programmer, you should know that, to reduce server load, image resources are processed and only thumbnails are displayed in some areas. A thumbnail has been reprocessed, so the image Trojan does not work there. So you must find the source image. In fact, the real address of the source image is obtained by removing .middle. Why? Because the source image will certainly be saved: my picture is under review (of course, my avatar cannot pass the review), and if the review is approved, you can click to view the large image. Generally, this large image is your source image (theoretically).
Let's take a look at the link address:
http://www.2cto.com/upload/picture/photo/006/65/26/503/d136ee3aaf.jpg/.php
The image has been successfully parsed as an executable script:
I browsed around a little and the permissions were loose ~~~
Well, I still hope that the major webmasters will pay attention to security ~