影响范围
PHP、Go、Python等开启CGI(Client)模式的脚本语言
Language | 环境依赖 | HTTP Client |
---|---|---|
PHP | php-fpmmod_php | Guzzle 4+Artax |
Python | wsgiref.handlers.CGIHandlertwisted.web.twcgi.CGIScript | requests |
Go | net/http/cgi | net/http |
漏洞原理
在CGI(RFC 3875)的模式的时候,server 会把请求中的 Header, 加上 HTTP_ 前缀, 注册为环境变量,且重名变量会被覆盖污染,若该变量被脚本调用,即可利用,该漏洞在15年前在LWP中已被发现并修复http://www.nntp.perl.org/group/perl.libwww/2001/03/msg2249.html。
如控制 HTTPHOST 进行 URL 跳转,或者直接控制 HTTP_PROXY 让流量到代理服务器中转,将 HTTP 控制进入环境变量进行shellshock攻击等,所以,所有 HTTP_ 开头的环境变量在CGI模式下都是不可信不安全的。
利用过程如图所示:
可通过
ngrep -q -i -d any -W byline 'proxy' 'dst port 80'
捕获扫描
<?php
$http_proxy = getenv("HTTP_PROXY");
if ($http_proxy) { $context = array( 'http' => array( 'proxy' => $http_proxy, 'request_fulluri' => true, ), ); $s_context = stream_context_create($context); } else { $s_context = NULL; } $ret = file_get_contents("http://www.chaitin.cn/", false, $s_context);
PoC
curl "http://target" -H "Proxy: test env"
利用条件
- 后端信任接收的 Header
- 污染控制的变量被脚本调用
- 开启CGI(Client)模式
- 服务器能对外通信
修复方案
最为有效的方式就是在脚本调用变量之前及时阻断或者限制内部调用时的可信变量
Nginx
在配置中加入
fastcgi_param HTTP_PROXY "";
Apache
根据官方建议patchhttps://www.apache.org/security/asf-httpoxy-response.txt
IIS
运行 appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='proxy',sizelimit='0']
来阻止恶意代理被调用
如果要清理header,可以使用如下规则
<system.webServer>
<rewrite>
<rules> <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard"> <match url="*.*" /> <serverVariables> <set name="HTTP_PROXY" value="" /> </serverVariables> <action type="None" /> </rule> </rules> </rewrite> </system.webServer>
参考来源
https://httpoxy.org/
https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm
附其他语言测试用例
bash
#!/bin/bash
export http_proxy=$HTTP_PROXY
`curl http://www.chaitin.cn`
python
#!/usr/bin/python
import requests
import os
import sys
from wsgiref.handlers import CGIHandler if sys.version_info < (3,): def b(x): return x else: import codecs def b(x): return codecs.latin_1_encode(x)[0] def application(environ, start_response): status = '200 OK' r = requests.get("http://www.chaitin.cn/") output = """ Made internal subrequest to http://www.chaitin.cn/ and got: os.environ[HTTP_PROXY]: %(proxy)s os.getenv('HTTP_PROXY'): %(getenv-proxy)s wsgi Proxy header: %(wsgi-env-proxy)s status code: %(status)d text: %(text)s """ % { 'proxy': os.environ['HTTP_PROXY'] if 'HTTP_PROXY' in os.environ else 'none', 'getenv-proxy': os.getenv('HTTP_PROXY', 'none'), 'wsgi-env-proxy': environ['HTTP_PROXY'] if 'HTTP_PROXY' in environ else 'none', 'status': r.status_code, 'text': r.text } response_headers = [('Content-type', 'text/plain'), ('Content-Length', str(len(b(output))))] start_response(status, response_headers) return [b(output)] if __name__ == '__main__': CGIHandler().run(application)
Go
package main import ( "fmt" "io" "log" "net/http" "net/http/cgi" ) func main() { if err := cgi.Serve(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { header := w.Header() header.Set("Content-Type", "text/plain; charset=utf-8") response, err := http.Get("http://www.chaitin.cn/") if err != nil { log.Fatal(err) } else { defer response.Body.Close() fmt.Fprint(w, "Response body from internal subrequest:") _, err := io.Copy(w, response.Body) fmt.Fprintln(w, "") if err != nil { log.Fatal(err) } } fmt.Fprintln(w, "Method:", r.Method) fmt.Fprintln(w, "URL:", r.URL.String()) query := r.URL.Query() for k := range query { fmt.Fprintln(w, "Query", k+":", query.Get(k)) } r.ParseForm() form := r.Form for k := range form { fmt.Fprintln(w, "Form", k+":", form.Get(k)) } post := r.PostForm for k := range post { fmt.Fprintln(w, "PostForm", k+":", post.Get(k)) } fmt.Fprintln(w, "RemoteAddr:", r.RemoteAddr) if referer := r.Referer(); len(referer) > 0 { fmt.Fprintln(w, "Referer:", referer) } if ua := r.UserAgent(); len(ua) > 0 { fmt.Fprintln(w, "UserAgent:", ua) } for _, cookie := range r.Cookies() { fmt.Fprintln(w, "Cookie", cookie.Name+":", cookie.Value, cookie.Path, cookie.Domain, cookie.RawExpires) } })); err != nil { fmt.Println(err) } }
http://www.tuicool.com/articles/Brmm6zm