测试环境
nginx基础配置
创建一个demo
#1.创建web目录
mkdir -p /var/www/aaa/
#2.配置nginx配置文件
/usr/local/nginx/conf/nginx.conf
#3.文件内容添加server模块
server {
listen 80;
server_name www.aaa.com;
root "/var/www/aaa/nginxhost/web";
index index.html index.php;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php(.*)$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include fastcgi_params;
}
}
#4.启动nginx
[root@blackstone aaa]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@blackstone aaa]# /usr/local/nginx/sbin/nginx
添加hosts文件
192.168.137.131 2023.mhz.pw
上传pwnhub
给mhz文件权限,给tmp权限
[root@www sbin]#chmod -R 777 mhz/
[root@www mhz]# cd protected/
[root@www mhz]# mkdir tmp
[root@www mhz]# chmod 777 tmp/
创建库、表
create databases security;
use security;
SET NAMES utf8;
SET FOREIGN_KEY_CHECKS = 0;
DROP TABLE IF EXISTS `flags`;
CREATE TABLE `flags` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`flag` varchar(256) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(256) NOT NULL,
`password` varchar(32) NOT NULL,
`email` varchar(256) DEFAULT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=15 DEFAULT CHARSET=utf8mb4;
SET FOREIGN_KEY_CHECKS = 1;
测试
此处若出现问题,在Windows上做了一下相关操作。
测试环境搭建完成。
进入数据库查看数据库结构
mysql> use security;
Database changed
mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| flags |
| users |
+--------------------+
2 rows in set (0.00 sec)
mysql> select * from flags;
Empty set (0.00 sec)
mysql> show columns from flags;
+-------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------+------------------+------+-----+---------+----------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| flag | varchar(256) | YES | | NULL | |
+-------+------------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)
mysql> show columns from users;
+----------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+------------------+------+-----+---------+----------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| username | varchar(256) | NO | UNI | NULL | |
| password | varchar(32) | NO | | NULL | |
| email | varchar(256) | YES | | NULL | |
+----------+------------------+------+-----+---------+----------------+
4 rows in set (0.00 sec)
mysql> insert into flags (flag) values ('累');
Query OK, 1 row affected (0.00 sec)
mysql> select * from flags;
+----+-----------------------+
| id | flag |
+----+-----------------------+
| 2 | 累 |
+----+-----------------------+
1 row in set (0.00 sec)
mysql> select * from users;
+----+----------+----------------------------------+-------------------+
| id | username | password | email |
+----+----------+----------------------------------+-------------------+
| 15 | 123 | 202cb962ac59075b964b07152d234b70 | 1413004557@qq.com |
+----+----------+----------------------------------+-------------------+
1 row in set (0.00 sec)
mysql>
绕过Nginx Host限制
处理方法一
Nginx在处理Host的时候,会将Host用冒号分割成hostname和port,port部分被丢弃。所以,我们可以设置Host的值为2023.mhz.pw:xxx’"@example.com,这样就能访问到目标Server块:
处理方法二
当我们传入两个Host头的时候,Nginx将以第一个为准,而PHP-FPM将以第二个为准。
也就是说,如果我传入:
Host: 2023.mhz.pw
Host: xxx'"@example.com
Nginx将认为Host为2023.mhz.pw,并交给目标Server块处理;但PHP中使用$_SERVER[‘HTTP_HOST’]取到的值却是xxx’"@example.com。这样也可以绕过:
处理方法三
在发送https数据包的时候,SNI中指定的域名将会被nginx作为Server Name,而无需和HTTP报文中的Host头保持一致。
我们可以直接使用Burpsuite来测试这个trick,比如我在后端编写PHP代码echo $_SERVER[‘HTTP_HOST’]。正常访问是会显示此时的Host头。
nginx ssl
创建存放证书的目录
[root@www sbin]# cd /usr/local/nginx
[root@www nginx]# mkdir key
[root@www nginx]# openssl genrsa -des3 -out ssl.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................++
........................................................................++
e is 65537 (0x10001)
Enter pass phrase for ssl.key:
Verifying - Enter pass phrase for ssl.key:
[root@www nginx]# openssl req -new -key ssl.key -out ssl.csr
Enter pass phrase for ssl.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xianyang
Organization Name (eg, company) [Default Company Ltd]:oupeng
Organizational Unit Name (eg, section) []:IT_security
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:123456@123
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@www nginx]# openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
Signature ok
subject=/C=cn/ST=shanxi/L=xianyang/O=oupeng/OU=IT_security/CN=localhost/emailAddress=123456@123
Getting Private key
Enter pass phrase for ssl.key:
[root@www nginx]# cd key/
[root@www key]# ll
total 12
-rw-r--r--. 1 root root 1984 Feb 7 08:28 ssl.crt
-rw-r--r--. 1 root root 1805 Feb 7 08:27 ssl.csr
-rw-r--r--. 1 root root 3311 Feb 7 08:23 ssl.key
nginx配置ssl模块
server {
listen 443 ssl;#https默认使用433端口
server_name 192.168.137.136
#ssl on;
ssl_certificate /usr/local/nginx/key/ssl.crt;
ssl_certificate_key /usr/local/nginx/key/ssl.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers; ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
...
}
#1.判断是否具有ssl模块 --- 输出含有configure arguments: --with-http_ssl_module
/usr/local/nginx/sbin/nginx -V
#2.cd到nginx源码解压目录
[root@www ~]cd nginx.122.1
[root@www nginx-1.22.1]#./configure --with-http_ssl_module
#3.编译执行
make
#4.备份原有已安装好的nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
#5.然后将刚刚编译好的nginx覆盖掉原有的nginx(这个时候nginx要停止状态)
cp ./objs/nginx /usr/local/nginx/sbin/
#6.测试查看
[root@blackstone nginx-1.20.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module
修改配置文件 后重启