nginx-host绕过实例复现_nginx绕过登录-CSDN博客

本文链接：https://blog.csdn.net/zzh164672917/article/details/128928655

测试环境

nginx基础配置

创建一个demo

#1.创建web目录
mkdir -p /var/www/aaa/

#2.配置nginx配置文件 
/usr/local/nginx/conf/nginx.conf

#3.文件内容添加server模块
     server {
        listen       80;
        server_name  www.aaa.com;
        root "/var/www/aaa/nginxhost/web";
        index index.html index.php;

        location / {
        try_files $uri $uri/ /index.php;
        }
        location ~ \.php(.*)$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $fastcgi_path_info;
            fastcgi_param  PATH_TRANSLATED  $document_root$fastcgi_path_info;
            include        fastcgi_params;
        }

    }

#4.启动nginx
[root@blackstone aaa]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@blackstone aaa]# /usr/local/nginx/sbin/nginx

添加hosts文件

192.168.137.131 2023.mhz.pw

在这里插入图片描述

上传pwnhub

在这里插入图片描述

给mhz文件权限，给tmp权限

[root@www sbin]#chmod -R 777 mhz/
[root@www mhz]# cd protected/
[root@www mhz]# mkdir tmp
[root@www mhz]# chmod 777 tmp/

创建库、表

create databases security;
use security;
SET NAMES utf8;
SET FOREIGN_KEY_CHECKS = 0;

DROP TABLE IF EXISTS `flags`;
CREATE TABLE `flags` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `flag` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8mb4;

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(256) NOT NULL,
  `password` varchar(32) NOT NULL,
  `email` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=15 DEFAULT CHARSET=utf8mb4;

SET FOREIGN_KEY_CHECKS = 1;

测试

在这里插入图片描述
此处若出现问题，在Windows上做了一下相关操作。

测试环境搭建完成。

进入数据库查看数据库结构

mysql> use security;
Database changed
mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| flags              |
| users              |
+--------------------+
2 rows in set (0.00 sec)

mysql> select * from flags;
Empty set (0.00 sec)

mysql> show columns from flags;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| flag  | varchar(256)     | YES  |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)

mysql> show columns from users;
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| id       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| username | varchar(256)     | NO   | UNI | NULL    |                |
| password | varchar(32)      | NO   |     | NULL    |                |
| email    | varchar(256)     | YES  |     | NULL    |                |
+----------+------------------+------+-----+---------+----------------+
4 rows in set (0.00 sec)

mysql> insert into flags (flag) values ('累');
Query OK, 1 row affected (0.00 sec)

mysql> select * from flags;
+----+-----------------------+
| id | flag                  |
+----+-----------------------+
|  2 | 累                    |
+----+-----------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+----------+----------------------------------+-------------------+
| id | username | password                         | email             |
+----+----------+----------------------------------+-------------------+
| 15 | 123      | 202cb962ac59075b964b07152d234b70 | 1413004557@qq.com |
+----+----------+----------------------------------+-------------------+
1 row in set (0.00 sec)

mysql>

绕过Nginx Host限制

处理方法一

Nginx在处理Host的时候，会将Host用冒号分割成hostname和port，port部分被丢弃。所以，我们可以设置Host的值为2023.mhz.pw:xxx’"@example.com，这样就能访问到目标Server块：
在这里插入图片描述

处理方法二

当我们传入两个Host头的时候，Nginx将以第一个为准，而PHP-FPM将以第二个为准。
也就是说，如果我传入：

Host: 2023.mhz.pw
Host: xxx'"@example.com

Nginx将认为Host为2023.mhz.pw，并交给目标Server块处理；但PHP中使用$_SERVER[‘HTTP_HOST’]取到的值却是xxx’"@example.com。这样也可以绕过：
在这里插入图片描述

处理方法三

在发送https数据包的时候，SNI中指定的域名将会被nginx作为Server Name，而无需和HTTP报文中的Host头保持一致。
在这里插入图片描述
我们可以直接使用Burpsuite来测试这个trick，比如我在后端编写PHP代码echo $_SERVER[‘HTTP_HOST’]。正常访问是会显示此时的Host头。

nginx ssl

创建存放证书的目录

[root@www sbin]# cd /usr/local/nginx
[root@www nginx]# mkdir key

[root@www nginx]# openssl genrsa -des3 -out ssl.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................++
........................................................................++
e is 65537 (0x10001)
Enter pass phrase for ssl.key:
Verifying - Enter pass phrase for ssl.key:
[root@www nginx]# openssl req -new -key ssl.key -out ssl.csr
Enter pass phrase for ssl.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xianyang
Organization Name (eg, company) [Default Company Ltd]:oupeng
Organizational Unit Name (eg, section) []:IT_security
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:123456@123

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@www nginx]# openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
Signature ok
subject=/C=cn/ST=shanxi/L=xianyang/O=oupeng/OU=IT_security/CN=localhost/emailAddress=123456@123
Getting Private key
Enter pass phrase for ssl.key:
[root@www nginx]# cd key/
[root@www key]# ll
total 12
-rw-r--r--. 1 root root 1984 Feb  7 08:28 ssl.crt
-rw-r--r--. 1 root root 1805 Feb  7 08:27 ssl.csr
-rw-r--r--. 1 root root 3311 Feb  7 08:23 ssl.key

nginx配置ssl模块

server {
  listen 443 ssl;#https默认使用433端口
  server_name 192.168.137.136

  #ssl on;
  ssl_certificate /usr/local/nginx/key/ssl.crt;
  ssl_certificate_key /usr/local/nginx/key/ssl.key;
  ssl_session_timeout 5m;
  ssl_protocols SSLv2 SSLv3 TLSv1;
  ssl_ciphers; ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers on;
  location / {
    ...
    }

#1.判断是否具有ssl模块 --- 输出含有configure arguments: --with-http_ssl_module
/usr/local/nginx/sbin/nginx -V

#2.cd到nginx源码解压目录
[root@www ~]cd nginx.122.1
[root@www nginx-1.22.1]#./configure --with-http_ssl_module

#3.编译执行
make

#4.备份原有已安装好的nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

#5.然后将刚刚编译好的nginx覆盖掉原有的nginx（这个时候nginx要停止状态）
cp ./objs/nginx /usr/local/nginx/sbin/

#6.测试查看
[root@blackstone nginx-1.20.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module