Nginx CRLF (Renewal Enter) Injection Vulnerability

By Nginx

nginx CRLF (carriage return) injection vulnerability reproduces

< span style="font-size: 18px;">1. Vulnerability description

CRLF is “Enter+ “Line feed” (
) is the abbreviation, and its hexadecimal codes are 0x0d and 0x0a respectively. In the HTTP protocol, the HTTP header and the HTTP body are separated by two CRLFs, and the browser extracts and displays the HTTP content based on these two CRLFs. So, once we can control the characters in the HTTP message header, inject some malicious newlines, so that we can inject some session cookies or HTML code. CRLF vulnerabilities often appear in Location and Set-cookie message headers.

2. Vulnerability principle

1. Modify nginx.conf and add the following configuration in the position as shown below. This configuration implements the function of forced redirection. When users access the nginx server, they will be forced to redirect due to the existence of this configuration. Go to the link you visited before using the https protocol.

  share picture

2. There are two key use points for the above configuration: one is that the $url in the configuration is controllable, so that we can fill in CRLF at the $url, and then The server accesses to achieve header injection. The second is that the server will return a 302 jump to the user, so the header parameters we injected will be returned to the client.

3. Vulnerability environment construction and reproduction

1. Install nginx on ubuntu 16.04

1.1 install nginx dependent libraries< /span>

1.1.1 Install gcc g++ dependent libraries

The ubuntu platform can use the following commands:

apt-get install build-essential p>

apt-get install libtool

1.1.2 Install pcre dependent libraries

apt-get install libpcre3 libpcre3-dev

1.1.3 Install zlib dependent libraries

apt-get install zlib1g-dev

apt-get install zlib1g-dev

span>

1.1.4 Install ssl dependency library

apt-get install openssl

1.2 install nginx

#Download the latest version:

wget http://nginx.org/download/nginx-1.11.3.tar.gz

#Unzip:

tar -zxvf nginx-1.11.3.tar.gz< /span>

#Enter the decompression directory:

cd nginx-1.11.3

#Configuration:

./configure –prefix=/usr/local/nginx

#Edit nginx:

Make

# Install nginx:

make install

#Start nginx:

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/ conf/nginx.conf

1.3 browser access, test whether nginx is successfully built

Share a picture

2. Modify /usr/local/nginx/conf/nginx.conf and add the following content in the position as shown below:< /span>

  share picture

3. Restart nginx service

./sbin/nginx -s reload

  share picture

3. Restart nginx service

./sbin/nginx -s reload

  share picture

4. The browser visits http://192.168.10.137/, and then captures the packet and modifies the data packet. As shown in the figure below, CRLF header injection is successfully implemented

  Share a picture

4. Vulnerability defense

1, delete improperly configured configuration

————— ————————————————– —————————

Reference materials: https://blog.csdn.net/liuhuaijin/article/details/77449579

, , , , , ,

WordPress database error: [Table 'yf99682.wp_s6mz6tyggq_comments' doesn't exist]
SELECT SQL_CALC_FOUND_ROWS wp_s6mz6tyggq_comments.comment_ID FROM wp_s6mz6tyggq_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 4600 ORDER BY wp_s6mz6tyggq_comments.comment_date_gmt ASC, wp_s6mz6tyggq_comments.comment_ID ASC

Leave a Comment

Your email address will not be published.