Ngnix在遇到%00空字节时与后端FastCGI处理不一致,导致可以在图片中嵌入PHP代码然后通过访问xxx.jpg%00.php来执行其中的代码
影响版本:
nginx 0.5.*
nginx 0.6.*
nginx 0.7 <= 0.7.65
nginx 0.8 <= 0.8.37

In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h).
Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.

一.老肉鸡变新肉鸡

大家应该还记得80sec发的nginx文件类型错误解析漏洞吧

http://www.80sec.com/nginx-securit.html

漏洞的利用方式是:

/test.jpg/x.php

临时解决方案是:

if ( $fastcgi_script_name ~ ..*/.*php ) {
return 403;
}

而新漏洞的利用方式是:
/test.jpg%00.php

对应fastcgi_script_name的匹配正则,我们会发现是匹不到这个漏洞的,所以非常杯具,以前被老nginx漏洞黑过的肉鸡还能被重新黑一次。

二.准确识别这个漏洞的方法.

一般这个漏洞需要在能够上传文件的应用中才能被利用,所以论坛首当其冲,象discuz论坛的两个文件就能非常方便的识别这个漏洞。

1.爆出PHP语法错误。

2.吃掉CGI #注释的第一行。

<*参考
https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

解决方法:升级Nginx