
About a year ago, on March 21, 2019, an excellent report came in through HackerOne: when a null byte (ASCII 0) was injected into a POST parameter of a webmail API request that returned an HTTP redirect, uninitialized memory blocks showed up in the redirect data, and they frequently contained fragments of GET parameters and headers from other requests to the same server.
This was a serious vulnerability, because those requests contain session cookies. Within a few hours a temporary fix was deployed that filtered out the null byte (it later turned out to be insufficient: CRLF injection (ASCII 13, 10) was still possible, which allows manipulating HTTP response headers and body. That is less severe, but still unpleasant). At the same time the issue was handed to the security analysts and developers to investigate and fix the root cause of the bug.
Mail.ru Mail is a rather complex application: many different front-end and back-end components, both open source (many thanks to all the free-software developers) and proprietary, could have produced the response. We were able to rule out every component except nginx and OpenResty, and to localize the problem to them. The unexpected behaviour came from an OpenResty script (injecting a null byte or newline through GET parameters into a rewrite done by ngx_http_rewrite_module, which according to the documentation is what is used and should have reproduced it, did not reproduce it). The possible consequences were assessed, much stricter filtering was added, and it was verified that the filter blocked every path. But the mechanism behind the memory leak remained unknown. A month later the bug report was closed as resolved, and the investigation into the cause was postponed to better times.
OpenResty is a popular module that lets you write Lua scripts inside Nginx, and it is used in several Mail.ru projects, so the problem was not considered closed. After a while we came back to it to understand the real causes and the possible consequences, and to give the developers evidence. Several colleagues joined the dig through the source code. It turned out that:
- In nginx, when a rewrite uses user-supplied data, directory traversal (and possibly SSRF) is possible in some configurations, but this is a known issue and should be caught by server configuration analyzers, such as the one from Yandex (yes, we use it too, thanks). When OpenResty is used it is easy to miss, but it did not apply to our configuration.
Configuration example:
location ~ /rewrite {
    rewrite ^.*$ $arg_x;
}
location / {
    root html;
    index index.html index.htm;
}
Result:
curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
- Nginx has a bug that causes a memory leak when the rewrite string contains a null byte. When sending the redirect, Nginx allocates a new memory buffer equal to the full length of the string, but copies the string into it with a string function for which the null byte is the terminator. So the string is copied only up to the null byte; the rest of the buffer holds uninitialized data. A detailed analysis can be found here.
Configuration example (^@ stands for the null byte):
location ~ /memleak {
    rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";
}
location / {
    root html;
    index index.html index.htm;
}
Result:
curl localhost:8337/secret -vv
...
curl localhost:8337/memleak -vv
...
Location: http://localhost:8337/secret
...
- Nginx protects GET parameters against injection of special characters (the $arg_* values are not URL-decoded), and GET parameters are the only ones usable during a rewrite. So injection through user-controlled parameters is not possible in Nginx alone. POST parameters, however, are not protected. OpenResty supports both GET and POST parameters, so by passing POST parameters through OpenResty the special characters can be injected.
Configuration example:
location ~ /memleak {
    rewrite_by_lua_block {
        ngx.req.read_body();
        local args, err = ngx.req.get_post_args();
        ngx.req.set_uri( args["url"], true );
    }
}
location / {
    root html;
    index index.html index.htm;
}
Result:
curl localhost:8337 -d "url=secret" -vv
...
curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
...
Location: http://localhost:8337/{...may contain secret...}
...
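The mechanism from the second point, as an added example in C that is not nginx's code and not part of the original article: a buffer is allocated for the full length of the rewrite string, the copy stops at the first NUL, and the unwritten tail of the buffer (here a constructed region pre-filled with a made-up earlier request) goes out as part of the Location header. All names (region, copy_location_vuln, copy_location_fixed, vuln_leaks, fixed_leaks) and the sample data are this example's own; nginx's real allocation and copy routines are not reproduced.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not nginx's code: a model of the leak described above.
 * A buffer sized for the whole rewrite string is allocated, but the string
 * is copied with a routine that treats 0x00 as the terminator, so every
 * byte after the first NUL is whatever the allocator handed back. */

#define BUF_SIZE 128

/* Stand-in for a recycled heap/pool region. Constructed sample content:
 * fragments of an earlier request that were never cleared. */
static char region[BUF_SIZE];

static void region_reset(void)
{
    static const char leftover[] =
        "GET /inbox?token=SECRET-TOKEN-1234 HTTP/1.1\r\nCookie: sid=abc\r\n";
    memset(region, 0, sizeof region);
    memcpy(region, leftover, sizeof leftover - 1);
}

/* Vulnerable variant: the copy stops at the first NUL, but the caller still
 * believes the buffer holds `len` meaningful bytes and sends all of them. */
static char *copy_location_vuln(const char *uri, size_t len)
{
    char *buf = region;                 /* think: allocate `len` bytes from the pool */
    size_t i;
    for (i = 0; i < len && uri[i] != '\0'; i++)
        buf[i] = uri[i];                /* strcpy-style semantics */
    return buf;
}

/* Fixed variant: length-based copy, an embedded NUL is just another byte. */
static char *copy_location_fixed(const char *uri, size_t len)
{
    char *buf = region;
    memcpy(buf, uri, len);              /* memcpy-style semantics */
    return buf;
}

/* 1 if `needle` appears anywhere in the `len` bytes that would be sent. */
static int response_contains(const char *resp, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Attacker's rewrite string: a NUL followed by `tail` filler bytes. The
 * filler only makes the string (and so the buffer) longer; the longer it
 * is, the more uninitialized bytes come back. `tail` must be < BUF_SIZE. */
static size_t make_payload(char *dst, size_t tail)
{
    dst[0] = '\0';
    memset(dst + 1, 'a', tail);
    return tail + 1;
}

/* 1 if the vulnerable copy exposes the leftover token, 0 otherwise. */
int vuln_leaks(size_t tail)
{
    char payload[BUF_SIZE];
    size_t len = make_payload(payload, tail);
    region_reset();
    return response_contains(copy_location_vuln(payload, len), len, "SECRET-TOKEN");
}

/* Same experiment with the length-based copy. */
int fixed_leaks(size_t tail)
{
    char payload[BUF_SIZE];
    size_t len = make_payload(payload, tail);
    region_reset();
    return response_contains(copy_location_fixed(payload, len), len, "SECRET-TOKEN");
}

int main(void)
{
    printf("vulnerable copy, 40-byte tail: leaks=%d\n", vuln_leaks(40));
    printf("fixed copy,      40-byte tail: leaks=%d\n", fixed_leaks(40));
    printf("vulnerable copy,  8-byte tail: leaks=%d\n", vuln_leaks(8));
    return 0;
}
```

The third call shows the point made later about the PortSwigger coverage: with a short tail only a few bytes past the NUL are exposed, so whether the token is visible depends entirely on how long the attacker makes the string.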
Response from the developers
The problem was reported to the nginx and OpenResty developers. The nginx developers do not consider it a security bug in nginx, because in nginx itself there is no way to exploit the bug by injecting special characters; a fix was released on December 16. In the four months after the report OpenResty made no change, even though it was clear that a safe version of the ngx.req.set_uri() function was needed. On March 18, 2020 we published the details, and on March 21 OpenResty released a version that adds URI validation.
PortSwigger wrote a good article, taking comments from OpenResty and Nginx (although the statement that only a small piece of memory is exposed is wrong and misleading: the amount is determined by the length of the string following the null byte, and in the absence of explicit length limits it is controlled by the attacker).
So, what was the bug, and what should be done to prevent it?
Was there a bug in nginx? Yes, there was, because a memory leak is a bug regardless.
Was there a bug in OpenResty? Yes, at the very least the security of the functions OpenResty provides had not been researched or documented.
Was there a configuration/usage error with OpenResty? Yes, because in the absence of clear guidance an unverified assumption was made about the safety of the function being used.
Which of these bugs is the $10,000 security vulnerability? In our view, that is not the important question. In any software, especially when many components are combined, and especially components from different projects and developers, nobody can guarantee that every detail of their behaviour is known and documented and that there are no bugs. So a security vulnerability arises precisely at such a seam, wherever security depends on it.
In any case, it is good practice to normalize, restrict or filter the input data going to an external module/API whenever there are no clear instructions and no clear understanding that this is unnecessary.
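One way to apply that advice before handing a user-supplied path to rewrite or ngx.req.set_uri(), as an added example in C that is not from the article, nginx or OpenResty (the functions safe_rewrite_target and rewrite_target_or_null and their contract are invented here): it rejects raw control bytes, which decoded POST parameters can carry, refuses scheme-relative targets, and resolves "." and ".." so the result can never climb above the document root. That covers the traversal, null-byte and CRLF cases from the configuration examples above; the query string, if any, is passed through unchanged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article, nginx or OpenResty: a check to run
 * on a user-supplied path before it reaches `rewrite` or ngx.req.set_uri().
 * Function names and the contract are invented for this example. */

#define MAX_SEGMENTS 64

/* uri/len: candidate target; may contain embedded NUL, hence the explicit
 * length. out/cap: receives the normalized path plus any "?query" (copied
 * verbatim) as a NUL-terminated string. Returns true only if acceptable. */
bool safe_rewrite_target(const char *uri, size_t len, char *out, size_t cap)
{
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    int depth = 0;
    size_t o = 0;

    if (len == 0 || uri[0] != '/')
        return false;                    /* must be an absolute path */
    if (len >= 2 && uri[1] == '/')
        return false;                    /* "//host/..." is a scheme-relative URL */

    /* NUL, CR, LF and other control bytes: nginx never lets these through
     * in a GET parameter, but a decoded POST parameter carries them raw. */
    for (size_t k = 0; k < len; k++) {
        unsigned char c = (unsigned char)uri[k];
        if (c < 0x20 || c == 0x7f)
            return false;
    }

    const char *q = memchr(uri, '?', len);          /* query passes through unchanged */
    size_t plen = q ? (size_t)(q - uri) : len;
    bool trailing_slash = plen > 1 && uri[plen - 1] == '/';

    /* Resolve "." and ".." on a small segment stack. */
    size_t i = 1;
    while (i < plen) {
        size_t start = i;
        while (i < plen && uri[i] != '/')
            i++;
        size_t n = i - start;
        i++;                             /* step over the '/' */

        if (n == 0 || (n == 1 && uri[start] == '.'))
            continue;
        if (n == 2 && uri[start] == '.' && uri[start + 1] == '.') {
            if (depth == 0)
                return false;            /* would climb above the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return false;
        seg[depth] = uri + start;
        seglen[depth] = n;
        depth++;
    }

    /* Emit "/" + segments joined by "/" (+ trailing "/") + query. */
    if (depth == 0) {
        if (cap < 2)
            return false;
        out[o++] = '/';
    }
    for (int d = 0; d < depth; d++) {
        if (o + 1 + seglen[d] + 1 > cap)
            return false;
        out[o++] = '/';
        memcpy(out + o, seg[d], seglen[d]);
        o += seglen[d];
    }
    if (trailing_slash && depth > 0) {
        if (o + 2 > cap)
            return false;
        out[o++] = '/';
    }
    if (q) {
        size_t qlen = len - plen;
        if (o + qlen + 1 > cap)
            return false;
        memcpy(out + o, q, qlen);
        o += qlen;
    }
    out[o] = '\0';
    return true;
}

/* Convenience wrapper: normalized target, or NULL if rejected. */
const char *rewrite_target_or_null(const char *uri, size_t len)
{
    static char buf[256];
    return safe_rewrite_target(uri, len, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed inputs mirroring the article's cases. */
    const char *cases[] = { "/secret", "/../../../../../../../etc/passwd",
                            "//evil.example/", "/a/b/../c?q=1" };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        const char *r = rewrite_target_or_null(cases[k], strlen(cases[k]));
        printf("%-34s -> %s\n", cases[k], r ? r : "REJECTED");
    }
    /* An embedded NUL has to be passed with an explicit length. */
    printf("%-34s -> %s\n", "\\0asdf", rewrite_target_or_null("\0asdf", 5) ? "ok" : "REJECTED");
    return 0;
}
```

In an OpenResty deployment this check belongs inside rewrite_by_lua_block, between ngx.req.get_post_args() and ngx.req.set_uri(); the logic ports line for line to Lua. Rejecting rather than sanitizing keeps the failure visible in logs, which is what you want while the guidance from the module's authors is still missing.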
Terminology
From experience, for the defenders of linguistic purity:
bug bounty: a bug-hunting reward program
bug report: a defect notification
redirect: forwarding to another address
open source: openly available source code
bug: a defect
Source: will.com
