-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve exploit for more restrictive location regexp #1
Comments
|
Combined with XSS this could be used to get HTTPOnly cookies, such as PHP Session ID - and 1 character to spare! Can dump $_SESSION and be at 23 chars |
I can't help but ask what's modern enough then? :) |
I meant that it's simpler to use two different containers, one for nginx and other for php-fpm, and nginx doesn't actually needs to have access to the php files as it only proxies requests to php-fpm. |
This ticket was opened before we released the PoC in hope we'll discover a way to bypass the limitation before the issue is public. Obviously this is not such an interesting question anymore as the bug is long fixed by now. Closing. |
Hi how are you |
Currently, our exploit works only when Nginx config is like this:
I believe that far more popular config snippet is like this:
which allows only URLs that end with
.php
(and not just contain.php/
somewhere).Given
location ~ \.php$
, there're two further config options:try_files $uri =404
into the location section. There's nothing we can do in this case as it forbids access to non-existing files (and we need it). However, this requires php-fpm and Nginx to share their FS, and I believe many DevOps consider this not modern enough..php
. We can win in this case asfastcgi_split_path_info
is still probably here (and it doesn't matter which regexp it uses).However, to improve our exploit for case 2, we need even shorter php.ini options. We have 23 bytes currently and after adding
;.php
to every string we have only 18 left. So there's a research field.The text was updated successfully, but these errors were encountered: