Vulhub vulnerability recurrence 72_ uWSGI

One 、 CVE-2018-7490_ uWSGI PHP Directory traversal vulnerability

Preface

uWSGI Is a Web Application server , It has achieved WSGI、uwsgi and http Such agreement , And support to run various languages through plug-ins .

Vulnerability Details

uWSGI 2.0.17 Previous PHP plug-in unit , There is no right way to deal with `DOCUMENT_ROOT` testing , So that users can pass `..%2f` To cross directories , Read or run `DOCUMENT_ROOT` Files outside the directory .

Vulnerability environment

shooting range ：192.168.4.10_Ubuntu

Run flawed uWSGI The server ：

#docker-compose up -d

After completion of operation , visit `http://your-ip:8080/` You can see phpinfo Information , explain uwsgi-php The server has run successfully .

Loophole recurrence

visit `http://your-ip:8080/..%2f..%2f..%2f..%2f..%2fetc/passwd`, Successfully read file ：

Two 、 uWSGI Unauthorized access vulnerability

Preface

uWSGI Is a Web Application server , It has achieved WSGI、uwsgi and http Such agreement , And support to run various languages through plug-ins , Usually used to run Python WEB application .uwsgi In addition to the name of the application container , It and Fastcgi Something like that , It's also the front end server A communication standard with the back-end application container . at present nginx,apache Also support uwsgi The protocol forwards requests by proxy .

Vulnerability Details

uWSGI Support through magic variables （Magic Variables） Dynamically configure the backend Web application . If its port is exposed , An attacker can construct uwsgi Data packets , And specify magic variables `UWSGI_FILE`, Application `exec://` The protocol executes arbitrary commands .

Reference link ：

- https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md

- https://xz.aliyun.com/t/3512

- https://uwsgi-docs.readthedocs.io/en/latest/Vars.html

Vulnerability environment

Execute the following command to start nginx+uwsgi Environmental Science ：

#docker-compose up -d

After the environment starts , visit `http://your-ip:8080` You can view one Web application , Its uwsgi Exposure to the 8000 port .

Loophole recurrence

Use [poc.py](poc.py), Carry out orders `python poc.py -u your-ip:8000 -c "touch /tmp/success"`：

perform `docker-compose exec web bash` Into the container , so `/tmp/success` Has successfully executed ：