POC详情: 3d417fa56baa75d50815fbbce664200c7a1b58ff

来源
https://github.com/Aashay221999/CVE-2024-49368
关联漏洞
标题: Nginx UI 输入验证错误漏洞 (CVE-2024-49368)
描述:Nginx UI是Jacky个人开发者的一个 Nginx 的 WebUI。 Nginx UI 2.0.0-beta.36之前版本存在输入验证错误漏洞,该漏洞源于配置logrotate时,未验证输入,导致任意命令执行。
描述
Explorations of CVE-2024-49368 + Exploit Development
介绍
# Nginx UI Exploit Setup

This guide outlines the steps to set up Nginx UI using Docker Compose, create a user, run an exploit, and verify the results within the Docker container.

## Prerequisites
- Ensure you have Docker and Docker Compose installed on your machine.
- Familiarity with basic command-line operations.

## Installing nginx via docker

1. Download the [docker-compose.yml](docker-compose.yml)
2. Verify that your nginx.conf file has these lines. 
   **Note:** in linux (Ubuntu), this file is at /etc/nginx/nginx.conf
   ```nginx
        http {
            # ...
            include /etc/nginx/conf.d/*.conf;
            include /etc/nginx/sites-enabled/*;
        }
    ```
3. Create a local directory www in your working directory. Copy its path and change the first half of line 13 in the docker compose yaml (Just the part before the `:`). 
    ```yml
        Line 13 ~/cve_session1/nginx/www
    ```
3. Create your container by: 
    ```bash
        docker compose up -d
    ```
4. Wait a couple of minutes and check if the docker image is running:
    ```bash
        sudo docker ps
    ```
    You should see the nginx docker running. 
5. Login to the nginx UI at http://127.0.0.1:8080/#/login
6. Create an admin user accounts. Username: admin , Password: admin.
7. Then within the nginx UI create another user: Username: basic , Password: basic.
   **Note:** You can create the users with whatever names and password you want. Just make sure to update the python script
8. Run the exploit. It is fairly self-explanatory. 
9. Login to docker and check that the command injection works. 
   ``` bash
        # Get container id first
        docker ps

        # Access container shell
        docker exec -it <container-id> /bin/sh

        # Check the tmp directory
        ls -l /tmp
   ```
文件快照

 [4.0K]  /data/pocs/3d417fa56baa75d50815fbbce664200c7a1b58ff
├── [1.1K]  docker-compose.yml
├── [ 268]  Dockerfile
├── [3.6K]  exploit_bash_patched.py
├── [3.6K]  exploit_bash.py
├── [4.0K]  exploration
│   ├── [  32]  go.mod
│   └── [ 622]  program.go
├── [ 610]  nginx_modified.conf
├── [ 600]  nginx_original.conf
├── [1.8K]  README.md
├── [4.0K]  server
│   ├── [ 190]  package.json
│   └── [ 541]  server.js
└── [4.0K]  ui
    ├── [3.6K]  index.html
    ├── [ 133]  package.json
    └── [ 367]  ui-server.js

3 directories, 14 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。