CN105281963A - nginx server vulnerability detection method and device - Google Patents


Publication number: CN105281963A
Authority: CN (China)
Prior art keywords: network address, content type, nginx server, returns, request
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201410248237.1A
Other languages: Chinese (zh)
Inventors: 刘鹏, 翁家才, 黄富兴, 罗嘉飞, 何双宁, 许鑫城, 董昭, 郑兴, 张海清, 马杰, 彭贵春
Current Assignee: Tencent Technology Shenzhen Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Tencent Technology Shenzhen Co Ltd

Abstract

The invention discloses an nginx server vulnerability detection method and device. The method comprises: sending an access request for a first network address to an nginx server, and obtaining the first content type that the nginx server returns in response to the access request for the first network address; sending an access request for a second network address to the nginx server, and obtaining the second content type that the nginx server returns in response to the access request for the second network address; and determining that the nginx server has a vulnerability if the first content type and the second content type are judged to be different. The method and device solve the problem of inaccurate nginx server vulnerability detection in the prior art and thereby improve the accuracy of nginx server vulnerability detection.

Description

Vulnerability detection method and device for an nginx server
Technical field
The present invention relates to the field of server detection, and in particular to a vulnerability detection method and device for an nginx server.
Background
The prior art uses white-box testing to inspect the configuration file of an nginx server and checks whether the configuration file contains features that indicate a vulnerability; if such a feature is found, the nginx server is considered vulnerable. However, white-box testing may inspect the wrong configuration file, leading to missed detections or false detections, so the vulnerabilities of the nginx server are detected inaccurately.
No effective solution has yet been proposed for the problem of inaccurate detection of nginx server vulnerabilities in the prior art.
Summary of the invention
Embodiments of the present invention provide a vulnerability detection method and device for an nginx server, to solve the technical problem in the prior art that nginx server vulnerabilities are detected inaccurately.
According to one aspect of the embodiments of the present invention, a vulnerability detection method for an nginx server is provided. The method comprises: sending an access request for a first network address to the nginx server, and obtaining the first content type that the nginx server returns in response to the access request for the first network address; sending an access request for a second network address to the nginx server, and obtaining the second content type that the nginx server returns in response to the access request for the second network address, wherein the first network address and the second network address have the same content type; judging whether the first content type is the same as the second content type; and, if the first content type is judged to differ from the second content type, determining that the nginx server has a vulnerability.
According to another aspect of the embodiments of the present invention, a vulnerability detection device for an nginx server is also provided. The device comprises: a first request unit, for sending an access request for a first network address to the nginx server and obtaining the first content type that the nginx server returns in response to the access request for the first network address; a second request unit, for sending an access request for a second network address to the nginx server and obtaining the second content type that the nginx server returns in response to the access request for the second network address, wherein the first network address and the second network address have the same content type; a first judging unit, for judging whether the first content type is the same as the second content type; and a determining unit, for determining that the nginx server has a vulnerability when the first content type is judged to differ from the second content type.
The embodiments of the present invention provide a vulnerability detection method for an nginx server in which an access request for a first network address is sent to the nginx server and the first content type returned in response is obtained; an access request for a second network address is sent to the nginx server and the second content type returned in response is obtained, wherein the first network address and the second network address have the same content type; whether the first content type is the same as the second content type is judged; and, if they are judged to differ, the nginx server is determined to have a vulnerability. By judging the difference between the first content type and the second content type, the method achieves the purpose of detecting nginx server vulnerabilities, solves the problem of inaccurate detection of nginx server vulnerabilities in the prior art, and thereby improves the accuracy of detecting nginx server vulnerabilities.
Brief description of the drawings
The drawings described here are provided for further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description are used to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the vulnerability detection method for an nginx server according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the vulnerability detection device for an nginx server according to an embodiment of the present invention;
Fig. 3 is a flow chart of the vulnerability detection method for an nginx server according to a preferred embodiment of the present invention;
Fig. 4 is a sequence diagram of the interaction between a terminal and the nginx server according to an embodiment of the present invention; and
Fig. 5 is a structural diagram of a terminal according to an embodiment of the present invention.
Detailed description of the embodiments
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and so on in the specification, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that terms used in this way are interchangeable where appropriate, so that the embodiments of the present invention described here can be implemented in orders other than those illustrated or described. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Vulnerability introduction: nginx is a high-performance web server in wide use. It is often used as a reverse proxy and also supports running PHP very well. However, the server has a fairly serious security problem: by default, the server may wrongly parse a file of any type as PHP, so that a malicious attacker may exploit this vulnerability to run a malicious file as PHP and thereby compromise an nginx server that supports PHP.
Vulnerability analysis: by default nginx supports running PHP through CGI; for example, PHP can be handled in the configuration file as follows:
location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # SCRIPT_FILENAME is built from $fastcgi_script_name, which follows the request URI
    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    include fastcgi_params;
}
When nginx selects how to handle a request, the location block is chosen according to the Uniform Resource Identifier (URI) environment variable. The key variable SCRIPT_FILENAME passed to the back-end FastCGI is determined by $fastcgi_script_name, which nginx generates, and analysis shows that $fastcgi_script_name is directly controlled by the URI environment variable. To better support the extraction of PATH_INFO, PHP's configuration has a cgi.fix_pathinfo option, whose purpose is to extract the real script name from SCRIPT_FILENAME.
So, suppose http://www.test.com/test.jpg exists and is accessed with the following network address:
http://www.test.com/test.jpg/test.php
The URI environment variable obtained is "/test.jpg/test.php".
Through the location directive, this request is handed to the back-end FastCGI process, and nginx sets the SCRIPT_FILENAME environment variable for it, with the content:
/scripts/test.jpg/test.php
When the back-end FastCGI receives this value, it decides according to the fix_pathinfo setting whether to process SCRIPT_FILENAME further. In general, not enabling fix_pathinfo affects applications that use PATH_INFO for routing, so this option is usually enabled. With the option enabled, PHP searches for the real script file name within the value, and it does so by checking whether a file exists. SCRIPT_FILENAME and PATH_INFO are then separated as, respectively:
/scripts/test.jpg and test.php
Finally, /scripts/test.jpg is executed as the script for this request, so an attacker can make the nginx server parse a file of any type as PHP.
Visit a website whose nginx server supports PHP and append /test.php to the file name of any resource, such as robots.txt; the following difference can then be seen:
Access http://www.test.com/robots.txt
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes
Access http://www.test.com/robots.txt/test.php
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
That is, the content type when accessing http://www.sec.com/robots.txt is text/plain, while the content type when accessing http://www.sec.com/robots.txt/test.php is text/html.
Embodiment 1
According to an embodiment of the present invention, an embodiment of a method that can be used to implement the vulnerability detection method for an nginx server of this application is provided. It should be noted that the steps shown in the flow charts of the drawings can be executed in a computer system, such as one running a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.
According to an embodiment of the present invention, a vulnerability detection method for an nginx server is provided. As shown in Fig. 1, the method comprises the following steps:
Step S102: send an access request for a first network address to the nginx server, and obtain the first content type that the nginx server returns in response to the access request for the first network address.
An access request for the first network address is sent to the nginx server. After the server receives the request, it responds to it, and the first content type returned by the nginx server is obtained. This first content type is the content type obtained by resolving the first network address.
Accessing different web pages through the first network address returns different content types. For example, if the first network address accesses a picture file, the returned content type is image/jpeg; if it accesses a txt file, the returned content type is text/plain. Therefore, after the access request for the first network address is sent to the server, the first content type can be received from the server; this first content type is the content type for the first network address that was sent.
Step S104: send an access request for a second network address to the nginx server, and obtain the second content type that the nginx server returns in response to the access request for the second network address, wherein the first network address and the second network address have the same content type.
After the access request for the second network address is sent to the nginx server, the second content type that the nginx server returns in response is obtained; the second content type is the content type of the file accessed through the second network address. The content type of the first network address is the same as that of the second network address; that is, after the first network address and the second network address are each sent to the nginx server, the content type that the nginx server returns for the first network address should be the same as the one it returns for the second network address.
Step S106: judge whether the first content type is the same as the second content type.
Because the nginx server has a parsing vulnerability, an error can occur when SCRIPT_FILENAME is parsed, so that the wrong script name is extracted. The content types returned for the first network address and the second network address are determined by the script names extracted when responding to them. Therefore, by comparing the content types it can be judged whether the extracted script name is wrong, and hence whether the server has the vulnerability.
Step S108: if the first content type is judged to differ from the second content type, determine that the nginx server has a vulnerability.
When the nginx server is vulnerable, the extracted script name is wrong, so the first network address and the second network address, which should return the same content type, return a first content type and a second content type that differ. Therefore, when the first content type and the second content type are judged to be different, it is determined that the nginx server has a vulnerability.
In the above embodiment, a first network address and a second network address with the same content type are each sent to the server, and the first content type and second content type returned by the nginx server are obtained. Because a vulnerable nginx server extracts the wrong script name and therefore returns different content types, whether the nginx server is vulnerable is judged by whether the first content type and the second content type are the same: when they differ, the nginx server is determined to have a vulnerability. This detection method relies on the fact that a vulnerable nginx server returns a wrong content type, and determines the vulnerability by comparing content types, which improves the accuracy of nginx server vulnerability detection.
Preferably, to ensure that a difference between the first content type and the second content type reliably indicates that the nginx server is vulnerable, before the request to access the second network address is sent to the nginx server, the detection method further comprises:
Obtaining the first network address, wherein the content type returned by the nginx server is consistent across repeated requests to access the first network address.
To use a difference between the first and second content types, given that the first and second network addresses have the same content type, as the basis for judging that the nginx server is vulnerable, the content type returned must be the same each time the first network address is requested from the nginx server. Only then can a difference between the first content type and the second content type be relied on to determine that a vulnerability exists. Network addresses whose returned content type is consistent across repeated accesses are resource-type network addresses, such as the network address of a picture file, a JS file, a css file or a text file. The content type returned for a picture file is image/jpeg, for a JS file text/javascript, for a css file text/css, and for a text file text/plain.
For example, the first network address may be www.abcedfg.com/abcd.jpg.
Obtaining the identifier of an added file, wherein the file type of the added file differs from the file type accessed through the first network address, and the added file is a file that does not exist in the web page corresponding to the first network address.
Adding the identifier of the file to the first network address to obtain the second network address.
So that the content type returned by the nginx server can be distinguished as belonging to the first network address or to the second network address, the file type of the added file differs from the file type accessed through the first network address; the second network address is obtained by appending the identifier of this added file to the first network address. To prevent the second network address from reaching a real file, which would cause a misjudgment when the returned content type is used to decide whether the nginx server is vulnerable, the added file is a file that does not exist in the web page corresponding to the first network address. That is, when the nginx server has no vulnerability and the access requests for the first and second network addresses are sent, the content types returned by the nginx server are the same.
For example, if the first network address is www.abcedfg.com/abcd.txt and the added file identifier is dfg.php, the second network address is www.abcedfg.com/abcd.txt/dfg.php. Because dfg.php is a file that does not exist and is only a file identifier, the SCRIPT_FILENAME values extracted for the first and second network addresses are /scripts/abcd.txt and /scripts/abcd.txt/dfg.php respectively. The content types that the nginx server returns for these extracted SCRIPT_FILENAME values are therefore text/plain and text/html respectively; that is, the content types for the first and second network addresses differ, and the nginx server is judged to be vulnerable.
In the above embodiment, the identifier of a file that has a different file type and does not exist in the web page corresponding to the first network address is added to the first network address, which ensures that the second network address obtained after adding the file identifier has the same content type as the first network address. A difference between the content types returned by the nginx server can then be used to determine that the nginx server is vulnerable, which ensures the accuracy of detecting nginx server vulnerabilities.
Preferably, to improve the efficiency of vulnerability detection while also improving its accuracy, before the first content type returned by the nginx server in response to the first network address is obtained, the detection method further comprises: checking the status code returned by the nginx server, and judging from the status code whether the request to access the first network address succeeded. If the request succeeded, the first content type returned by the nginx server in response to the access request for the first network address is obtained; if the request did not succeed, the detection ends.
Usually, after a server receives an access request, it first returns a status code (HTTP status code) to tell the visitor whether the access succeeded. If the returned status code indicates success, the nginx server responds to the access request; if the status code indicates an error, detection does not continue.
Common status codes include:
200: the server returned the web page successfully;
404: the requested web page does not exist;
503: the service is unavailable.
In this embodiment, if the returned status code is 200, the server has returned the web page successfully. After the request succeeds, the first content type returned by the nginx server in response to the access request for the first network address is obtained; if the request to access the first network address does not succeed, the detection ends.
The first content type is obtained after the nginx server returns status code 200. If status code 200, which indicates a successful request, is not returned, vulnerability detection ends: because the server has not returned a status code indicating success, the nginx server may be in an abnormal state, and continuing the detection could produce a wrong result.
Preferably, to improve the efficiency of vulnerability detection while also improving its accuracy, after the first content type returned by the nginx server in response to the first network address is obtained, the detection method further comprises:
Judging whether the first content type returned by the nginx server is consistent with the content type of the first network address.
If the first content type is consistent with the content type corresponding to the first network address, requesting access to the second network address.
If the content type returned by the nginx server is inconsistent with the content type of the web page corresponding to the first network address, ending the detection.
If the first content type returned by the nginx server is consistent with the content type of the first network address, the nginx server is determined to be running normally, without errors. Only when vulnerability detection is carried out while the nginx server is in a normal state can the detection result be guaranteed to be correct. Therefore, when the first content type returned by the nginx server is consistent with the content type of the first network address, access to the second network address is requested; if they are inconsistent, the nginx server is determined to be abnormal and detection does not continue.
Carrying out vulnerability detection only when the nginx server is running normally ensures that the detection result correctly reflects whether the nginx server is vulnerable. Therefore, based on the mechanism by which the nginx server vulnerability arises, the detection method of this embodiment can judge not only whether the nginx server is vulnerable but also whether the detection environment can guarantee a correct result, which improves the accuracy of nginx server vulnerability detection.
Once it is determined that the first content type is to be obtained, the first content type that the nginx server returns in response to the first network address is obtained as follows: capture the data packet that the nginx server returns for the first network address; parse the data packet to obtain the HTTP response header; look up the content type field in the HTTP response header; and read the first content type from the HTTP response header according to the content type field.
The data packet returned by the nginx server for the first network address is captured; the first content type returned by the nginx server is stored in this packet. Parsing the packet yields the HTTP response header, in which the content type field is looked up and the first content type is read from that field.
For example, the content type field is looked up in the HTTP response header by searching for the "Content-Type" field in the following:
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes
After the Content-Type field is found in the above, the content type read from this field is "text/plain"; the "text/plain" that was read is the first content type.
Similarly, the second content type is obtained by capturing the data packet that the nginx server returns for the second network address, parsing the packet to obtain the HTTP response header, looking up the content type field in the HTTP response header, and reading the second content type according to that field. That is, the method of reading the second content type is the same as the method of reading the first content type and is not repeated here.
The flow of the vulnerability detection method for an nginx server according to a preferred embodiment of the present invention is described below with reference to Fig. 3. The method comprises the following steps:
Step S201: input the network address of a php file, that is, obtain the first network address.
Step S202: send an access request for the network address of the php file, that is, send the access request for the first network address to the nginx server.
Step S203: is the HTTP code 200? That is, judge whether the status code returned by the nginx server is 200. If it is 200, the request to access the php file succeeded and step S204 is performed; otherwise step S208 is performed and the detection ends.
Step S204: is the returned type text/html? The content type returned for accessing a php file should be text/html. If the returned content type is judged to be the same as the content type of the php file, step S205 is performed; otherwise step S208 is performed and the detection ends.
Step S205: add the file identifier and send the request again, that is, send the second network address to the nginx server.
Step S206: judge whether the returned type is consistent with the previous one. If it is consistent, step S207 is performed; if it is inconsistent, step S209 is performed. That is, judge whether the content type returned for the second network address is the same as the content type of the first network address, namely whether the content type returned for the second network address is text/html. If it is text/html, it is determined that the nginx server has no vulnerability; otherwise step S209 is performed and it is determined that the nginx server has a vulnerability.
Step S207: no vulnerability exists.
Step S209: a vulnerability exists.
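The following is an added example, not part of the patent text: the Embodiment 1 check (status code 200, consistent first content type for a resource-type address, appended identifier of a nonexistent file, content-type comparison) written in Python and run against constructed canned responses instead of a live server. The function names, the marker file name and the treatment of a 404 reply to the second address are assumptions introduced here.

```python
from urllib.parse import urlsplit, urlunsplit

# Content types the text lists for resource-type addresses (first address candidates).
EXPECTED_TYPES = {".jpg": "image/jpeg", ".js": "text/javascript",
                  ".css": "text/css", ".txt": "text/plain"}


def parse_response_head(raw):
    """Return (status_code, content_type) parsed from raw HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    content_type = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            # Compare media types only: drop parameters such as "; charset=utf-8".
            content_type = value.split(";", 1)[0].strip().lower()
            break
    return int(parts[1]), content_type


def expected_type(url):
    """Content type the first address should return, or None if it is not listed."""
    path = urlsplit(url).path.lower()
    return next((t for ext, t in EXPECTED_TYPES.items() if path.endswith(ext)), None)


def build_second_url(first_url, marker="no-such-file-7f3a.php"):
    """Append the identifier of a file that does not exist (hypothetical name)."""
    p = urlsplit(first_url)
    return urlunsplit((p.scheme, p.netloc, p.path + "/" + marker, "", ""))


def check_server(first_url, fetch, repeats=3):
    """Run the two-request check; fetch(url) must return raw response bytes.

    Returns (verdict, reason) with verdict one of
    "vulnerable", "not_detected" or "inconclusive".
    """
    want = expected_type(first_url)
    if want is None:
        return "inconclusive", "first URL is not a listed static resource type"
    for _ in range(repeats):  # the first address must answer consistently
        status, first_type = parse_response_head(fetch(first_url))
        if status != 200:
            return "inconclusive", "first URL returned status %d" % status
        if first_type != want:
            return "inconclusive", "first URL returned %s, expected %s" % (first_type, want)
    status, second_type = parse_response_head(fetch(build_second_url(first_url)))
    if status == 404:
        # Assumption added here: a 404 error page carries its own content type,
        # so it is not compared against the first content type.
        return "not_detected", "second URL was not served (404)"
    if status != 200:
        return "inconclusive", "second URL returned status %d" % status
    if second_type != first_type:
        return "vulnerable", "%s became %s" % (first_type, second_type)
    return "not_detected", "content type unchanged (%s)" % first_type


def canned(status_line, ctype):
    """Build a constructed raw response with the given status line and type."""
    head = "HTTP/1.1 %s\r\nServer: nginx\r\nContent-Type: %s\r\n\r\n" % (status_line, ctype)
    return head.encode("ascii")


def make_fetch(responses):
    """Constructed stand-in for a network client: first matching path suffix wins."""
    def fetch(url):
        path = urlsplit(url).path
        for suffix, raw in responses:
            if path.endswith(suffix):
                return raw
        return canned("404 Not Found", "text/html")
    return fetch


SAMPLE_URL = "http://www.test.com/robots.txt"
# Constructed sample servers (not captured traffic).
VULNERABLE = make_fetch([(".php", canned("200 OK", "text/html")),
                         ("robots.txt", canned("200 OK", "text/plain"))])
HARDENED = make_fetch([("robots.txt", canned("200 OK", "text/plain; charset=utf-8"))])
BROKEN = make_fetch([("robots.txt", canned("503 Service Unavailable", "text/html"))])

if __name__ == "__main__":
    for name, server in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("broken", BROKEN)):
        print(name, check_server(SAMPLE_URL, server))
```

To run it against a server you administer, pass a `fetch` callable that returns the raw response bytes for a URL.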
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the order of actions described, because according to the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
Embodiment 2
According to the embodiment of the present invention, additionally provide a kind of device for implementing nginx server Hole Detection.The Hole Detection device that the leak detection method of the embodiment of the present invention can be provided by the embodiment of the present invention performs, and the Hole Detection device of the embodiment of the present invention also may be used for performing the leak detection method that the embodiment of the present invention provides.
As shown in Figure 2, the device comprises a first request unit 20, a second request unit 40, a first judging unit 60 and a determining unit 80.
The first request unit 20 is configured to send an access request for the first network address to the nginx server, and to obtain the first content type that the nginx server returns in response to the access request for the first network address.
An access request for the first network address is sent to the nginx server. After receiving it, the server responds to the request, and the first content type returned by the nginx server is obtained. This first content type is the content type obtained by parsing the first network address.
Accessing different resources through the first network address returns different content types. For example, if a picture file is accessed through the first network address, the returned content type is image/jpeg; if a txt file is accessed through the first network address, the returned content type is text/plain. Therefore, after the access request for the first network address is sent to the server, the first content type can be received from the server, and this first content type is the content type for the first network address that was sent.
The second request unit 40 is configured to send an access request for the second network address to the nginx server, and to obtain the second content type that the nginx server returns in response to the access request for the second network address, where the first network address and the second network address have the same content type.
After the access request for the second network address is sent to the nginx server, the second content type returned by the nginx server in response is obtained. The second content type is the content type of the file accessed through the second network address. The content type of the first network address is the same as the content type of the second network address; that is, after the first network address and the second network address are each sent to the nginx server, the content type the nginx server returns for the first network address should be the same as the one it returns for the second network address.
The first judging unit 60 is configured to judge whether the first content type is the same as the second content type.
Because the nginx server has a parsing vulnerability, it can make an error when parsing SCRIPT_FILENAME, so that the extracted script name is wrong. The content types returned for the first network address and the second network address are determined by the script names extracted when responding to each of them. Therefore, comparing the content types shows whether the extracted script name is wrong, and hence whether the server has the vulnerability.
The determining unit 80 is configured to determine that the nginx server has the vulnerability when the first content type and the second content type are judged to be different.
When the nginx server has the vulnerability, the extracted script name is wrong, so the first content type and the second content type returned for the first network address and the second network address, which should return the same content type, are different. Therefore, when the first content type and the second content type are judged to be different, it is determined that the nginx server has the vulnerability.
In the above embodiment, a first network address and a second network address with the same content type are each sent to the server, and the first content type and the second content type returned by the nginx server are obtained. Because a vulnerable nginx server can extract a wrong script name and so return different content types, whether the nginx server has the vulnerability is judged by checking whether the first content type and the second content type are the same: when the returned first content type and second content type are different, the nginx server is determined to have the vulnerability. This detection method relies on the wrong content type that a vulnerable nginx server returns, and determines the vulnerability by comparing content types, which improves the accuracy of nginx server vulnerability detection.
Preferably, to ensure that a difference between the first content type and the second content type reliably shows that the nginx server has the vulnerability, the vulnerability detection device further comprises a first acquiring unit, a second acquiring unit and an adding unit.
The first acquiring unit is configured to obtain the first network address before the access request for the second network address is sent to the nginx server, where the content type returned by the nginx server is consistent across repeated requests for the first network address.
To conclude that the nginx server has the vulnerability from the first content type differing from the second content type, given that the first network address and the second network address have the same content type, the content type returned by the nginx server must be the same each time the first network address is requested. Only then does a difference between the first content type and the second content type reliably show that the server has the vulnerability. Network addresses whose returned content type is consistent across repeated accesses are resource-type network addresses, such as the network address of a picture file, of a JS file, of a css file or of a text file. The content type returned for the network address of a picture file is image/jpeg, for a JS file it is text/javascript, for a css file it is text/css, and for a text file it is text/plain.
An example of a first network address is www.abcedfg.com/abcd.jpg.
The second acquiring unit is configured to obtain the identifier of an added file, where the file type of the added file is different from the file type accessed through the first network address, and the added file is a file that does not exist in the web page corresponding to the first network address.
The adding unit is configured to add the identifier of the added file to the first network address to obtain the second network address.
To distinguish whether a content type returned by the nginx server belongs to the first network address or to the second network address, the file type of the added file is different from the file type accessed through the first network address. After the identifier of the added file is appended to the first network address, the second network address is obtained. To prevent the second network address from reaching a real file, which would lead to a false determination when the returned content type is used to judge the nginx server, the added file is a file that does not exist in the web page corresponding to the first network address. That is, when the nginx server does not have the vulnerability and the access requests for the first network address and the second network address are sent, the content types returned by the nginx server are the same.
For example, the first network address is www.abcedfg.com/abcd.txt and the added file identifier is dfg.php, so the second network address is www.abcedfg.com/abcd.txt/dfg.php. Because dfg.php is a non-existent file and only a file identifier, the SCRIPT_FILENAME values extracted for the first network address and the second network address are /scripts/abcd.txt and /scripts/abcd.txt/dfg.php respectively. The content types the nginx server returns for the extracted SCRIPT_FILENAME values are therefore text/plain and text/html respectively; that is, the content types of the first network address and the second network address differ, and the nginx server is judged to have the vulnerability.
In the above embodiment, the identifier of a file that has a different file type and does not exist in the web page corresponding to the first network address is added to the first network address, which ensures that the second network address obtained after adding the identifier has the same content type as the first network address. A difference in the content types returned by the nginx server therefore shows that the nginx server has the vulnerability, which ensures the accuracy of the detection.
Preferably, to improve the efficiency of vulnerability detection while maintaining its accuracy, the vulnerability detection device further comprises: a checking unit, configured to check the status code returned by the nginx server before the first content type returned by the nginx server in response to the first network address is obtained; and a second judging unit, configured to judge from the status code whether the request to access the first network address succeeded. If the request to access the first network address succeeded, the first content type returned by the nginx server in response to the access request for the first network address is obtained; if the request did not succeed, detection ends.
Usually, after a server receives an access request, it first returns a status code (HTTP status code) that tells the visitor whether the access succeeded. If the returned status code indicates success, the nginx server responds to the access request; if the status code indicates an error, detection does not continue.
Common status codes include:
200 - the server successfully returned the web page;
404 - the requested web page does not exist;
503 - the service is unavailable.
In this embodiment, if the returned status code is 200, the server has successfully returned the web page. After the request succeeds, the first content type returned by the nginx server in response to the access request for the first network address is obtained. If the request to access the first network address does not succeed, detection ends.
The first content type is obtained after the nginx server returns status code 200. If the server does not return status code 200 to indicate that the request succeeded, vulnerability detection ends: because the server did not return a success status code, the nginx server may be in an abnormal state, and continuing the detection could produce an erroneous result.
Preferably, to improve the efficiency of vulnerability detection while maintaining its accuracy, the vulnerability detection device further comprises:
A third judging unit, configured to judge, after the first content type returned by the nginx server in response to the first network address is obtained, whether the first content type returned by the nginx server is consistent with the content type of the first network address.
A third request unit, configured to request access to the second network address when the first content type is consistent with the content type corresponding to the first network address.
A first ending unit, configured to end detection when the content type returned by the nginx server is inconsistent with the content type of the web page corresponding to the first network address.
If the first content type returned by the nginx server is consistent with the content type of the first network address, the nginx server is determined to be running normally and without error. Only detection carried out while the nginx server is in a normal state can guarantee a correct result. Therefore, when the first content type returned by the nginx server is consistent with the content type of the first network address, the second network address is requested; if the first content type returned by the nginx server is inconsistent with the content type of the first network address, the nginx server is determined to be abnormal and detection does not continue.
Vulnerability detection is carried out only when the nginx server is known to be running normally, which ensures that the detection result correctly reflects whether the nginx server has the vulnerability. Working from the mechanism that produces the vulnerability, the detection method of this embodiment can therefore judge not only whether the nginx server has the vulnerability but also whether the detection environment can guarantee a correct result, which improves the accuracy of nginx server vulnerability detection.
Once it is determined that the first content type is to be obtained, the first request unit obtains the first content type returned by the nginx server in response to the first network address through the following modules: a capturing module, configured to capture the data packet returned by the nginx server for the first network address; a parsing module, configured to parse the data packet and obtain the HTTP response header; a searching module, configured to find the content type field in the HTTP response header; and a reading module, configured to read the first content type in the HTTP response header according to the content type field.
The data packet returned by the nginx server for the first network address is captured. The first content type returned by the nginx server is stored in this data packet. Parsing the data packet yields the HTTP response header; the content type field is then found in the HTTP response header, and the first content type is read from that field.
For example, to find the content type field in the HTTP response header, search for the "Content-Type" field in the following content.
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes
After the Content-Type field is found in the above content, the content type read from this field is "text/plain", and this "text/plain" is the first content type.
Likewise, the second content type is obtained by capturing the data packet that the nginx server returns for the second network address, parsing the data packet to obtain the HTTP response header, finding the content type field in the HTTP response header, and reading the second content type according to the content type field. That is, the method of reading the second content type is the same as the method of reading the first content type and is not repeated here.
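The detection flow of this embodiment (status-code check, baseline content-type check, appending the identifier of a non-existent file, reading Content-Type from the response header, comparing the two types), as an added Python example that is not part of the patent. The host nginx.example.test, the function names and the `fetch` callable are assumptions, and the raw responses are constructed so that the example runs offline.

```python
# Added example (not from the patent): the two-request Content-Type comparison, run offline.
import os
from urllib.parse import urlsplit, urlunsplit

# Extension -> content type pairs taken from the description's own list.
EXPECTED_TYPES = {
    ".jpg": "image/jpeg",
    ".js": "text/javascript",
    ".css": "text/css",
    ".txt": "text/plain",
}


def parse_response_head(raw: bytes):
    """Return (status_code, content_type) parsed from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    content_type = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            # Compare media types only: drop parameters such as "; charset=utf-8".
            content_type = value.split(";", 1)[0].strip().lower()
            break
    return int(parts[1]), content_type


def build_second_url(first_url: str, marker: str) -> str:
    """Append the identifier of a non-existent file of a different type."""
    parts = urlsplit(first_url)
    first_ext = os.path.splitext(parts.path)[1].lower()
    marker_ext = os.path.splitext(marker)[1].lower()
    if not marker_ext or marker_ext == first_ext:
        raise ValueError("marker must name a file type different from the first URL's")
    return urlunsplit(parts._replace(path=parts.path.rstrip("/") + "/" + marker))


def check_server(first_url: str, marker: str, fetch):
    """Run the check. fetch(url) is a caller-supplied (hypothetical) callable
    returning raw response bytes.

    Returns (verdict, first_type, second_type, second_status).
    """
    status1, type1 = parse_response_head(fetch(first_url))
    if status1 != 200:
        return ("aborted: first request did not succeed", type1, None, None)
    ext = os.path.splitext(urlsplit(first_url).path)[1].lower()
    expected = EXPECTED_TYPES.get(ext)
    if expected is None or type1 != expected:
        return ("aborted: baseline content type unexpected", type1, None, None)
    status2, type2 = parse_response_head(fetch(build_second_url(first_url, marker)))
    # Assumption: the description applies the status-code check to the first
    # request only, so the second status is returned for the operator to
    # review and does not affect the verdict.
    verdict = "vulnerable" if type2 != type1 else "not vulnerable"
    return (verdict, type1, type2, status2)


def make_response(status_line: str, content_type: str, body: bytes = b"") -> bytes:
    """Build a constructed raw response shaped like the header sample above."""
    head = [status_line, "Server: nginx/0.6.32", "Content-Type: " + content_type,
            "Content-Length: %d" % len(body), "Connection: keep-alive"]
    return "\r\n".join(head).encode("ascii") + b"\r\n\r\n" + body


# Constructed test data: host is a placeholder, file names follow the description.
FIRST_URL = "http://nginx.example.test/abcd.txt"
SECOND_URL = FIRST_URL + "/dfg.php"
BASELINE = make_response("HTTP/1.1 200 OK", "text/plain", b"constructed body\n")
VULNERABLE_SERVER = {FIRST_URL: BASELINE,
                     SECOND_URL: make_response("HTTP/1.1 200 OK", "text/html")}
CONSISTENT_SERVER = {FIRST_URL: BASELINE,
                     SECOND_URL: make_response("HTTP/1.1 200 OK", "text/plain")}
DOWN_SERVER = {FIRST_URL: make_response("HTTP/1.1 503 Service Unavailable", "text/html")}

if __name__ == "__main__":
    for label, server in (("vulnerable", VULNERABLE_SERVER),
                          ("consistent", CONSISTENT_SERVER),
                          ("down", DOWN_SERVER)):
        print(label, check_server(FIRST_URL, "dfg.php", server.__getitem__))
```

To run it against a server you operate, pass a `fetch` that returns the raw response bytes for a URL in place of the dictionary lookups.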
Embodiment 3
According to an embodiment of the present invention, a system is also provided. The system comprises a terminal 100 and an nginx server 300. Fig. 4 is a sequence diagram of the interaction between the terminal and the nginx server according to the embodiment of the present invention.
As shown in the figure, the terminal 100 sends an access request for the first network address to the nginx server 300 and obtains the first content type returned by the nginx server 300. The terminal 100 then sends an access request for the second network address to the nginx server 300 and obtains the second content type returned by the nginx server 300.
After the first content type and the second content type are obtained, it is judged whether the first content type is the same as the second content type. If they are different, the nginx server 300 is determined to have the vulnerability.
The terminal 100 in this system comprises a processor 1001, a memory 1002 and an input unit 1003, as shown in Fig. 5. Fig. 5 is a structural diagram of a terminal disclosed in the embodiment of the present invention.
The terminal device shown in Fig. 5 may be a PC, a smartphone (such as an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile Internet device (Mobile Internet Devices, MID), a PAD or a similar terminal device. As shown in Fig. 5, the terminal device may comprise:
A processor 1001, and a memory 1002 and an input unit 1003 connected to the processor 1001. The first network address can be obtained through the input unit 1003 and stored in the memory 1002. After the first network address is obtained, the processor 1001 sends an access request for the first network address to the nginx server 300 and stores the first content type returned by the nginx server 300 in the memory 1002. The processor 1001 then generates the second network address from the first network address and the identifier of the added file obtained from the input unit 1003, sends an access request for the second network address to the nginx server 300, and stores the second content type returned by the nginx server 300 in the memory 1002.
The processor 1001 judges whether the first content type and the second content type stored in the memory 1002 are the same. If they are judged to be different, the nginx server is determined to have the vulnerability.
Before sending the access request for the second network address to the nginx server, the processor 1001 obtains the first network address through the input unit 1003, where the content type returned by the nginx server is consistent across repeated requests for the first network address. The processor 1001 obtains the identifier of the added file, where the file type of the added file is different from the file type accessed through the first network address, and the added file is a file that does not exist in the web page corresponding to the first network address. The processor 1001 adds the identifier of the added file to the first network address to obtain the second network address.
Before obtaining the first content type returned by the nginx server in response to the first network address, the processor 1001 checks the status code returned by the nginx server and judges from the status code whether the request to access the first network address succeeded.
If the request to access the first network address succeeded, the first content type returned by the nginx server in response to the access request for the first network address is obtained; if the request did not succeed, detection ends.
After obtaining the first content type returned by the nginx server in response to the first network address, the processor 1001 judges whether the first content type returned by the nginx server and stored in the memory 1002 is consistent with the content type of the first network address. If the first content type is consistent with the content type corresponding to the first network address, the second network address is requested. If the content type returned by the nginx server is inconsistent with the content type of the web page corresponding to the first network address, detection ends.
The first content type returned by the nginx server in response to the first network address is obtained as follows. The data packet returned by the nginx server for the first network address is captured.
The processor 1001 parses the data packet to obtain the HTTP response header, finds the content type field in the HTTP response header, and reads the first content type in the HTTP response header according to the content type field.
With the terminal of this embodiment, requests for the first network address and the second network address can each be sent to the nginx server, and the first content type and the second content type returned by the nginx server are saved. When the first content type and the second content type are judged to be different, the nginx server is determined to have the vulnerability.
Embodiment 4
According to an embodiment of the present invention, a storage medium is also provided. Optionally, in this embodiment, the storage medium may be used to store the program code for performing each step of the nginx server vulnerability detection of the embodiment of the present invention.
Optionally, in this embodiment, the storage medium may be located in a mobile terminal device or a computer.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
Step S1: send an access request for the first network address to the nginx server, and obtain the first content type returned by the nginx server in response to the access request for the first network address.
Step S2: send an access request for the second network address to the nginx server, and obtain the second content type returned by the nginx server in response to the access request for the second network address, where the first network address and the second network address have the same content type.
Step S3: judge whether the first content type is the same as the second content type.
Step S4: if the first content type and the second content type are judged to be different, determine that the nginx server has the vulnerability.
Optionally, in this embodiment, the storage medium may include but is not limited to: a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
Optionally, in this embodiment, the processor performs the following according to the program code stored in the storage medium: obtain the first network address, where the content type returned by the nginx server is consistent across repeated requests for the first network address; obtain the identifier of the added file, where the file type of the added file is different from the file type accessed through the first network address, and the added file is a file that does not exist in the web page corresponding to the first network address; and add the identifier of the added file to the first network address to obtain the second network address.
Optionally, in this embodiment, the processor performs the following according to the program code stored in the storage medium: before obtaining the first content type returned by the nginx server in response to the first network address, check the status code returned by the nginx server; and judge from the status code whether the request to access the first network address succeeded, where, if the request succeeded, the first content type returned by the nginx server in response to the access request for the first network address is obtained, and if the request did not succeed, detection ends.
Optionally, in this embodiment, the processor performs the following according to the program code stored in the storage medium: after the first content type returned by the nginx server in response to the first network address is obtained, the vulnerability detection method further comprises judging whether the first content type returned by the nginx server is consistent with the content type of the first network address; if the first content type is consistent with the content type corresponding to the first network address, requesting access to the second network address; and if the content type returned by the nginx server is inconsistent with the content type of the web page corresponding to the first network address, ending detection.
Optionally, in this embodiment, the processor performs the following according to the program code stored in the storage medium: capture the data packet returned by the nginx server for the first network address; parse the data packet to obtain the HTTP response header; find the content type field in the HTTP response header; and read the first content type in the HTTP response header according to the content type field.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed terminal may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection between units or modules may be electrical or take another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, an optical disc, or any other medium that can store program code.
The above is only the preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A vulnerability detection method for an nginx server, characterized by comprising:
sending an access request for a first network address to the nginx server, and obtaining a first content type returned by said nginx server in response to the access request for said first network address;
sending an access request for a second network address to said nginx server, and obtaining a second content type returned by said nginx server in response to the access request for said second network address, wherein said first network address and said second network address have the same content type;
judging whether said first content type is the same as said second content type; and
if said first content type and said second content type are judged to be different, determining that said nginx server has a vulnerability.
2. The vulnerability detection method according to claim 1, characterized in that, before the access request for the second network address is sent to said nginx server, said vulnerability detection method further comprises:
obtaining the first network address, wherein the content type returned by said nginx server is consistent across repeated requests for said first network address;
obtaining an identifier of an added file, wherein the file type of said added file is different from the file type accessed through said first network address, and said added file is a file that does not exist in the web page corresponding to said first network address; and
adding the identifier of said added file to said first network address to obtain said second network address.
3. The vulnerability detection method according to claim 1, characterized in that, before the first content type returned by the nginx server in response to the first network address is obtained, said vulnerability detection method further comprises:
checking the status code returned by said nginx server; and
judging from said status code whether the request to access said first network address succeeded,
wherein, if the request to access said first network address succeeded, the first content type returned by said nginx server in response to the access request for said first network address is obtained, and if the request to access said first network address did not succeed, detection ends.
4. The vulnerability detection method according to claim 1, characterized in that, after the first content type returned by the nginx server in response to the first network address is obtained, said vulnerability detection method further comprises:
judging whether the first content type returned by said nginx server is consistent with the content type of said first network address;
if said first content type is consistent with the content type corresponding to said first network address, requesting access to said second network address;
if the content type returned by said nginx server is inconsistent with the content type of the web page corresponding to said first network address, ending detection.
5. The vulnerability detection method according to claim 1, characterized in that obtaining the first content type returned by the nginx server in response to the first network address comprises:
capturing the data packet returned by said nginx server for said first network address;
parsing said data packet to obtain an HTTP response header;
finding the content type field in said HTTP response header; and
reading said first content type in said HTTP response header according to said content type field.
6. A vulnerability detection device for an nginx server, characterized by comprising:
a first request unit, configured to send an access request for a first network address to the nginx server, and to obtain a first content type returned by said nginx server in response to the access request for said first network address;
a second request unit, configured to send an access request for a second network address to said nginx server, and to obtain a second content type returned by said nginx server in response to the access request for said second network address, wherein said first network address and said second network address have the same content type;
a first judging unit, configured to judge whether said first content type is the same as said second content type; and
a determining unit, configured to determine that said nginx server has a vulnerability when said first content type and said second content type are judged to be different.
7. The vulnerability detection device according to claim 6, characterized in that said vulnerability detection device further comprises:
a first acquiring unit, configured to obtain the first network address before the access request for the second network address is sent to said nginx server, wherein the content type returned by said nginx server is consistent across repeated requests for said first network address;
a second acquiring unit, configured to obtain an identifier of an added file, wherein the file type of said added file is different from the file type accessed through said first network address, and said added file is a file that does not exist in the web page corresponding to said first network address; and
an adding unit, configured to add the identifier of said added file to said first network address to obtain said second network address.
8. The vulnerability detection device according to claim 6, characterized in that said vulnerability detection device further comprises:
a checking unit, configured to check the status code returned by said nginx server before the first content type returned by the nginx server in response to the first network address is obtained; and
a second judging unit, configured to judge from said status code whether the request to access said first network address succeeded,
wherein, if the request to access said first network address succeeded, the first content type returned by said nginx server in response to the access request for said first network address is obtained, and if the request to access said first network address did not succeed, detection ends.
9. The vulnerability detection device according to claim 6, characterized in that said vulnerability detection device further comprises:
a third judging unit, configured to judge, after the first content type returned by the nginx server in response to the first network address is obtained, whether the first content type returned by said nginx server is consistent with the content type of said first network address;
a third request unit, configured to request access to said second network address when said first content type is consistent with the content type corresponding to said first network address;
a first ending unit, configured to end detection when the content type returned by said nginx server is inconsistent with the content type of the web page corresponding to said first network address.
10. The vulnerability detection device according to claim 6, characterized in that said first request unit comprises:
a capturing module, configured to capture the data packet returned by said nginx server for said first network address;
a parsing module, configured to parse said data packet to obtain an HTTP response header;
a searching module, configured to find the content type field in said HTTP response header; and
a reading module, configured to read said first content type in said HTTP response header according to said content type field.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410248237.1A CN105281963A (en) 2014-06-05 2014-06-05 nginx server vulnerability detection method and device

Publications (1)

Publication Number Publication Date
CN105281963A true CN105281963A (en) 2016-01-27

Family

ID=55150335

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410248237.1A Pending CN105281963A (en) 2014-06-05 2014-06-05 nginx server vulnerability detection method and device

Country Status (1)

Country Link
CN (1) CN105281963A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100185724A1 (en) * 2007-06-27 2010-07-22 Kumiko Ishii Check system, information providing system, and computer-readable information recording medium containing a program
US20140033308A1 (en) * 2008-04-10 2014-01-30 David G. Sawyer Data driven system for responding to security vulnerability

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
VPS侦探: "nginx file type mis-parsing vulnerability", 《VPS侦探》 *
红黑联盟: "nginx file type mis-parsing vulnerability", 《红黑联盟》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667687A (en) * 2018-04-17 2018-10-16 四川长虹电器股份有限公司 A kind of WAF test methods based on Nginx
CN108769070A (en) * 2018-06-30 2018-11-06 平安科技(深圳)有限公司 One kind is gone beyond one's commission leak detection method and device
CN113839957A (en) * 2021-09-29 2021-12-24 杭州迪普科技股份有限公司 Unauthorized vulnerability detection method and device
CN113839957B (en) * 2021-09-29 2024-02-09 杭州迪普科技股份有限公司 Unauthorized vulnerability detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160127