nginx 0.6.x Arbitrary Code Execution NullByte Injection Vulnerability

ID 1337DAY-ID-20674
Type zdt
Reporter Neal Poole
Modified 2013-04-21T00:00:00


Exploit for multiple platforms in the web applications category

# Exploit Title: nginx Arbitrary Code Execution NullByte Injection
# Date: 24/08/2011
# Exploit Author: Neal Poole
# Vendor Homepage:
# Software Link:
# Version: 0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37
# Tested on: Ubuntu Server 10.04.1
# nginx version: 0.6.36
# Advisory:
# Description
In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules can opt out of handling URIs that contain null bytes. However, not all of them do; in particular, the FastCGI module does not.
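A defender-side check for this issue, as an added example that is not part of the original advisory: it tests an nginx version string against the affected ranges in the Version field above and flags access-log requests whose URI carries a percent-encoded null byte, including nested encodings. The function names, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

def is_affected(version: str) -> bool:
    """True if an nginx version falls in the ranges listed in this advisory:
    0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37."""
    major, minor, patch = (int(p) for p in version.split("."))
    if major != 0:
        return False
    if minor in (5, 6):
        return True
    if minor == 7:
        return patch <= 65
    if minor == 8:
        return patch <= 37
    return False

# Request line inside an access log entry: "METHOD URI PROTOCOL"
# (combined log format is an assumption of this example).
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

def has_null_byte(uri: str, max_rounds: int = 3) -> bool:
    """Decode the URI repeatedly so nested encodings such as %2500 are caught."""
    for _ in range(max_rounds):
        if "\x00" in uri:
            return True
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:      # nothing left to decode
            break
        uri = decoded
    return "\x00" in uri

def flag_requests(lines):
    """Return (line_number, raw_uri) for each log line whose URI holds a null byte."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and has_null_byte(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.11 - - [24/Aug/2011:10:00:02 +0000] "GET /a%00b HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.12 - - [24/Aug/2011:10:00:03 +0000] "GET /a%2500b HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.13 - - [24/Aug/2011:10:00:04 +0000] "GET /s?q=a%20b HTTP/1.1" 200 10 "-" "-"',
]
```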
# Proof of Concept:

# [2018-03-02]  #