003_CRLF injection vulnerability

    I.

    (1)

    A CRLF injection vulnerability was reported against the production site. It is only exposed when ports 80 and 443 are both enabled; the configuration is as follows:

    server {
        listen      80;
        listen      443 ssl;
        server_name www.jyall.cn;
        access_log  /data/log/nginx/www.jyall.cn.access.log ngx_main;
        error_log   /data/log/nginx/www.jyall.cne.error.log;
    
        charset utf-8;
        underscores_in_headers on;
    
        ssl_certificate           ssl/www.jyall.cn-2019-12-13.crt;
        ssl_certificate_key       ssl/www.jyall.cn-2019-12-13.key;
        ssl_session_timeout       5m;
        ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers               ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
    
        set $rewrite_status 0;
    
        if ($https_status = off) {
            set $rewrite_status "${rewrite_status}1";
        }
    
        if ($scheme = http) {
            set $rewrite_status "${rewrite_status}2";
        }
    
        if ($https = on) {
            set $https_status $https;
        }
    
        if ($rewrite_status = 012) {
            rewrite / https://$host$request_uri permanent;
            break;
        }
    
        location  / {
            allow 0.0.0.0/24;
            deny all;
            proxy_pass http://www.baidu.com;
        }
    
        location  /test {
            default_type application/json;
            return 200 '{"status":"success","result_https":$scheme-$server_name$request_uri}';
        }
    
    }
    

    (2)

    Changing rewrite / https://$host$uri permanent; to rewrite / https://$host$request_uri permanent; fixes it. $uri is the normalized, percent-decoded request path, so an encoded %0d%0a in the request turns into a literal CR LF inside the Location header; $request_uri is the original request line exactly as received, so the percent-encoding is preserved and the header cannot be split.
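    The difference between the two variables, modelled as an added example that is not part of the original post: it expands both rewrite targets the way nginx would, checks whether the resulting Location value contains a raw CR or LF, and runs a small hypothetical lint (not an nginx feature) over constructed config fragments that mirror the before and after state. The host name and request path are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed request line (not from the original post): the path carries a
# percent-encoded CR LF followed by a forged header line.
RAW_REQUEST_URI = "/foo%0d%0aX-Injected:%201"

def nginx_vars(request_uri: str) -> dict:
    """Model the two nginx variables the post contrasts: $request_uri is the
    original request line untouched; $uri is normalised (percent-decoded,
    query string stripped)."""
    path = request_uri.split("?", 1)[0]
    return {"request_uri": request_uri, "uri": unquote(path)}

def build_location(template: str, host: str, request_uri: str) -> str:
    """Expand a rewrite target such as 'https://$host$uri' into the value
    nginx would place in the Location header."""
    v = nginx_vars(request_uri)
    return (template.replace("$host", host)
                    .replace("$request_uri", v["request_uri"])
                    .replace("$uri", v["uri"]))

def header_is_splittable(value: str) -> bool:
    """True if a raw CR or LF in the value would end the header line and let
    the remainder be parsed as a new header (response splitting)."""
    return "\r" in value or "\n" in value

# Hypothetical lint, not an nginx feature: flag rewrite/return directives that
# build an absolute redirect from the decoded $uri instead of $request_uri.
_REDIRECT_FROM_URI = re.compile(
    r"^[ \t]*(?:rewrite|return)\b[^\n]*https?://[^\s;]*\$uri\b[^\n]*", re.M)

def lint_redirects(config: str) -> list:
    return [m.group(0).strip() for m in _REDIRECT_FROM_URI.finditer(config)]

# Constructed config fragments mirroring the post's before/after.
VULN_CONF = "if ($rewrite_status = 012) {\n    rewrite / https://$host$uri permanent;\n}\n"
FIXED_CONF = "if ($rewrite_status = 012) {\n    rewrite / https://$host$request_uri permanent;\n}\n"

if __name__ == "__main__":
    for tpl in ("https://$host$uri", "https://$host$request_uri"):
        loc = build_location(tpl, "redirect.example", RAW_REQUEST_URI)
        print(f"{tpl:28} -> {loc!r}  splittable={header_is_splittable(loc)}")
    print("lint before:", lint_redirects(VULN_CONF))
    print("lint after: ", lint_redirects(FIXED_CONF))
```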

Original article: https://www.cnblogs.com/itcomputer/p/9078985.html