LNMP open directory access (with Dockerfile)

Dockerfile: https://github.com/Hok1/Dockerfile

For deployment steps, see the README inside lnmp.zip.
Original work; please credit the source when reposting.

1. Understanding the vulnerability

1. What is the LNMP open directory access vulnerability?

LNMP open directory access arises either when a directory is deliberately opened up for some need and sensitive information is then placed inside it, or when a misconfiguration in nginx.conf makes a directory browsable. In short, open directory access in LNMP is an information disclosure issue, and its severity depends on what information is leaked.


2. Analysis of the vulnerability and remediation

What exactly causes the vulnerability, how does it work, and what is the impact?

1. Cause:
When a directory is opened up for a legitimate need, sensitive files are placed inside it; or a misconfiguration fails to scope the accessible directory precisely, so more directories than intended become browsable and sensitive information leaks.
2. How it works:
In nginx.conf, adding the following inside the server block opens a directory for listing:
location /conf {
    root /usr/share/nginx/html;

    # enable directory listing
    autoindex on;
    autoindex_exact_size on;
    autoindex_localtime on;
}

This makes the conf directory under the root, i.e. /usr/share/nginx/html/conf, browsable.


Remediation (the simplest option, not the best one)

Edit nginx.conf and turn off directory listing for every directory that does not need it.
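As an added audit helper, not part of the original post or its Dockerfile repository, the following Python script parses an nginx configuration for location blocks with autoindex on and reports which filesystem directory each one exposes, applying the root + location rule described above and also handling alias and a server-level root. The sample configuration is constructed; nested blocks inside a location are not handled.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the post's vulnerable /conf location, plus an alias-based one.
SAMPLE_CONF = """
server {
    listen 80;
    location /conf {
        root /usr/share/nginx/html;
        # enable directory listing
        autoindex on;
        autoindex_exact_size on;
    }
    location /pub/ {
        alias /srv/public/;
        autoindex on;
    }
}
"""

# location <modifier?> <path> { body }  (matches non-nested location bodies)
_LOCATION = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}")

def _directive(body: str, name: str) -> Optional[str]:
    """Value of a one-argument directive such as 'root /x;', or None if absent."""
    m = re.search(r"(?<![\w.$])%s\s+(\S+?)\s*;" % name, body)
    return m.group(1) if m else None

def find_autoindex_exposures(conf: str) -> List[Tuple[str, str]]:
    """Return (url_prefix, filesystem_dir) for every location with 'autoindex on'.
    root: exposed dir = root + location path; alias: exposed dir = alias itself;
    a location without its own root inherits the server-level root.
    Regex locations cannot be mapped statically and are reported as '?'."""
    conf = re.sub(r"#.*", "", conf)                            # drop comments
    server_root = _directive(_LOCATION.sub("", conf), "root")  # root outside locations
    exposed = []
    for mod, path, body in _LOCATION.findall(conf):
        if not re.search(r"(?<![\w.])autoindex\s+on\s*;", body):
            continue
        alias = _directive(body, "alias")
        root = _directive(body, "root") or server_root
        fs_dir = "?"
        if not mod.startswith("~") and (alias or root):
            fs_dir = alias or root.rstrip("/") + "/" + path.strip("/")
        exposed.append((path, fs_dir.rstrip("/") or fs_dir))
    return exposed
```

Run it over /etc/nginx/nginx.conf and every included file; each reported pair is a directory whose listing should be confirmed as intentional or disabled.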


3. Reproducing and exploiting the vulnerability (Dockerfile)

1. Dockerfile

FROM fedora

MAINTAINER H0k

RUN yum -y install mariadb-server
# initialize MySQL
ADD initmysql.sh /root/initmysql.sh
RUN chmod 777 /root/initmysql.sh
RUN /root/initmysql.sh

# install build dependencies
RUN yum -y install tar bzip2-devel curl-devel freetype-devel gcc libjpeg-devel libpng-devel libxslt-devel libxml2-devel openssl-devel pcre-devel zlib-devel openssl make

RUN groupadd www
RUN useradd -g www -s /sbin/nologin -M www
# install PHP
ADD php-7.2.8.tar.gz /usr/local/
ADD installphp.sh /root/installphp.sh
RUN chmod 777 /root/installphp.sh
RUN /root/installphp.sh

# install nginx
RUN yum -y install nginx
RUN rm -f /etc/nginx/nginx.conf
ADD nginx.conf /etc/nginx/nginx.conf
# create the directory that nginx will list (world-writable, mode 777)
RUN mkdir -p -m 777 /usr/share/nginx/html/conf
# the leaked MySQL setup script
ADD initmysql.sh /usr/share/nginx/html/conf/initmysql.sh

EXPOSE 80
EXPOSE 3306

2. initmysql.sh

#!/bin/bash

# initialize the MariaDB data directory and start the server in the background
mysql_install_db --user=mysql
sleep 3
mysqld_safe &
sleep 3
# grant root access from any host with a fixed password; this is the credential the directory listing leaks
mysql -e "use mysql;grant all privileges on *.* to root@'%' identified by 'a1b2c3d4f5' with grant option;flush privileges;"
sleep 3
mysqladmin -u root password 'a1b2c3d4f5'

3. installphp.sh

#!/bin/bash
# unpack and build PHP 7.2.8 into /usr/local/php with php-fpm enabled
tar -zxf /usr/local/php-7.2.8.tar.gz
cd /usr/local/php-7.2.8 || exit 1
./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www --with-curl --with-freetype-dir --with-gd --with-gettext --with-iconv-dir --with-kerberos --with-libdir=lib64 --with-libxml-dir --with-mysqli --with-openssl --with-pcre-regex --with-pdo-mysql --with-pdo-sqlite --with-pear --with-png-dir --with-jpeg-dir --with-xmlrpc --with-xsl --with-zlib --with-bz2 --with-mhash --enable-bcmath --enable-libxml --enable-inline-optimization --enable-mbregex --enable-mbstring --enable-opcache --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvsem --enable-sysvshm --enable-xml --enable-zip

sleep 3
make && make install
sleep 3
# install the default php.ini and php-fpm configuration
cp /usr/local/php-7.2.8/php.ini-development /usr/local/php/php.ini
cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf

4. nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

# nginx refuses to start with a server block outside http {}, so the server is wrapped here
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        listen 80;
        server_name localhost;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /conf {
            root /usr/share/nginx/html;
            # enable directory listing: this is the misconfiguration being demonstrated
            autoindex on;
            autoindex_exact_size on;
            autoindex_localtime on;
        }

        location / {
            root /usr/share/nginx/html;
            index index.html index.htm index.php;
        }

        # PHP via php-fpm
        location ~ \.php$ {
            root html;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
            include fastcgi_params;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}

4. Exploitation

Once the Docker container is deployed, browsing the exposed directory reveals initmysql.sh; reading it gives the MySQL username and password, which can then be used to connect to MySQL remotely.