stark0de/nginxpwner stark0de/nginxpwner

  • Stars
    star
    1,453
  • Rank 32,372 (Top 0.7 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated 9 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
stark0de/nginxpwner
github

stark0de

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.

Nginxpwner

Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.

Install:

cd /opt
git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
chmod +x install.sh
./install.sh

Install using Docker

git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
sudo docker build -t nginxpwner:latest .

Run the image

sudo docker run -it nginxpwner:latest /bin/bash

Usage:

Target tab in Burp, select host, right click, copy all URLs in this host, copy to a file

cat urllist | unfurl paths | cut -d"/" -f2-3 | sort -u > /tmp/pathlist 

Or get the list of paths you already discovered in the application in some other way. Note: the paths should not start with /

Finally:

python3 nginxpwner.py https://example.com /tmp/pathlist

Notes:

It actually checks for:

-Gets Ngnix version and gets its possible exploits using searchsploit and tells if it is outdated

-Throws a wordlist specific to Nginx via gobuster

-Checks if it is vulnerable to CRLF via a common misconfiguration of using $uri in redirects

-Checks for CRLF in all of the paths provided

-Checks if the PURGE HTTP method is available from the outside

-Checks for variable leakage misconfiguration

-Checks for path traversal vulnerabilities via merge_slashes set to off

-Tests for differences in the length of responses when using hop-by-hop headers (ex: X-Forwarded-Host)

-Uses Kyubi to test for path traversal vulnerabilities via misconfigured alias

-Tests for 401/403 bypass using X-Accel-Redirect

-Shows the payload to check for Raw backend reading response misconfiguration

-Checks if the site uses PHP and suggests some nginx-specific tests for PHP sites

-Tests for the common integer overflow vulnerability in Nginx's range filter module (CVE-2017-7529)

The tool uses the Server header in the response to do some of the tests. There are other CMS and so which are built on Nginx like Centminmod, OpenResty, Pantheon or Tengine for example which don't return that header. In that case please use nginx-pwner-no-server-header.py with the same parameters than the other script

Also, for the exploit search to run correctly you should do: searchsploit -u in Kali from time to time

The tool does not check for web cache poisoning/deception vulnerabilities nor request smuggling, you should test that with specific tools for those vulnerabilities. NginxPwner is mainly focused in misconfigurations developers may have introduced in the nginx.conf without being aware of them.

Credit to shibli2700 for his awesome tool Kyubi https://github.com/shibli2700/Kyubi and to all the contributors of gobuster. Credits also to Detectify (which actually discovered many of this misconfigurations in NGINX)

More Repositories

1

ocr-recon

This tool is useful to find a particular string in a list of URLs using tesseract's OCR (Optical Character Recognition) capabilities
Python
31
star
2

regsave

This tool is useful in case you want to evade the detection based on simple rules when trying to dump the SAM, SYSTEM or SECURITY hives using the typical reg.exe save command.
C++
10
star
3

zip-symlink-payload-creator

This is a simple tool to create ZIP payloads using a provided wordlist for the symlink attack (present in some file upload vulnerabilities)
Python
8
star
4

ippsec-cli

This a simple tool to query the awesome ippsec.rocks website from your terminal
Python
7
star
5

pe-tools

This repository contains various tools useful for offensive operations (reversing, etc) regarding the PE (Portable Executable) format
Python
6
star
6

internalipcheck

Python
4
star
7

tokenpriv

A simple script to check the privileges included in your access token
Python
3
star
8

taller-bugbounty-honeysec

Python
3
star
9

emailissuescheck

Simple tool to check for SPF, DMARC and DKIM issues in a list of domains
Python
2
star
10

ciphercheck

This tool checks if a specific TLS ciphersuite is able to bypass a WAF
Python
2
star
11

logcat-strings

Simple tool to look in real time for possible information leaks in an Android app's logs
Python
2
star
12

azure-finder

Simple script to find all Azure-based assets given a domain list
Python
2
star
13

endpointpdfextractor

Simple file to create wordlists out of PDF documents (for example of PDFs of some product's docs)
Shell
1
star
14

msrpcbruteforce

Simple tool to perform bruteforce and dictionary attacks to MS-RPC services
Python
1
star