{"id":13611546,"url":"https://github.com/stark0de/nginxpwner","last_synced_at":"2025-04-08T02:42:31.040Z","repository":{"id":44921294,"uuid":"355239629","full_name":"stark0de/nginxpwner","owner":"stark0de","description":"Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.","archived":false,"fork":false,"pushed_at":"2024-03-04T21:16:15.000Z","size":55,"stargazers_count":1528,"open_issues_count":16,"forks_count":148,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-01T01:42:15.114Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stark0de.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-06T15:29:33.000Z","updated_at":"2025-03-31T12:57:59.000Z","dependencies_parsed_at":"2024-08-01T19:45:10.190Z","dependency_job_id":"cd68dc7c-e970-46a9-8319-8ede9541373f","html_url":"https://github.com/stark0de/nginxpwner","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stark0de%2Fnginxpwner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stark0de%2Fnginxpwner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stark0de%2Fnginxpwner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stark0de%2Fnginxpwner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stark0de","download_url":"https://codeload.github.com/stark0de/nginxpwner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247767232,"owners_count":20992538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T19:01:57.407Z","updated_at":"2025-04-08T02:42:31.020Z","avatar_url":"https://github.com/stark0de.png","language":"Python","funding_links":[],"categories":["Python","其他_安全与渗透","Web Servers","Network Tools","漏洞扫描"],"sub_categories":["网络服务_其他","Web Vulnerability Scanners","Vulnerable Apps"],"readme":"# Nginxpwner\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://i.postimg.cc/vm3LWFj4/nginxpwner.png\" /\u003e\u003c/p\u003e\n\nNginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.\n\n## Install:\n\n```\ncd /opt\ngit clone https://github.com/stark0de/nginxpwner\ncd nginxpwner\nchmod +x install.sh\n./install.sh\n```\n\n## Install using Docker\n```\ngit clone https://github.com/stark0de/nginxpwner\ncd nginxpwner\nsudo docker build -t nginxpwner:latest .\n```\n\nRun the image\n```\nsudo docker run -it nginxpwner:latest /bin/bash\n```\n\n\n## Usage:\n\n```\nTarget tab in Burp, select host, right click, copy all URLs in this host, copy to a file\n\ncat urllist | unfurl paths | cut -d\"/\" -f2-3 | sort -u \u003e /tmp/pathlist \n\nOr get the list of paths you already discovered in the application in some other way. Note: the paths should not start with /\n\nFinally:\n\npython3 nginxpwner.py https://example.com /tmp/pathlist\n```\n## Notes:\n\nIt actually checks for:\n\n-Gets Ngnix version and gets its possible exploits using searchsploit and tells if it is outdated\n\n-Throws a wordlist specific to Nginx via gobuster\n\n-Checks if it is vulnerable to CRLF via a common misconfiguration of using $uri in redirects\n\n-Checks for CRLF in all of the paths provided\n\n-Checks if the PURGE HTTP method is available from the outside\n\n-Checks for variable leakage misconfiguration\n\n-Checks for path traversal vulnerabilities via merge_slashes set to off\n\n-Tests for differences in the length of responses when using hop-by-hop headers (ex: X-Forwarded-Host)\n\n-Uses Kyubi to test for path traversal vulnerabilities via misconfigured alias\n\n-Tests for 401/403 bypass using X-Accel-Redirect\n\n-Shows the payload to check for Raw backend reading response misconfiguration \n\n-Checks if the site uses PHP and suggests some nginx-specific tests for PHP sites\n\n-Tests for the common integer overflow vulnerability in Nginx's range filter module (CVE-2017-7529)\n\nThe tool uses the Server header in the response to do some of the tests. There are other CMS and so which are built on Nginx like Centminmod, OpenResty, Pantheon or Tengine for example which don't return that header. In that case please use nginx-pwner-no-server-header.py with the same parameters than the other script\n\nAlso, for the exploit search to run correctly you should do: searchsploit -u in Kali from time to time\n\nThe tool does not check for web cache poisoning/deception vulnerabilities nor request smuggling, you should test that with specific tools for those vulnerabilities. NginxPwner is mainly focused in misconfigurations developers may have introduced in the nginx.conf without being aware of them.\n\nCredit to shibli2700 for his awesome tool Kyubi https://github.com/shibli2700/Kyubi and to all the contributors of gobuster. Credits also to Detectify (which actually discovered many of this misconfigurations in NGINX)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstark0de%2Fnginxpwner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstark0de%2Fnginxpwner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstark0de%2Fnginxpwner/lists"}