Repository: friparia/NGINX_RIFT_SCAN_CVE_2026_42945 (Python, default branch `main`, 34 stars, 8 forks)
Description: Nginx Rewrite CVE Scan(CVE-2026-42945 nginx-rift  CVE-2026-9256)
Last updated: 2026-06-12 02:04:08

# NGINX Rift Configuration Scanner

Language: Chinese | [English](README.en.md)

This is a lightweight script that checks an NGINX configuration for the risk patterns behind CVE-2026-42945 (NGINX Rift) and CVE-2026-9256.

The vulnerability was disclosed by depthfirst in the article [NGINX Rift: Achieving NGINX RCE via an 18-Year-Old Vulnerability](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability). According to the article and the F5/NVD descriptions, the risk lies in a specific combination of `ngx_http_rewrite_module` directives: within the same configuration context, a `rewrite` whose replacement string contains `?` is followed by a `rewrite`, `if` or `set` that references unnamed PCRE capture variables such as `$1` or `$2`.

## What is checked

The tool looks for the following high-risk patterns in NGINX configuration files.

### CVE-2026-42945

A high-risk sequence looks like this:

```nginx
location ~ ^/api/(.*)$ {
    rewrite ^/api/(.*)$ /internal?migrated=true;
    set $original_endpoint $1;
}
```

The risk is not the `rewrite` or the `set` on its own, but their order of execution within the same context:

1. a `rewrite` uses regex captures and its replacement string contains `?`;
2. a later `rewrite`, `if` or `set` uses an unnamed capture variable such as `$1` or `$2`.

This combination can make the length-calculation phase and the copy phase of the NGINX script engine disagree about their state, leading to a heap buffer overflow.

### CVE-2026-9256

A high-risk `rewrite` looks like this:

```nginx
location / {
    rewrite /wengine-auth-static/((.*)) /?$1$2 break;
}
```

Risk conditions:

1. the regular expression contains overlapping capture groups, for example `^/((.*))$`, where `$1` contains `$2`;
2. the replacement string references several overlapping capture groups, such as `$1$2`, in a redirect or arguments context.

Note that `break` does not remove the risk: as long as several overlapping capture groups appear in the argument part after `?`, the reference is still in the arguments context. A plain URI rewrite such as `/$1$2 break` does not meet the trigger condition of this CVE.

When the script matches this pattern, the hit is explicitly labelled `CVE-2026-9256`.

## Affected scope

The depthfirst article lists the following as affected:

- NGINX Open Source 0.6.27 through 1.30.1
- NGINX Plus R32 through R36
- some NGINX-based F5 / NGINX products

For the actual fixed versions and product matrix, rely on the official F5 advisory or your distribution's security advisories. Even when a version falls inside the affected range, a specific `rewrite` configuration sequence is normally also required to trigger the vulnerability.

The script prints both the current NGINX version and the configuration scan result:

- version within `0.6.27 - 1.30.1` and the configuration matches a risk sequence: NGINX must be upgraded or the configuration changed;
- version within `0.6.27 - 1.30.1` but no risk sequence matched: upgrading is recommended, but the tool found no configuration trigger;
- configuration matches a risk sequence but the version is outside the affected range: review the configuration and stay on a fixed version.

## Usage

Scan the complete NGINX configuration of the current machine directly:

```bash
python3 scan_rift.py
```

The script runs:

```bash
nginx -T
```

If the current user lacks permission to read the complete configuration, use `sudo`:

```bash
sudo python3 scan_rift.py
```

You can also scan a configuration file that has already been exported:

```bash
python3 scan_rift.py /path/to/nginx-full.conf
```

For example, export the configuration first and then scan it:

```bash
sudo nginx -T > nginx-full.conf
python3 scan_rift.py nginx-full.conf
```

## Output

When no risk sequence is found:

```text
--- NGINX Rift Config Scanner (CVE-2026-42945 / CVE-2026-9256) ---
Current NGINX Version: nginx version: nginx/1.23.3
Version Status: Affected version range for NGINX Open Source (0.6.27 - 1.30.1)

[+] No vulnerable CVE-2026-42945 sequences or CVE-2026-9256 patterns detected.

[Recommendation]: Current NGINX version is in the affected range, but no vulnerable config pattern was detected. Upgrade is recommended, but config risk was not found by this scanner.
```

When a suspicious sequence is found:

```text
--- NGINX Rift Config Scanner (CVE-2026-42945 / CVE-2026-9256) ---
Current NGINX Version: nginx version: nginx/1.23.3
Version Status: Affected version range for NGINX Open Source (0.6.27 - 1.30.1)

[!] VULNERABLE SEQUENCE FOUND (CVE-2026-42945):
    Context: location ~ ^/api/(.*)$ {
    [1. Rewrite With ?] rewrite ^/api/(.*)$ /internal?migrated=true;
    [2. Follow-up $N]   set $original_endpoint $1;

[Action Required]: Current NGINX version is affected and vulnerable config was found. Upgrade NGINX or adjust the reported rewrite pattern.
```

When a CVE-2026-9256 pattern is found:

```text
--- NGINX Rift Config Scanner (CVE-2026-42945 / CVE-2026-9256) ---
Current NGINX Version: nginx version: nginx/1.23.3
Version Status: Affected version range for NGINX Open Source (0.6.27 - 1.30.1)

[!] VULNERABLE PATTERN FOUND (CVE-2026-9256):
    Context: location ^~ /wengine-auth-static/ {
    [Rewrite Overlapping Captures] rewrite /wengine-auth-static/((.*)) /?$1$2 break;
    [Context] arguments; overlapping refs: $1/$2

[Action Required]: Current NGINX version is affected and vulnerable config was found. Upgrade NGINX or adjust the reported rewrite pattern.
```

After a hit, confirm manually whether the reported configuration context is reachable by external requests, then upgrade NGINX or adjust the configuration as soon as possible.

## Remediation

- Upgrade to the fixed version released by the vendor.
- Check the `rewrite` / `set` combinations in every `location`, `server`, `if` and similar context.
- Do not use unnamed capture variables such as `$1` or `$2` after a `rewrite` whose replacement contains `?`.
- Do not concatenate several overlapping capture groups in a redirect or in arguments, for example `^/((.*))$` together with `?$1$2`.
- Do not treat `break` as a workaround for CVE-2026-9256; `/?$1$2 break` is still a match.
- Switch to named captures, save the needed variables earlier, split the processing logic, or remove unnecessary query-string rewrites.
- Until the fix is deployed, prioritise internet-facing NGINX services and reverse-proxy entry points.
- Do not rely on the version check alone; whether the configuration contains a trigger sequence matters just as much.

## Limitations

This script is a static configuration scanner whose purpose is to find high-risk patterns quickly; a hit is not proof of exploitability.

- False positives are possible; review hits manually against the actual NGINX context.
- Complex multi-line directives, failed `include` expansion, or dynamically generated configuration can reduce scan accuracy.
- A clean scan does not mean the deployment is safe; upgrade to the official fixed version regardless.

## References

- depthfirst: <https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability>
- NVD CVE-2026-42945: <https://nvd.nist.gov/vuln/detail/CVE-2026-42945>
- F5 Advisory K000161019: <https://my.f5.com/manage/s/article/K000161019>
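The two configuration checks described in this README, as an added example written for this page. It is not the project's `scan_rift.py` and does not reproduce its output format; the `scan`, `check_rewrite_overlap` and `capture_groups` functions and the `SAMPLE_CONF` text are this example's own. It assumes `nginx -T` style output with one directive per line and treats "same context" as the immediately enclosing block. The constructed sample contains the README's two risky patterns plus the remediation variant (the capture saved before the `?` rewrite through a named capture), so the hardened block can be seen to pass while the other two are reported:

```python
"""Added example, not the project's scan_rift.py: a minimal detector for the two rewrite-module
patterns the README describes, run over the constructed `nginx -T` style config below."""
import re
# Constructed sample, not a real server's config. Blocks 1 and 3 are the README's risky patterns;
# block 2 saves the capture before the `?` rewrite via a named capture (the remediation advice).
SAMPLE_CONF = r"""
server {
    location ~ ^/api/(.*)$ {
        rewrite ^/api/(.*)$ /internal?migrated=true;
        set $original_endpoint $1;
    }
    location ~ ^/v2/(?<endpoint>.*)$ {
        set $original_endpoint $endpoint;
        rewrite ^/v2/(.*)$ /internal?migrated=true;
    }
    location ^~ /wengine-auth-static/ {
        rewrite /wengine-auth-static/((.*)) /?$1$2 break;
    }
}
"""
NUMBERED_REF = re.compile(r"\$(\d+)")  # unnamed PCRE capture references such as $1, $2

def capture_groups(regex):
    """(start, end) of each capturing group in PCRE numbering order; escaped parens, [...] classes,
    (?:...) and lookarounds are skipped, and None marks a group that never closed."""
    spans, stack, in_class, i = [], [], False, 0
    while i < len(regex):
        c = regex[i]
        if c == "\\":
            i += 1  # skip the escaped character too
        elif in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            capturing = not regex.startswith("(?", i) or re.match(r"\(\?P?<[A-Za-z]", regex[i:]) is not None
            spans += [None] * capturing  # reserve the next group number for a capturing paren
            stack.append((len(spans) - 1 if capturing else None, i))
        elif c == ")" and stack:
            idx, start = stack.pop()
            if idx is not None:
                spans[idx] = (start, i)
        i += 1
    return spans

def overlapping(spans, n, m):
    """True when 1-based groups n and m are both closed and nested, e.g. $1 containing $2 in ((.*))."""
    a = spans[n - 1] if 0 < n <= len(spans) else None
    b = spans[m - 1] if 0 < m <= len(spans) else None
    return n != m and None not in (a, b) and (a[0] <= b[0] <= b[1] <= a[1] or b[0] <= a[0] <= a[1] <= b[1])

def check_rewrite_overlap(context, line, args):
    """CVE-2026-9256 pattern: overlapping captures referenced together in the redirect or arguments
    part of the replacement. A plain URI such as /$1$2 is not flagged, and a `break` flag changes nothing."""
    if len(args) < 2:
        return None
    regex, repl = args[0], args[1]
    # nginx treats a replacement starting with a scheme as a redirect; text after `?` is arguments
    kind = "redirect" if repl.startswith(("http://", "https://", "$scheme://")) else "arguments" if "?" in repl else None
    if kind is None:
        return None
    part = repl if kind == "redirect" else repl.split("?", 1)[1]
    refs, spans = sorted({int(n) for n in NUMBERED_REF.findall(part)}), capture_groups(regex)
    for i, n in enumerate(refs):
        for m in refs[i + 1:]:
            if overlapping(spans, n, m):
                return ("CVE-2026-9256", context, (line,), f"{kind}; overlapping refs: ${n}/${m}")
    return None

def scan(conf_text):
    """Brace-stack walk of `nginx -T` output, one directive per line (multi-line directives are a
    limitation the README also notes). A stack entry is [block header, pending `rewrite` whose
    replacement contained `?`]; a later $N reference in the same block is a CVE-2026-42945 hit."""
    findings, stack = [], [["main", None]]
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").rstrip()
        if not line:
            continue
        ctx = stack[-1]
        if line == "}" and len(stack) > 1:
            stack.pop()
            continue
        if line.endswith("{"):  # an `if ($1 ...) {` condition is itself a follow-up $N reference
            if re.match(r"if\s*\(", line) and ctx[1] and NUMBERED_REF.search(line):
                findings.append(("CVE-2026-42945", ctx[0], (ctx[1], line), "rewrite with ? then $N in if"))
            stack.append([line, None])
            continue
        name, *args = line.split()
        if name in ("rewrite", "set") and ctx[1] and NUMBERED_REF.search(" ".join(args[1:])):
            findings.append(("CVE-2026-42945", ctx[0], (ctx[1], line), f"rewrite with ? then $N in {name}"))
        if name == "rewrite":
            hit = check_rewrite_overlap(ctx[0], line, args)
            if hit:
                findings.append(hit)
            if len(args) >= 2 and "?" in args[1]:
                ctx[1] = line  # arm this block: later $N uses here are reported
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_CONF), sep="\n")
```

Run as-is it reports two findings, one per CVE, and nothing for the `/v2/` block. To try it against a live host, replace `SAMPLE_CONF` with the output of `sudo nginx -T`; `include` files are already expanded in that output, so only the one-directive-per-line assumption and the immediate-block notion of "same context" limit what it sees.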