Nginx Server Tokens Information Disclosure

Vulnerability information

Vulnerability name: Nginx Server Tokens Information Disclosure

Vulnerability type: Information disclosure

Severity: Medium

Description: This finding concerns an Nginx configuration issue: the server tokens (server_tokens) directive has not been disabled, so the server version can be disclosed. Nginx is a widely used, high-performance web server and reverse proxy that is common in enterprise services and web application stacks. When the 'server_tokens' option is enabled, Nginx returns its version in the HTTP response headers, which gives an attacker a potential attack surface. The technical root cause is a misconfiguration: the security best practice of disabling server tokens was not followed. While this does not by itself lead to remote code execution or service disruption, the leaked version information can be used by an attacker to target known vulnerabilities in that specific version, indirectly increasing the risk of compromise. Exploiting it requires no authentication, and the issue can be detected with automated tools. Administrators are advised to fix it by setting 'server_tokens off;' in the Nginx configuration file and restarting the service.

Vendor: Nginx

Product: Nginx

来源: https://github.com/projectdiscovery/nuclei-templates/blob/804d1df949d5fbbfdee11564a2df65b6836a8d60/javascript%2Faudit%2Fwebserver%2Fnginx%2Fdisable-nginx-server-tokens.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details

id: disable-nginx-server-tokens

info:
  name: Disable Nginx Server Tokens
  author: pussycat0x
  severity: medium
  description: |
    Detects if 'server_tokens' is enabled in Nginx, which can reveal version information.
  remediation: |
    Set 'server_tokens off;' in /etc/nginx/nginx.conf and restart Nginx.
  reference:
    - https://wiki.devsecopsguides.com/docs/checklists/nginx/
    - https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
  metadata:
    verified: true
  tags: audit,nginx,auth,ssh

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      // Log in over SSH with the supplied credentials and read the config file
      var m = require("nuclei/ssh");
      var c = m.SSHClient();
      c.Connect(Host,Port,User,Pass);
      const NginxConfig = c.Run(Code);
      let result = "";
      // Treat the file as an nginx main config only if it has http and events
      // blocks; flag it when no "server_tokens off" appears anywhere in it
      if (NginxConfig.includes("http") && NginxConfig.includes("events") && !NginxConfig.includes("server_tokens off")) {
        result += "Disable Server Tokens";
      } else {
        exit();
      }
      result

    args:
      Host: "{{Host}}"
      Port: "22"
      User: "{{usernames}}"
      Pass: "{{passwords}}"
      Code: cat {{path}}

    payloads:
      path:
        - /etc/nginx/nginx.conf
        - /usr/local/etc/nginx/nginx.conf

    matchers:
      - type: dsl
        dsl:
          - "success == true"

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 490a0046304402203d6e6973a58ff089b317b1a96a42af59c55fa029f669b138e7ffd18b86b0e1530220665102c65294c87370c1be7ba467b4bf412a36abc0cbbd7c01e8c405115b333f:922c64590222798bb761d5b6d8e72950
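As an added example (not the template's or the project's code), a stricter check than the template's `includes("server_tokens off")` substring test: it strips comments and tracks which http/server/location context each `server_tokens` directive sits in, so a commented-out line or a vhost that turns the banner back on is not mistaken for a fix. The sample config is constructed, and `include` files are not resolved.

```javascript
// Added example (not from the template): plain nginx.conf text in, "include" not resolved.

// Constructed sample config: the commented-out line alone would satisfy the
// template's substring test, and the vhost turns the banner back on anyway.
const SAMPLE_CONFIG = `
user nginx;
events { worker_connections 1024; }
http {
    # server_tokens off;
    server_tokens off;
    server {
        listen 80;
        server_tokens on;                        # version banner back on
        location /admin { server_tokens build; }
    }
}
`;

// Walk the block structure and record every server_tokens directive with
// the context it appears in (e.g. "http>server").
function collectServerTokens(configText) {
  // Drop comments first (naive: a '#' inside a quoted value is not special-cased)
  const stripped = configText.replace(/#[^\n]*/g, "");
  // Tokens: closing brace, block header ending in "{", or directive ending in ";"
  const tokens = stripped.match(/\}|[^{};]+\{|[^{};]+;/g) || [];
  const stack = [];
  const findings = [];
  for (const raw of tokens) {
    const tok = raw.trim();
    if (tok === "}") { stack.pop(); continue; }
    if (tok.endsWith("{")) {
      stack.push(tok.slice(0, -1).trim().split(/\s+/)[0]); // block name only
      continue;
    }
    const [name, ...args] = tok.slice(0, -1).trim().split(/\s+/);
    if (name === "server_tokens") {
      findings.push({ context: stack.join(">") || "main", value: args[0] });
    }
  }
  return findings;
}

// Verdict: the version is hidden only if "off" is set at http level and no
// nested server/location context re-enables it ("on", "build", or a string).
function auditServerTokens(configText) {
  const findings = collectServerTokens(configText);
  const httpOff = findings.some((f) => f.context === "http" && f.value === "off");
  const reenabled = findings.filter((f) => f.context !== "http" && f.value !== "off");
  return { httpOff, reenabled, findings, versionExposed: !httpOff || reenabled.length > 0 };
}
```

Note that with `server_tokens off;` nginx still sends a `Server: nginx` header, only without the version string.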


URL: http://example.com/2025/07/27/github_2633210510/
Author: lianccc
Published: July 27, 2025