2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Many people who are new to this are unsure how to deal with the remote code execution vulnerability in PHP. This article summarizes the cause of the problem and how to fix it, and should help you resolve it.
0x01 Vulnerability overview
When fastcgi_split_path_info on Nginx processes a request containing %0a, the newline character \n causes PATH_INFO to be empty. php-fpm, in turn, has a logic flaw in how it handles an empty PATH_INFO. With a carefully constructed request, an attacker can exploit this to achieve remote code execution.
0x02 Affected versions
Remote code execution vulnerabilities may exist on Nginx + php-fpm servers using the following configuration.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
Can't execute code remotely: PHP 7.0/7.1/7.2/7.3
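Added example, not from the original article or from the Nginx or PHP projects: a small Python model of the split described above, using the two regexes from the configuration, plus a log check that flags requests whose decoded path contains a newline. The access log format, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Both regexes are copied from the Nginx configuration shown on this page.
LOCATION = re.compile(r"[^/]\.php(/|$)")
SPLIT = re.compile(r"^(.+?\.php)(/.*)$")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def split_path_info(uri):
    """Model fastcgi_split_path_info; returns (script_name, path_info)."""
    # "." never matches a newline, so a newline in the PATH_INFO part makes
    # the whole regex fail and PATH_INFO stays empty. Returning the full URI
    # as script_name in that case is a modelling assumption of this example.
    match = SPLIT.match(uri)
    if match is None:
        return uri, ""
    return match.group(1), match.group(2)


def suspicious_requests(log_lines):
    """Return request targets that hit the PHP location with a newline in the path."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if match is None:
            continue
        target = match.group(1)
        path = unquote(target.split("?", 1)[0])  # decode %0a the way the server would
        if LOCATION.search(path) and "\n" in path and split_path_info(path)[1] == "":
            hits.append(target)
    return hits


# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php/a/b?x=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2020:10:00:05 +0000] "GET /index.php/PATH%0Ainfo?q=1 HTTP/1.1" 502 0',
    '203.0.113.9 - - [01/Jan/2020:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("newline in PATH_INFO:", hit)
```

A normal request such as /index.php/a/b splits into script name and PATH_INFO, while the request with %0A in the path is the only one flagged.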
0x03 Environment setup
Build on your own:
Build it directly with vulhub in one step (it is updated really fast):
git clone https://github.com/vulhub/vulhub.git
cd vulhub/php/CVE-2019-11043
Start the vulnerable Nginx and PHP:
docker-compose up -d
After the environment starts, visit http://ip:8080/index.php to see a default page.
0x04 Exploiting the vulnerability
Download POC:
git clone https://github.com/neex/phuip-fpizdam
Note: the Go language environment needs to be installed:
https://www.runoob.com/go/go-environment.html
Change into the downloaded PoC folder and run go build to compile it.
If the compilation fails with a timeout, you need to set up a proxy. Run the following statement to add the environment variable:
export GOPROXY=https://goproxy.io
Use the compiled phuip-fpizdam tool to send the packets:
It has been successfully executed here.
Visit http://ip:8080/index.php?a=whoami to see that the command has been executed successfully.
Note that because php-fpm starts multiple child processes, you need to visit /index.php?a=id several times to reach a contaminated process.
0x05 Remediation
Provided normal business is not affected, delete the following configuration from the Nginx configuration file:
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
Vulnerability patch:
https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest