Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

How php-fpm can execute arbitrary code in nginx specific environment

2025-01-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Share

Shulou(Shulou.com)06/02 Report--

This article introduces php-fpm how to execute arbitrary code vulnerabilities in a specific nginx environment, the content is very detailed, interested friends can refer to, hope to be helpful to you.

Introduction of 0x01 vulnerabilities

In the Real World CTF organized by Changting Technology, when solving a CTF problem, foreign security researcher Andrew Danau found that when sending the% 0a symbol to the target server URL, the service returned abnormal and was suspected to have a loophole.

On nginx, when fastcgi_split_path_info processes a request with% 0a, the PATH_INFO is empty because it encounters a newline character\ n, and when php-fpm processes PATH_INFO, there is a logic problem with processing when its value is empty, resulting in a remote code execution vulnerability

The problem can be clearly seen in line 1150 of the fpm_main.c file.

Https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1150

Impact of 0x02 vulnerabilities

The server environment is nginx + php-fpm, and the configuration of nginx is like this

Location ~ [^ /]\ .php (/ | $) {. Fastcgi_split_path_info ^ (. +?\ .php) (/. *) $; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass php:9000;.}

In addition, PHP version 5.6 is also affected by this vulnerability, but currently it can only be Crash, not remote code execution:

PHP V7. 0 PHP 7. 1 PHP 7. 2 PHP 7. 3

If the default configuration provided by nginx is used, it will be affected.

Https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/

Recurrence of 0x03 vulnerabilities

There is already a vulnerability environment that can be exploited on vulhub, so you can directly pull it and reproduce it.

The exp used is the go version of the foreign researcher.

Https://github.com/neex/phuip-fpizdam

Just go to the pull environment on your own.

After that, there is a reproduction operation.

Visit http://your-ip:8080/index.php

Then deploy exp locally and take advantage of

Successful utilization

It should also be noted here that since only part of the php- FPM subprocess is contaminated, please execute the command a few more times.

On how php-fpm in the nginx specific environment of arbitrary code execution vulnerabilities are shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Internet Technology

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report