In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-01-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >
Share
Shulou(Shulou.com)06/02 Report--
This article introduces php-fpm how to execute arbitrary code vulnerabilities in a specific nginx environment, the content is very detailed, interested friends can refer to, hope to be helpful to you.
Introduction of 0x01 vulnerabilities
In the Real World CTF organized by Changting Technology, when solving a CTF problem, foreign security researcher Andrew Danau found that when sending the% 0a symbol to the target server URL, the service returned abnormal and was suspected to have a loophole.
On nginx, when fastcgi_split_path_info processes a request with% 0a, the PATH_INFO is empty because it encounters a newline character\ n, and when php-fpm processes PATH_INFO, there is a logic problem with processing when its value is empty, resulting in a remote code execution vulnerability
The problem can be clearly seen in line 1150 of the fpm_main.c file.
Https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1150
Impact of 0x02 vulnerabilities
The server environment is nginx + php-fpm, and the configuration of nginx is like this
Location ~ [^ /]\ .php (/ | $) {. Fastcgi_split_path_info ^ (. +?\ .php) (/. *) $; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass php:9000;.}
In addition, PHP version 5.6 is also affected by this vulnerability, but currently it can only be Crash, not remote code execution:
PHP V7. 0 PHP 7. 1 PHP 7. 2 PHP 7. 3
If the default configuration provided by nginx is used, it will be affected.
Https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/
Recurrence of 0x03 vulnerabilities
There is already a vulnerability environment that can be exploited on vulhub, so you can directly pull it and reproduce it.
The exp used is the go version of the foreign researcher.
Https://github.com/neex/phuip-fpizdam
Just go to the pull environment on your own.
After that, there is a reproduction operation.
Visit http://your-ip:8080/index.php
Then deploy exp locally and take advantage of
Successful utilization
It should also be noted here that since only part of the php- FPM subprocess is contaminated, please execute the command a few more times.
On how php-fpm in the nginx specific environment of arbitrary code execution vulnerabilities are shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.