How to understand PHP-CGI remote code execution vulnerability and CVE-2012-1823 vulnerability recurrence 04/01 Update SLTechnology News&Howtos

How to understand PHP-CGI remote code execution vulnerability and CVE-2012-1823 vulnerability recurrence

2025-04-01 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to understand PHP-CGI remote code execution vulnerabilities and the recurrence of CVE-2012-1823 vulnerabilities. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

I. introduction of loopholes

To put it simply, the querystring requested by the user (querystring literally means query string, usually parses the data contained in the http request, and here is only the data in the http request) is used as a parameter of the php-cgi, resulting in a series of results.

Scope of influence:

Vulnerability affects version php

< 5.3.12 or php < 5.4.2 PS:CVE-2012-1823是在php-cgi运行模式下出现的漏洞，其漏洞只出现在以cgi模式运行的php中二、PHP运行的四种模式 1）cgi 通用网关接口（Common Gateway Interface)） CGI即通用网关接口(Common Gateway Interface)，它是一段程序, 通俗的讲CGI就象是一座桥，把网页和WEB服务器中的执行程序连接起来，它把HTML接收的指令传递给服务器的执行程序，再把服务器执行程序的结果返还给HTML页。 2） fast-cgi 常驻 (long-live) 型的 CGI 【php-fpm:PHP的FastCGI进程管理器】 fast-cgi 是cgi的升级版本，FastCGI 像是一个常驻 (long-live) 型的 CGI，它可以一直执行着，只要激活后，不会每次都要花费时间去 fork 一次 (这是 CGI 最为人诟病的 fork-and-execute 模式)。 3） cli 命令行运行（Command Line Interface） cli是php的命令行运行模式，大家经常会使用它，但是可能并没有注意到（例如：我们在linux下经常使用 "php -m"查找PHP安装了那些扩展就是PHP命令行运行模式；有兴趣的同学可以输入php -h去深入研究该运行模式） 4）web模块模式（apache等web服务器运行的模块模式）模块模式是以mod_php5模块的形式集成，此时mod_php5模块的作用是接收Apache传递过来的PHP文件请求，并处理这些请求，然后将处理后的结果返回给Apache。三、漏洞复现 1、使用vulhub搭建漏洞环境 2、访问ip+端口访问漏洞环境 3、访问http:ip+端口/index.php/?-s，返回源码说明存在漏洞过返回结果可以看到我们的命令已经被执行 4、使用抓包工具截包构造playload Cgi模式下命令行参数有如下一些参数可用 -c 指定php.ini文件的位置 -n 不要加载php.ini文件 -d 指定配置项 -b 启动fastcgi进程 -s 显示文件源码 -T 执行指定次该文件 -h和-? 显示帮助 5、通过返回结果可以看到我们的命令已经被执行四、POC

Poc runs the result and executes the ls command

The above is how to understand PHP-CGI remote code execution vulnerabilities and CVE-2012-1823 vulnerabilities that Xiaobian shared with you. If you happen to have similar doubts, please refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.