first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
php/fpm/1.jpg
Normal file
BIN
php/fpm/1.jpg
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 114 KiB |
36
php/fpm/README.md
Normal file
36
php/fpm/README.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# PHP-FPM FastCGI Unauthorized Access Leads to Remote Code Execution
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. When misconfigured, PHP-FPM can be accessed directly through the FastCGI protocol, allowing attackers to execute arbitrary PHP code.
|
||||
|
||||
This vulnerability occurs when PHP-FPM is exposed to the network without proper access controls, allowing unauthorized access to the FastCGI interface.
|
||||
|
||||
References:
|
||||
|
||||
- <https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html>
|
||||
- <https://www.php.net/manual/en/install.fpm.php>
|
||||
|
||||
## Environment Setup
|
||||
|
||||
Execute the following command to start the vulnerable PHP-FPM server:
|
||||
|
||||
```bash
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the server starts, the PHP-FPM server will listen on port 9000.
|
||||
|
||||
## Vulnerability Reproduction
|
||||
|
||||
A proof-of-concept exploit script is available at: https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
|
||||
|
||||
The script allows you to:
|
||||
|
||||
1. Connect directly to the PHP-FPM port
|
||||
2. Send crafted FastCGI requests
|
||||
3. Execute arbitrary PHP code on the target server
|
||||
|
||||
Successful exploitation result:
|
||||
|
||||
|
||||
34
php/fpm/README.zh-cn.md
Normal file
34
php/fpm/README.zh-cn.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# PHP-FPM FastCGI 未授权访问漏洞
|
||||
|
||||
PHP-FPM(FastCGI 进程管理器)是一个替代性的 PHP FastCGI 实现,为各种规模的网站提供了额外的功能特性,特别适用于高负载网站。当配置不当时,PHP-FPM 可能被直接通过 FastCGI 协议访问,允许攻击者执行任意 PHP 代码。
|
||||
|
||||
此漏洞发生在 PHP-FPM 在没有适当访问控制的情况下暴露在网络中,导致 FastCGI 接口可被未经授权访问。
|
||||
|
||||
参考链接:
|
||||
|
||||
- <https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html>
|
||||
- <https://www.php.net/manual/zh/install.fpm.php>
|
||||
|
||||
## 环境搭建
|
||||
|
||||
执行如下命令启动PHP-FPM服务器:
|
||||
|
||||
```bash
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
服务启动后,PHP-FPM 服务器将监听 9000 端口。
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
漏洞利用脚本可在以下地址获取:https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
|
||||
|
||||
该脚本允许你:
|
||||
|
||||
1. 直接连接到 PHP-FPM 端口
|
||||
2. 发送精心构造的 FastCGI 请求
|
||||
3. 在目标服务器上执行任意 PHP 代码
|
||||
|
||||
成功利用结果:
|
||||
|
||||
|
||||
5
php/fpm/docker-compose.yml
Normal file
5
php/fpm/docker-compose.yml
Normal file
@@ -0,0 +1,5 @@
|
||||
services:
|
||||
php:
|
||||
image: php:fpm
|
||||
ports:
|
||||
- "9000:9000"
|
||||
Reference in New Issue
Block a user