Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
37 lines
1.2 KiB
Markdown
37 lines
1.2 KiB
Markdown
# PHP-FPM FastCGI Unauthorized Access Leads to Remote Code Execution
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. When misconfigured, PHP-FPM can be accessed directly through the FastCGI protocol, allowing attackers to execute arbitrary PHP code.
|
|
|
|
This vulnerability occurs when PHP-FPM is exposed to the network without proper access controls, allowing unauthorized access to the FastCGI interface.
|
|
|
|
References:
|
|
|
|
- <https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html>
|
|
- <https://www.php.net/manual/en/install.fpm.php>
|
|
|
|
## Environment Setup
|
|
|
|
Execute the following command to start the vulnerable PHP-FPM server:
|
|
|
|
```bash
|
|
docker compose up -d
|
|
```
|
|
|
|
After the server starts, the PHP-FPM server will listen on port 9000.
|
|
|
|
## Vulnerability Reproduction
|
|
|
|
A proof-of-concept exploit script is available at: https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
|
|
|
|
The script allows you to:
|
|
|
|
1. Connect directly to the PHP-FPM port
|
|
2. Send crafted FastCGI requests
|
|
3. Execute arbitrary PHP code on the target server
|
|
|
|
Successful exploitation result:
|
|
|
|
|