<h2 id="0x00-前言"><a href="#0x00-前言" class="headerlink" title="0x00 Preface"></a>0x00 Preface</h2><p>On 26 September 2019 the PHP project published <a href="https://bugs.php.net/bug.php?id=78599" target="_blank" rel="noopener noreferrer">a remote code execution vulnerability in Nginx + php-fpm caused by a misconfiguration</a> (CVE-2019-11043). On 22 October 2019 a PoC for the vulnerability was made public: <a href="https://github.com/neex/phuip-fpizdam" target="_blank" rel="noopener noreferrer">https://github.com/neex/phuip-fpizdam</a></p>
<h2 id="0x01-漏洞复现"><a href="#0x01-漏洞复现" class="headerlink" title="0x01 Reproducing the vulnerability"></a>0x01 Reproducing the vulnerability</h2><h3 id="漏洞原因"><a href="#漏洞原因" class="headerlink" title="Root cause"></a>Root cause</h3><p>In an Nginx + php-fpm deployment, the vulnerability is present when Nginx carries the following configuration:</p>
<figure class="highlight nginx"><pre><code>location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
</code></pre></figure>
<h3 id="环境搭建"><a href="#环境搭建" class="headerlink" title="Setting up the environment"></a>Setting up the environment</h3><p>The vulnerable environment is built with Docker; vulhub already provides one: <a href="https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043" target="_blank" rel="noopener noreferrer">https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043</a></p>
<p>docker-compose.yml</p>
<figure class="highlight yaml"><pre><code>version: '2'
services:
  nginx:
    image: nginx:1
    volumes:
      - ./www:/usr/share/nginx/html
      - ./default.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
    ports:
      - "8080:80"
  php:
    image: php:7.2.10-fpm
    volumes:
      - ./www:/var/www/html
</code></pre></figure>
<p>Nginx configuration file default.conf</p>
<figure class="highlight nginx"><pre><code>server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /usr/share/nginx/html;

    index index.html index.php;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;

        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_index index.php;
        fastcgi_param REDIRECT_STATUS 200;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /var/www/html;
        fastcgi_pass php:9000;
    }

}
</code></pre></figure>
<p>Then start the vulnerable environment with <code>docker-compose up -d</code>.</p>
<p><a href="https://i.loli.net/2019/10/24/AX4JFgGafVwCMYd.png" class="fancybox fancybox.image" rel="group"><img src="https://i.loli.net/2019/10/24/AX4JFgGafVwCMYd.png" alt=""></a></p>
<h3 id="安装-phuip-fpizdam"><a href="#安装-phuip-fpizdam" class="headerlink" title="Installing phuip-fpizdam"></a>Installing phuip-fpizdam</h3><figure class="highlight shell"><pre><code>go get github.com/neex/phuip-fpizdam

go install github.com/neex/phuip-fpizdam
</code></pre></figure>
<p><a href="https://i.loli.net/2019/10/24/eyJmW6SpdnUZL9c.png" class="fancybox fancybox.image" rel="group"><img src="https://i.loli.net/2019/10/24/eyJmW6SpdnUZL9c.png" alt=""></a></p>
<p>Then run phuip-fpizdam against the target with <code>./phuip-fpizdam url</code>; a successful run looks like this.</p>
<p><a href="https://i.loli.net/2019/10/24/Eh6g9I7tG3CTHbj.png" class="fancybox fancybox.image" rel="group"><img src="https://i.loli.net/2019/10/24/Eh6g9I7tG3CTHbj.png" alt=""></a></p>
<p>Then append the parameter <code>?a=cmd</code> to execute arbitrary commands.</p>
<p><a href="https://i.loli.net/2019/10/24/3WokGrzdgXAtU1y.png" class="fancybox fancybox.image" rel="group"><img src="https://i.loli.net/2019/10/24/3WokGrzdgXAtU1y.png" alt=""></a></p>
<h2 id="0x02-修复建议"><a href="#0x02-修复建议" class="headerlink" title="0x02 Remediation"></a>0x02 Remediation</h2><ul>
<li><p>If the application does not need it, remove the configuration <code>fastcgi_split_path_info ^(.+?\.php)(/.*)$;</code> and <code>fastcgi_param PATH_INFO $fastcgi_path_info;</code>.</p>
</li>
<li><p>Add a file-existence check to the Nginx configuration, using <code>try_files $uri =404</code> or <code>if (-f $uri)</code>.</p>
</li>
</ul>
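<p>As an added example (not from the original post or from the vulhub project), the hardened form of the <code>location</code> block shown in the root-cause section, applying both remediation points above: the <code>fastcgi_split_path_info</code> and <code>PATH_INFO</code> directives are dropped for an application that does not need them, and <code>try_files $uri =404</code> only hands a request to php-fpm when the requested script actually exists. The upstream address <code>php:9000</code> and the <code>/var/www/html</code> paths follow the page's <code>default.conf</code>; tightening the regex to <code>\.php$</code> is an assumption that follows from dropping PATH_INFO support.</p>

```nginx
# Hardened PHP location (example added to this page, not the original config).
# Compared with the vulnerable block, fastcgi_split_path_info and the
# PATH_INFO parameter are gone, and try_files rejects any URI that does not
# map to a real file before the request reaches php-fpm.
#
# Without PATH_INFO the trailing "(/|$)" is no longer needed, so the
# location only matches URIs that end in .php (assumption, see lead-in).
location ~ [^/]\.php$ {
    # Only forward requests whose URI names an existing file under root;
    # everything else is answered by Nginx itself with 404. Nginx checks
    # its own filesystem, so it must see the same ./www the php container
    # mounts (true for the compose file on this page).
    try_files $uri =404;

    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param REDIRECT_STATUS 200;
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT /var/www/html;
    fastcgi_pass php:9000;
}
```

<p>After changing the configuration, <code>nginx -t</code> validates the syntax and a request such as <code>/index.php/anything</code> should now return 404 from Nginx instead of being forwarded to php-fpm.</p>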