
CVE-2019-11043 PoC — Underflow in PHP-FPM can lead to RCE

Associated Vulnerability
Title: Underflow in PHP-FPM can lead to RCE (CVE-2019-11043)
Description: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of FPM setup it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Description
PHP-FPM Remote Code Execution Vulnerability (CVE-2019-11043) POC in Python
Readme
# CVE-2019-11043
1. Vulnerability description
On Nginx, when fastcgi_split_path_info handles a request containing %0a, the newline character \n causes PATH_INFO to be empty. php-fpm has a logic flaw in how it handles an empty PATH_INFO; with carefully constructed requests an attacker can achieve remote code execution.

Affected scope
Nginx + php-fpm servers using a configuration like the following may be vulnerable to remote code execution.

```nginx
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
```

2. Vulnerability detection
Method one: detection with the phuip-fpizdam script

0x01 Install phuip-fpizdam (Mac)

```
go get github.com/neex/phuip-fpizdam
go install github.com/neex/phuip-fpizdam
```

```
➜  ~ cd ./go
➜  go go get github.com/neex/phuip-fpizdam
➜  go go install github.com/neex/phuip-fpizdam
➜  go ls
bin src
➜  go cd bin
➜  bin ls
phuip-fpizdam
➜  bin file phuip-fpizdam
phuip-fpizdam: Mach-O 64-bit executable x86_64

➜  bin ls -lah phuip-fpizdam
-rwxr-xr-x  1 alewong  staff   9.3M 10 24 10:54 phuip-fpizdam
```

![step 2](https://github.com/AleWong/CVE-2019-11043/blob/master/2.png)
```
➜  bin ./phuip-fpizdam

Error: accepts 1 arg(s), received 0
Usage:
  phuip-fpizdam [url] [flags]

Flags:

      --cookie string       send this cookie
  -h, --help                help for phuip-fpizdam
      --kill-count int      how many times to send the worker killing payload (default 50)
      --kill-workers        just kill php-fpm workers (requires only QSL)
      --method string       detect method (see detect_methods.go) (default "session.auto_start")
      --only-qsl            stop after QSL detection, use this if you just want to check if the server is vulnerable
      --pisos int           pisos hint
      --qsl int             qsl hint
      --reset-retries int   how many retries to do for --reset-setting, -1 means a lot (default 50)
      --reset-setting       try to reset setting (requires attack params)
      --setting string      specify custom php.ini setting for --reset-setting
      --skip-attack         skip attack phase
      --skip-detect         skip detection phase
2019/10/24 10:56:18 accepts 1 arg(s), received 0
```

0x03 Check the target URL

![step 3](https://github.com/AleWong/CVE-2019-11043/blob/master/3.png)
The response status is 202, which indicates the check succeeded.

0x04 Inspect the web page
![step 4](https://github.com/AleWong/CVE-2019-11043/blob/master/4.png)

![step 5](https://github.com/AleWong/CVE-2019-11043/blob/master/5.png)

Method two: detection with the Python script
![step 7](https://github.com/AleWong/CVE-2019-11043/blob/master/7.png)

![step 6](https://github.com/AleWong/CVE-2019-11043/blob/master/6.png)
Idea behind the script: once the Q value reaches a certain threshold, such as 1800, the server returns a 502, which shows the vulnerability is present.
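Two defensive checks built from the facts on this page, as an added Python example that is not part of this repository's code: php_version_affected compares a version string against the fixed releases named in the advisory above, and flag_requests scans nginx access-log lines for the two indicators described here (an encoded newline in a .php path, which empties PATH_INFO, and a query string at or above the Q threshold, 1800 by default). The log lines, IPs and function names are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# First fixed releases per the advisory quoted above: 7.1.33, 7.2.24, 7.3.11.
FIXED_PATCH = {(7, 1): 33, (7, 2): 24, (7, 3): 11}


def php_version_affected(version):
    """True if a PHP 7.1/7.2/7.3 version string predates its fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


# Constructed access-log lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2019:10:56:18 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.64.1"
10.0.0.9 - - [24/Oct/2019:10:56:19 +0000] "GET /index.php/%0a?QQQQQQQQQQQQQQQQQQQQ HTTP/1.1" 502 157 "-" "Go-http-client/1.1"
10.0.0.7 - - [24/Oct/2019:10:56:20 +0000] "GET /news.php?id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_requests(log_text, qsl_hint=1800):
    """Return entries for .php requests whose path decodes to contain a newline
    (the %0a that empties PATH_INFO) or whose query string is at least qsl_hint
    bytes long (1800 is the example threshold the README gives)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if ".php" not in parts.path.lower():
            continue
        reasons = []
        if "\n" in unquote(parts.path):
            reasons.append("newline in path (empties PATH_INFO)")
        if len(parts.query) >= qsl_hint:
            reasons.append("query string >= %d bytes" % qsl_hint)
        if reasons:  # keep the status: a 502 on such a request is the signal the README describes
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "uri": m.group("uri"),
                         "status": int(m.group("status")), "reasons": reasons})
    return hits
```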

Result:
![step 8](https://github.com/AleWong/CVE-2019-11043/blob/master/8.jpeg)

Consistent with the Burp Suite result
![step 9](https://github.com/AleWong/CVE-2019-11043/blob/master/9.png)