CVE-2012-1823

Published: 11/05/2012 Updated: 18/01/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 805
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

sapi/cgi/cgi_main.c in PHP prior to 5.3.12 and 5.4.x prior to 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote malicious users to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

Vulnerable Products

php php
php php 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5
php php 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6
php php 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17
php php 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10
php php 5.4.0, 5.4.1

Vendor Advisories

Debian Bug report logs - #671880 php5: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827). Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5 is src:php5 (PTS, buildd, popcon). Reported by: Henri Salo <henri@nerv.fi ...
Standalone PHP CGI scripts could be made to execute arbitrary code with the privilege of the web server ...
De Eindbazen discovered that PHP, when run with mod_cgi, will interpret a query string as command line parameters, allowing arbitrary code to be executed. Additionally, this update fixes insufficient validation of upload name which led to corrupted $_FILES indices. For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+s ...
Synopsis: Moderate: php security update. Type/Severity: Security Advisory: Moderate. Topic: Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scori ...
Synopsis: Moderate: php security update. Type/Severity: Security Advisory: Moderate. Topic: Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scori ...
Synopsis: Critical: php security update. Type/Severity: Security Advisory: Critical. Topic: Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3 Long Life, and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support. The Red Hat Security Response Team has rat ...
Synopsis: Critical: php security update. Type/Severity: Security Advisory: Critical. Topic: Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Sco ...
Synopsis: Critical: php53 security update. Type/Severity: Security Advisory: Critical. Topic: Updated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A ...
Synopsis: Moderate: php53 security update. Type/Severity: Security Advisory: Moderate. Topic: Updated php53 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability S ...
Synopsis: Critical: php53 security update. Type/Severity: Security Advisory: Critical. Topic: Updated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scori ...
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or a ...

Exploits

###################################################################################### # Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit # Date: May 4, 2012 # Author: rayh4c[0x40]80sec[0x2e]com # Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com ###################################################################################### ...
#!/usr/bin/env python # # ap-unlock-v1337.py - apache + php 5* rem0te c0de execution exploit # # NOTE: # - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :((( # - for connect back shell start netcat/nc and bind port on given host:port # - is ip-range scanner not is multithreaded, but iz multithreaded iz in # random scanner and is scann ...
## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use # metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking includ ...
/* Apache Magica by Kingcope */ /* gcc apache-magika.c -o apache-magika -lssl */ /* This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package. When the php5-cgi package is installed on Debian and Ubuntu or php-cgi is installed manually the php- ...
Apache and PHP remote command execution exploit that leverages php5-cgi ...
This exploit abuses an argument injection in the PHP-CGI wrapper to execute code as the PHP user/webserver user ...
PHP CGI argument injection remote exploit version 0.3. Works on versions up to 5.3.12 and 5.4.2 ...
PHP CGI argument injection exploit that executes phpinfo ...

Nmap Scripts

http-vuln-cve2012-1823

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.

nmap -sV --script http-vuln-cve2012-1823 <target>
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2012-1823:
|   VULNERABLE:
|   PHP-CGI Remote code execution and source code disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:2012-1823
|     Description:
|       According to PHP's website, "PHP is a widely-used general-purpose
|       scripting language that is especially suited for Web development and
|       can be embedded into HTML." When PHP is used in a CGI-based setup
|       (such as Apache's mod_cgid), the php-cgi receives a processed query
|       string parameter as command line arguments which allows command-line
|       switches, such as -s, -d or -c to be passed to the php-cgi binary,
|       which can be exploited to disclose source code and obtain arbitrary
|       code execution.
|     Disclosure date: 2012-05-03
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
|_      http://ompldr.org/vZGxxaQ

Github Repositories

Automatic Mass FTP Exploitation

[DARKVOID V12] Mass FTP exploitation tool, automates vulnerability scanning and exploiting FTP servers. Features: Detects FTP service version and alerts you if server is vulnerable to RCE (Remote Code Execution). Automatic exploitation. Built-in exploits. Tries anonymous login. Tries to upload a shell if anonymous login is successful. Bruteforce default creds. If bruteforce is succe

Python tutorials

Python tutorial series (translation) ~# python >>> import urllib >>> from bs4 import BeautifulSoup >>> url = urllib.urlopen("www.primalsecurity.net") >>> output = BeautifulSoup(url.read(), 'lxml') >>> output.title <title>Primal Security Podcast

LazyScan. This project extends fscan; it is for study and exchange only, do not use it illegally. Feature overview: implements exploit use on top of PoC verification. Common service exploitation: SSH weak passwords, MySQL weak passwords, Redis unauthorized access/weak passwords, MSSQL weak passwords, PostgreSQL weak passwords, etcd unauthorized access, Kube API Server unauthorized access, Docker Daemon unauthorized access, Kubelet unauthorized access, SMB weak passwords, WMI lateral movement. Web PoC plugins: PHP-C

PHP CGI Argument Injection.

PHP CGI Argument Injection (CVE-2012-1823). Description: sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to la

Autosploit = Automating Metasploit Modules.

Autosploit = Automating Metasploit Modules Execute MSF Modules on a target machine MS08_067 MS17_010 MS03_026 MS12_020 MS10_061 MS09_050 MS06_040 MS05_039 MS12_020 OSVDB-73573 CVE-2017-5689 CVE-2012-1823 CVE-2006-2369 CVE-2009-3843 SMB Session Pipe Auditor Gathering GPP Saved Passwords Checks for multiple auxiliary modules Execute MSF Modules on a target machine if applicati

Writeup for the challenges in H@cktivityCon CTF 2020

H@cktivityCon CTF 2020 This is my writeup for the challenges in H@cktivityCon CTF 2020, for more wr

Some exploits and exploit development stuff.

exploits. Some exploits and exploit development stuff. nodejsshell.py - NodeJS Reverse Shell Generator. carpwned.py - Carberp Botnet Control Panel PHP Code Execution exploit. plesk-php.py - Plesk PHP Remote Code Execution exploit, as disclosed by KingCope. php-cgi.py - PHP-CGI PHP Remote Code Execution exploit, CVE-2012-1823. lotus_eval.py - LotusCMS 3.0 PHP Remote Code Execution ex

A simple ruby tool to automate metasploit modules

autosploit. A simple ruby tool to automate metasploit modules. Installation: git clone github.com/krishpranav/autosploit; cd autosploit; bash autosploit.sh. Execute MSF Modules on a target machine: MS08_067 MS17_010 MS03_026 MS12_020 MS10_061 MS09_050 MS06_040 MS05_039 MS12_020 OSVDB-73573 CVE-2017-5689 CVE-2012-1823 CVE-2006-2369 CVE-

Covid v2 Botnet. Disclaimers: this botnet is for educational purpose and ethical use only! Any other use is on the user's own responsibility, and we are not responsible for any of the user's usage of it! What can it do? Attack targets by a list. Attack targets on local network with a scanner. Spread through CVE-2012-1823 (php-cgi Argument Injection). Spread through CVE-2

A public list of URLs generally useful to webapp testers and pentesters

Web App Defaults URL list. A public list of URLs generally useful to webapp testers and pentesters. This will start off as a single list but could certainly grow into a much more organized set of lists. Started here: etherpad.mozilla.org/weburl-easywins. The List: /.bzr/README /.git/config /.hg/requires /.htaccess /.htpasswd /.svn/wc.db /?Workshop/valid_page_name_in_curren

Dockersploit. Application via CLI. Application via GUI. Dockersploit is a Python3 script used to automatically deploy Docker containers vulnerable to a CVE of choice. You can also use it with GUI for a better user experience. Installation: Clone this repository: git clone github.com/Vibragence/Dockersploit.git in

Python tutorial series (translation) ~# python >>> import urllib >>> from bs4 import BeautifulSoup >>> url = urllib.urlopen("www.primalsecurity.net") >>> output = BeautifulSoup(url.read(), 'lxml') >>> output.title <title>Primal Security Podca

PHP-CGI remote code execution vulnerability (CVE-2012-1823). Principle: see the reference article eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/. Affected versions: php < 5.3.12 or php < 5.4.2. Test environment: build and run with docker-compose build and docker-compose up -d. Once the environment is up, visiting your-ip:8080/ shows "Hello"

Write-ups. Prerequisites: to start this challenge, you first need to open an account on the website wechall.net. After that, you need to authenticate. After authenticating in the terminal with the SSH username and password, go to your home directory using cd ~

Web hacking assistance toolkit

libpywebhack. A class with plenty of useful instruments for web application analysis. See libpywebhack.html for pydoc-generated documentation. Installation: Run $ python setup.py install or just put your scripts in the same directory. License: Creative Commons Attribution Non-Commercial Share Alike. Key features: Detecting a web-server, platform, links, some sensitive files (meth

Recent Articles

IT Threat Evolution: Q2 2013
Securelist • Christian Funk Denis Maslennikov • 15 Aug 2013

In early June, Kaspersky Lab announced a discovery that opened a whole new chapter in the field of cyber-espionage. Named NetTraveler, this is a family of malicious programs used by APT actors to successfully compromise more than 350 high-profile victims in 40 countries. The NetTraveler group infected victims across both the public and private sector including government institutions, embassies, the oil and gas industry, research centers, military contractors and activists. The threat, which has b...

References

CWE-20
https://bugs.php.net/bug.php?id=61910
http://www.php.net/ChangeLog-5.php#5.4.2
http://www.php.net/archive/2012.php#id2012-05-03-1
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff&revision=1335984315&display=1
http://www.kb.cert.org/vuls/id/520827
http://rhn.redhat.com/errata/RHSA-2012-0568.html
http://rhn.redhat.com/errata/RHSA-2012-0547.html
http://rhn.redhat.com/errata/RHSA-2012-0546.html
http://secunia.com/advisories/49014
http://secunia.com/advisories/49087
http://secunia.com/advisories/49065
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://marc.info/?l=bugtraq&m=134012830914727&w=2
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://support.apple.com/kb/HT5501
http://www.securitytracker.com/id?1027022
http://secunia.com/advisories/49085
http://www.kb.cert.org/vuls/id/673343
http://www.mandriva.com/security/advisories?name=MDVSA-2012:068
http://rhn.redhat.com/errata/RHSA-2012-0570.html
http://rhn.redhat.com/errata/RHSA-2012-0569.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html
http://www.debian.org/security/2012/dsa-2465
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=671880
https://usn.ubuntu.com/1437-1/
https://nvd.nist.gov
https://www.exploit-db.com/exploits/18836/
https://www.kb.cert.org/vuls/id/520827