Published: 11/05/2012 Updated: 18/01/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 770
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

sapi/cgi/cgi_main.c in PHP prior to 5.3.13 and 5.4.x prior to 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote malicious users to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

Vulnerability Trend

Affected Products

Vendor Product Versions
PhpPhp1.0, 2.0, 2.0b10, 3.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 4.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.4.0, 5.4.1

Vendor Advisories

Standalone PHP CGI scripts could be made to execute arbitrary code with the privilege of the web server ...
Debian Bug report logs - #671880 php5: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@listsaliothdebianorg>; Source for php5 is src:php5 (PTS, buildd, popcon) Reported by: Henri Salo <henri@nervfi& ...
De Eindbazen discovered that PHP, when run with mod_cgi, will interpret a query string as command line parameters, allowing to execute arbitrary code Additionally, this update fixes insufficient validation of upload name which lead to corrupted $_FILES indices For the stable distribution (squeeze), this problem has been fixed in version 533-7+s ...


###################################################################################### # Exploit Title: Cve-2012-1823 PHP CGI Argument Injection Exploit # Date: May 4, 2012 # Author: rayh4c[0x40]80sec[0x2e]com # Exploit Discovered by wofeiwo[0x40]80sec[0x2e]com ###################################################################################### ...
/* Apache Magica by Kingcope */ /* gcc apache-magikac -o apache-magika -lssl */ /* This is a code execution bug in the combination of Apache and PHP On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package When the php5-cgi package is installed on Debian and Ubuntu or php-cgi is installed manually the php- ...
#!/usr/bin/env python # # ap-unlock-v1337py - apache + php 5* rem0te c0de execution exploit # # NOTE: # - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :((( # - for connect back shell start netcat/nc and bind port on given host:port # - is ip-range scanner not is multithreaded, but iz multithreaded iz in # random scanner and is scann ...
## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # web site for more information on licensing and terms of use # metasploitcom/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking includ ...

Github Repositories

master 1 branch 0 tags Go to file Code Clone with HTTPS Use Git or checkout with SVN using the web URL. Download ZIP Launching GitHub Desktop If nothing happens, download GitHub Desktop and try again. Go back Launching GitHub Desktop If nothing happens, download GitHub Desktop and try again. Go back Launching Xcode If nothing happens, download Xcode and try again. Go back Launching Visual Studio If nothing happens, download the GitHub extension for Visual Studio and try again. Go back Latest commit W3rni0 Added GI Joe … 10de582 5 minutes ago Added GI Joe 10de582 Git stats 6 commits Files Permalink Failed to load latest commit information. Type Name Latest commit message Commit time assets/images Added GI Joe 5 minutes ago readme.md Added GI Joe 5 minutes ago View code readme.md H@cktivityCon CTF 2020 This is my writeup for the challenges in H@cktivityCon CTF 2020, I'll try adding as many challenges as I can during the next few days, as of now it contains the only challenge I managed to write about during the CTF. Table of Content Web Ladybug Bite G.I Joe Web Ladybug Want to check out the new Ladybug Cartoon? It's still in production, so feel free to send in suggestions! Connect here: http://jh2i.com:50018 flag{weurkzerg_the_worst_kind_of_debug} Solution: With the challenge we are given a url to a website: The page seems pretty bare, there are some links to other pages in the webserver and an option to search the website or to contact ladybug using a form, I first tried checking if there's an XXS vulnerability in the contact page or an SQLi vulnerability / file inclusion vulnerability in the search option, that didn't seem to work, then I tried looking in the other pages in the hope I'll discover something there, none of them seemed very interesting, but, their location in the webserver stood out to me, all of them are in the film/ directory, the next logical step was to fuzz the directory, by doing so I got an Error on the site: This is great because we now know that the site is in debugging mode (we could infer that also from the challenge description but oh well), also we now know that the site is using Flask as a web framework, Flask is a web framework which became very popular in recent years mostly due to it simplicity, the framework depends on a web server gateway interface (WSGI) library called Werkzeug, A WSGI is a calling convention for web servers to request to web frameworks (in our case Flask). Werkzeug also provides a web server with a debugger and a console to execute Python expression from, we can navigate to the console using by navigating to /console: ` From this console we can execute commands on the server (RCE), let's first see which user we are on the server, I used the following commands for that: import subprocess;out = subprocess.Popen(['whoami'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT);stdout,stderr = out.communicate();print(stdout); the command simply imports the subprocess library, creates a new process which execute whoami and prints the output of the command, by doing so we get: The command worked!, now we can executels by changing the command in order to see which files are in the current directory, by doing so we see that there's a file called flag.txt in there, and by using cat on the file we get the flag: Resources: Flask: https://en.wikipedia.org/wiki/Flask_(web_framework) Flask RCE Debug Mode: http://ghostlulz.com/flask-rce-debug-mode/ Bite Want to learn about binary units of information? Check out the "Bite of Knowledge" website! Connect here: http://jh2i.com:50010 flag{lfi_just_needed_a_null_byte} Solution: With the challenge we get a url for a website: the site is about binary units, a possible clue for the exploit we need to use, it's seems we can search the site or navigate to other pages, by looking at the url we can see that it uses a parameter called page for picking which resource to display, so the format is: http://jh2i.com:50010/index.php?page=<resource> we possibly have a local file inclusion vulnerability (LFI), as I explained in my writeup for nahamCon CTF: php allows the inclusion of files from the server as parameters in order to extend the functionality of the script or to use code from other files, but if the script is not sanitizing the input as needed (filtering out sensitive files) an attacker can include any arbitrary file on the web server or at least use what's not filtered to his advantage let's first try including the php file itself, this will create some kind of a loop where the file included again and again and will probably cause the browser to crash...but it's a good indicator that we have an LFI vulnerability, navigating to /index.php?page=index.php gives us: index.php.php? it's seems that the php file includes a resource with a name matching the parameter given appended to .php, lets try /index.php?page=index : It worked! so we know that we have an LFI vulnerability where the parameter given is appended to a php extension, appending a string to the parameter's value is a common defense mechanism against arbitrary file inclusion as we are now limited only to a small scope of files, hopefully only files that are safe to display, but there are ways to go around this. In older versions of php by adding a null byte at the end of the parameter we can terminate the parameter's string, a null byte or null character is a character with the code \x00, this character signifies the end of a string in C and as such strings in C are often called null-terminated strings, because PHP uses C functions for filesystem related operations adding a null byte in the parameter will cause the C function to only consider the string before the null byte. with that in mind let's check if we can use a null byte to display an arbitrary file, to mix things we'll try to include /etc/passwd, this file exists in all linux servers and is commonly accessible by all the users in the system (web applications running are considered as users in linux) as such it's common to display the content of this file in order to prove access to a server (as proof of concept), we can represent a null byte in url encoding using %00, navigating to /index.php?page=/etc/passwd%00 gives us: We can use null bytes!...but where is the flag located? At this point I tried a lot of possible locations until I discovered that the flag is located in the root directory in a file called file.txt by navigating to /index.php?page=/flag.txt%00 we get the flag: Resources: File Inclusion Vulnerabilities: https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/ Payload all the things - File Inclusion: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion Null byte: https://en.wikipedia.org/wiki/Null_character Null byte issues in PHP: https://www.php.net/manual/en/security.filesystem.nullbytes.php GI Joe The real American hero! Connect here: http://jh2i.com:50008 Post-CTF Writeup flag{old_but_gold_attacks_with_cgi_joe} Solution: With the challenge we get a url to a website about G.I joe's movies called See GI Joe: By the name of the challenge we can assume it has something to do with Common Gateway Interface or CGI (See GI), Common Gateway Interface are interface specification for communication between a web server (which runs the website) and other programs on the server, this allows webserver to execute commands on the server (such as querying a database), and is mostly used to generate webpages dynamically, this type of communication is handled by CGI scripts which are often stored in a directory called cgi-bin in the root directory of the web server. Looking around in the web site I didn't find any other interesting thing, but by looking at the headers of the server responses using the inspect tool I discovered that the website is using PHP version 5.4.1 and Apache version 2.4.25, this are quite old versions of both PHP (current version is 7.3) and Apache (current version is 2.4.43) so I googled php 5.4.1 exploit cgi and discovered this site, according to it there is a vulnerability in this version which allows us to execute arbitrary code on the server, this vulnrability is often refered to by CVE-2012-2311. In more details when providing vulnrable website with a value with no parameter (lacks the = symbol) the value is interpreted as options for the php-cgi program which handles communication with the web server related to PHP, the options avaliable are listed in the man page in the resources, so for example by using the -s flag we can output the source code for a php file and so by adding ?-s to the url for a php file located on a vulnrable server we can view the source code of the file, let's try it on the index page (which is a php file) by navigating to /index.php?-s we get the following: It worked! and we now know that the flag is a file called flag.txt in the root directory of the server, as I mentioned before this vulnerability allows us to execute commands on the server, this can be done by using the -d option, this option allows us to change and define INI entries, or in other words change the configuration files of PHP, we need to change the option auto_prepend_file to php://input, this will force PHP to parse the HTTP request and include the output in the response, also we need to change the option allow_url_include to 1 to allow the usage of php://input, so by navigating to ?-d allow_url_include=1 -d auto_prepend_file=php://input and adding to the HTTP request a php code to execute commands on the system <?php system(<command>) ?> we can achieve arbitrary code execution on the server. let's try doing that to view the flag, we can use cURL with -i option to include the HTTP headers and --data-binary option to add the php code, in the php code we'll use cat /flag.txt to output the content of the file, the command is: curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" and by executing this command we get the flag: Resources: Common Gateway Interface: https://en.wikipedia.org/wiki/Common_Gateway_Interface CVE-2012-2311: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311 a detailed explanation on CVE-2012-2311: https://pentesterlab.com/exercises/cve-2012-1823/course man page for php-cgi: https://www.systutorials.com/docs/linux/man/1-php-cgi/ About Writeup for the challenges in H@cktivityCon CTF 2020 Resources Readme Releases No releases published

Recent Articles

Another Set of PHP Releases Pushed Out to Fix CVE-2012-1823 Flaw
Threatpost • Dennis Fisher • 09 May 2012

For the second time in less than a week, the developers of PHP have released new versions of the language that include a fix for the remotely exploitable vulnerability that was disclosed last week. The group is encouraging users to upgrade to PHP 5.4.3 or 5.3.13 immediately. 
The vulnerability affects PHP sites in CGI-based setups and can enable an attacker to get access to the site’s source code by passing certain queries to the PHP binary as command-line arguments. The bug...

PHP Group Releases New Versions, But Patch Doesn’t Fix CVE-2012-1823 Bug
Threatpost • Dennis Fisher • 04 May 2012

UPDATE–The developers of PHP have released new versions of the scripting language to fix a remotely exploitable vulnerability announced earlier this week that enables an attacker to pass command-line arguments to the PHP binary. The flaw has been in the code for more than eight years and The PHP Group was working on a patch for it when the bug was disclosed accidentally on Reddit. However, the team that found the bug says the new versions of PHP don’t actually fix the vulnerability.