http-vuln-cve2012-1823
Script type: portrule
Categories: exploit, vuln, intrusive
Script download URL: http://nmap.org/svn/scripts/http-vuln-cve2012-1823.nse
Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.
The script works by appending "?-s" to the URI so that a vulnerable php-cgi handler returns the colour syntax-highlighted source of the requested script. The query string has to be the bare switch, with no "=" in it: the CGI interface only passes such a query string to the handler as command-line arguments, which is exactly the behaviour php-cgi mishandled. The pattern "<span style=.*><?" is then matched against the response body to detect vulnerable installations.
TODO:
- Improve the detection mechanism (execute a known payload and look for it in the response to confirm exploitability)
- Add an exploitation script
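The detection described above, reimplemented as a stand-alone check (an added example, not the Nmap script's own code): it builds the "?-s" probe URL, matches the script's pattern against the body, and, going one step beyond the script in the direction of the first TODO item, also fetches the same URI without the switch so that a page which legitimately emits highlight_string() output is reported as inconclusive rather than vulnerable. The host name target.example, the User-Agent string and the sample response bodies are constructed for the example.

```python
"""Stand-alone check for CVE-2012-1823 (php-cgi query-string argument injection).

Added example, not the Nmap script. It reproduces the script's test (request
<uri>?-s and look for highlighted source) and adds a baseline comparison to
reduce false positives from pages that already emit highlight_string() output.
"""
import re
import urllib.error
import urllib.request

# Pattern named in the script description. In a regex the trailing "?" makes
# the "<" optional, so the effective test is "a styled <span> tag", which is
# what php-cgi -s (highlight_string) emits and ordinary pages rarely contain.
HIGHLIGHT_RE = re.compile(r'<span style=.*><?', re.DOTALL)

# Only the -s (source disclosure) switch from the advisory is probed here.
PROBE_SWITCH = "-s"


def url_for(host, uri="/index.php", port=80, scheme="http", query=None):
    """Build http://host:port/uri[?query] without touching the query string."""
    if not uri.startswith("/"):
        uri = "/" + uri
    url = f"{scheme}://{host}:{port}{uri}"
    return f"{url}?{query}" if query is not None else url


def probe_url(host, uri="/index.php", port=80, scheme="http"):
    """Probe URL. The query string must be the bare switch with no '=' in it:
    RFC 3875 (CGI) only turns a query string without '=' into command-line
    arguments, which is the behaviour php-cgi mishandled. "?-s=1" would not
    trigger the bug."""
    return url_for(host, uri, port, scheme, query=PROBE_SWITCH)


def baseline_url(host, uri="/index.php", port=80, scheme="http"):
    """Same resource without the switch, used to rule out false positives."""
    return url_for(host, uri, port, scheme)


def looks_highlighted(body):
    """True if the body looks like php-cgi's colour-highlighted source dump."""
    return HIGHLIGHT_RE.search(body) is not None


def classify(baseline_body, probe_body):
    """Return 'vulnerable', 'not vulnerable' or 'inconclusive'.

    Vulnerable only if the '?-s' response is highlighted while the plain
    request is not; if the plain page is already highlighted (for example a
    code viewer built on highlight_string), the probe proves nothing.
    """
    if not looks_highlighted(probe_body):
        return "not vulnerable"
    if looks_highlighted(baseline_body):
        return "inconclusive"
    return "vulnerable"


def fetch(url, timeout=10):
    """GET a URL and return the body as text, including error responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2012-1823-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", errors="replace")


def check(host, uri="/index.php", port=80):
    """Run the baseline and probe requests against a host and classify."""
    return classify(fetch(baseline_url(host, uri, port)),
                    fetch(probe_url(host, uri, port)))


# Constructed sample bodies (not captured from a real host) for offline use.
SAMPLE_PLAIN = "<html><body><h1>Welcome</h1></body></html>"
SAMPLE_SOURCE_DUMP = (
    '<code><span style="color: #000000">\n'
    '<span style="color: #0000BB">&lt;?php&nbsp;</span>'
    '<span style="color: #007700">echo&nbsp;</span>'
    '<span style="color: #DD0000">"Welcome"</span>'
    '<span style="color: #007700">;</span>\n'
    '</span>\n</code>'
)

if __name__ == "__main__":
    print(probe_url("target.example", "/test.php"))         # http://target.example:80/test.php?-s
    print(classify(SAMPLE_PLAIN, SAMPLE_SOURCE_DUMP))        # vulnerable
    print(classify(SAMPLE_SOURCE_DUMP, SAMPLE_SOURCE_DUMP))  # inconclusive
```

To run it against a live host call check("host", "/index.php"); the baseline request is cheap and turns the single-pattern match into a differential test, which is the cheapest available answer to the script's first TODO item.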
Script arguments:
http-vuln-cve2012-1823.uri  URI to request. Default: /index.php
Usage
nmap -sV --script http-vuln-cve2012-1823 <target>
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>
Example output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2012-1823:
|   VULNERABLE:
|   PHP-CGI Remote code execution and source code disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:2012-1823
|     Description:
|       According to PHP's website, "PHP is a widely-used general-purpose
|       scripting language that is especially suited for Web development and
|       can be embedded into HTML." When PHP is used in a CGI-based setup
|       (such as Apache's mod_cgid), the php-cgi receives a processed query
|       string parameter as command line arguments which allows command-line
|       switches, such as -s, -d or -c to be passed to the php-cgi binary,
|       which can be exploited to disclose source code and obtain arbitrary
|       code execution.
|     Disclosure date: 2012-05-03
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
|_      http://ompldr.org/vZGxxaQ
Author: Paulino Calderon
License: (page compiled by VER007, http://www.ver007.com)