Pentesterlab--cve-2012-1823
All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. —– The Art of War
This course details the exploitation of the PHP CGI bug (CVE-2012-1823) and how an attacker can use it to retrieve arbitrary code and gain code execution on a server.
Difficulty: 2/5
Forces:
- Nmap
- NC
- Metasploit
Detail Assessment and Planning
- Port scan to identify open ports, running services and service versions. —– Nmap
- Check the PHP version and other HTTP headers. —– NC
- Exploit and get the shell. —– Metasploit
Waging War
Weaknesses and Strengths
Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.
![Nmap scan output](/images/blog/pentesterlab/cve_2012_1823/Selection_001.png)
By checking the application's HTTP headers with nc, I can get the PHP version.
![HTTP response headers returned to nc](/images/blog/pentesterlab/cve_2012_1823/Selection_002.png)
Attack
The PHP version is 5.3.3. If I search for vulnerabilities in this PHP version, I find that:
![Vulnerability search result for PHP 5.3.3](/images/blog/pentesterlab/cve_2012_1823/Selection_003.png)
This may be exploitable. Next I use Metasploit to verify that by searching for it in msfconsole.
Only one exploit pops up, which is exploit/multi/http/php_cgi_arg_injection.
Next, just set RHOST, LHOST and PAYLOAD (I use generic/shell_reverse_tcp). ATTACK!!!
![Metasploit session opened against the target](/images/blog/pentesterlab/cve_2012_1823/Selection_004.png)
Done.
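As an added defender-side example (not PentesterLab's code and not the author's), the following Python ties the two halves of this write-up together: it extracts the PHP version from the headers the way the nc step does and compares it against the first releases that fixed CVE-2012-1823 (5.3.12 and 5.4.2), and it scans Apache access-log lines for the request shape that php_cgi_arg_injection relies on, a query string with no `=` in it whose arguments start with `-`. The response headers and log lines below are constructed samples.

```python
"""Triage helpers for CVE-2012-1823 (PHP-CGI argument injection).

Added example, not part of the PentesterLab exercise or the original post.
Two checks a defender would run:
  1. fingerprint the PHP version from HTTP headers and compare it against
     the first fixed releases (5.3.12 for the 5.3 branch, 5.4.2 for 5.4);
  2. flag access-log requests whose query string would be handed to php-cgi
     as command-line arguments (RFC 3875: no unencoded '=' in the query,
     Apache splits on '+' and URL-decodes each piece), which is what the
     Metasploit module sends.
"""
import re
from urllib.parse import unquote

# Constructed sample of what the nc step in the write-up returns.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Constructed Apache combined-format log lines: two benign, two matching the bug.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2013:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "curl/7.26"',
    '10.0.0.9 - - [01/Jan/2013:10:00:03 +0000] "POST /index.php?%2dd+display_errors%3d1 HTTP/1.1" 200 90 "-" "curl/7.26"',
]

LOG_REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def php_version_from_headers(raw_response: str):
    """Return the PHP version advertised in X-Powered-By or Server, else None."""
    m = re.search(r"PHP/(\d+\.\d+\.\d+)", raw_response)
    return m.group(1) if m else None


def version_in_affected_range(version: str) -> bool:
    """True if the version predates the first fix for CVE-2012-1823.

    Affected: everything before 5.3.12, and 5.4.0 / 5.4.1. Distributions
    backport fixes without bumping the version, so a hit here is a lead
    to confirm, not proof of exposure.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts < (5, 3, 12):
        return True
    return (5, 4, 0) <= parts < (5, 4, 2)


def is_cgi_arg_injection(query: str) -> bool:
    """True if this raw query string would reach php-cgi as a '-...' option.

    Mirrors the mod_rewrite mitigation published with the advisory: the
    query contains no '=' and, once split on '+' and decoded, an argument
    begins with '-' (so an encoded '%2d' is caught as well).
    """
    if query == "" or "=" in query:
        return False
    return any(unquote(arg).startswith("-") for arg in query.split("+"))


def scan_access_log(lines):
    """Return (client_ip, request_target) for every request matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_REQUEST.match(line)
        if not m:
            continue
        target = m.group("target")
        query = target.partition("?")[2]
        if is_cgi_arg_injection(query):
            hits.append((m.group("ip"), target))
    return hits


if __name__ == "__main__":
    ver = php_version_from_headers(SAMPLE_HEADERS)
    print(f"PHP {ver}: in affected range = {version_in_affected_range(ver)}")
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {target}")
```

The log check deliberately ignores queries containing a literal `=`, because those are never passed as argv under the CGI spec; a query like `page=-1` is therefore not flagged, while `%2ds` is, since the dash only appears after decoding.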
![Game over](/images/blog/pentesterlab/shellshock/game_over.jpg)