Pentesterlab--cve-2012-1823

All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. —– The Art of War

This course details the exploitation of the PHP CGI bug (CVE-2012-1823) and how an attacker can use it to retrieve arbitrary code and gain code execution on a server using this bug.

Difficulty: 2/5

Forces:

  • Nmap
  • NC
  • Metasploit

Detail Assessment and Planning

  • Port scan to identify open ports, running services and service versions. —– Nmap
  • Check the PHP version and other HTTP headers. —– NC
  • Exploit and get the shell. —– Metasploit

Waging War

Weaknesses and Strengths

Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.

By checking the application's HTTP headers with nc, I can get the PHP version.

GET / HTTP/1.1
Host: 192.168.79.166

Attack

The PHP version is 5.3.3. Searching for known vulnerabilities in this PHP version, I find that:

This may be exploitable. Next, I use Metasploit to verify it. In msfconsole:

search php_cgi

Only one exploit pops up: exploit/multi/http/php_cgi_arg_injection.

Next, set RHOST, LHOST and PAYLOAD (I use generic/shell_reverse_tcp) and run the exploit. ATTACK!!!

Done.
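As an added example (not part of this write-up, and not PentesterLab's or Metasploit's code), here is a small detector for the request pattern behind exploit/multi/http/php_cgi_arg_injection, run over constructed Apache access-log lines. It relies on the published CVE-2012-1823 behaviour that a query string containing no literal '=' is handed to php-cgi as command-line arguments, so a decoded query beginning with '-' is parsed as an option; the log format and the sample entries are assumptions.

```python
# Added example: flag access-log requests matching the CVE-2012-1823 pattern.
# Per the CVE description, Apache passes a query string with no literal '='
# to php-cgi as argv (RFC 3875 "indexed query"), so a decoded query starting
# with '-' becomes a php-cgi option. Checking the RAW query for '=' and the
# DECODED query for a leading '-' also catches %2d (encoded dash) and %3D
# (encoded '=', the CVE-2012-2311 bypass of the first fix).
import re
from urllib.parse import unquote_plus

# Apache combined-log format (assumed); only the request line is used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_cgi_arg_injection(target: str) -> bool:
    """True if the request target's query would reach php-cgi as argv
    and would be read as an option."""
    if "?" not in target:
        return False
    raw_query = target.split("?", 1)[1]
    if raw_query == "" or "=" in raw_query:   # literal '=' => not argv mode
        return False
    decoded = unquote_plus(raw_query)         # '+' -> space, %xx decoded
    return decoded.lstrip().startswith("-")

def scan_log(lines):
    """Return (client_ip, method, target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        if is_cgi_arg_injection(target):
            hits.append((ip, method, target, int(status)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2012:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/May/2012:10:00:02 +0000] "GET /index.php?-x=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/May/2012:10:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/May/2012:10:00:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/May/2012:10:00:05 +0000] "POST /index.php?-s+a%3Db HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("CVE-2012-1823 pattern:", hit)
```

The second sample line is not flagged because its literal '=' keeps Apache from passing the query as arguments; the last three are, including the encoded-dash and encoded-'=' variants.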