Nmap Development mailing list archives
Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823)
From: Paulino Calderon <paulino () calderonpale com>
Date: Tue, 08 May 2012 00:57:46 -0500
On 04/05/2012 12:30 p.m., Paulino Calderon wrote:
> Hi list,
>
> Here is my script for detecting vulnerable PHP-CGI setups (CVE2012-1823). This is a pretty scary vuln as it affects a lot of installations. Here is the full advisory: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
>
> I'm going to look more into it to write a reliable exploitation script too. So far it seems the -r flag is not available in all the setups and we will need to exploit via RFI to be 100% accurate.
>
> Cheers.
>
> -- @usage
> -- nmap -sV --script http-vuln-cve2012-1823 <target>
> -- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>
> --
> -- @output
> -- PORT   STATE SERVICE REASON
> -- 80/tcp open  http    syn-ack
> -- | http-vuln-cve2012-1823:
> -- |   VULNERABLE:
> -- |   PHP-CGI Remote code execution and source code disclosure
> -- |     State: VULNERABLE (Exploitable)
> -- |     IDs:  CVE:2012-1823
> -- |     Description:
> -- |       According to PHP's website, "PHP is a widely-used general-purpose
> -- |       scripting language that is especially suited for Web development and
> -- |       can be embedded into HTML." When PHP is used in a CGI-based setup
> -- |       (such as Apache's mod_cgid), the php-cgi receives a processed query
> -- |       string parameter as command line arguments which allows command-line
> -- |       switches, such as -s, -d or -c to be passed to the php-cgi binary,
> -- |       which can be exploited to disclose source code and obtain arbitrary
> -- |       code execution.
> -- |     Disclosure date: 2012-05-3
> -- |     Extra information:
> -- |       Proof of Concept:/index.php?-s
> -- |     References:
> -- |       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
> -- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
> -- |_      http://ompldr.org/vZGxxaQ
> --
> -- @args http-vuln-cve2012-1823.uri URI. Default: /index.php
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
This was committed as r28545. Cheers!

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn
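The quoted description above explains the mechanism behind CVE-2012-1823: a CGI server that sees a query string with no `=` treats it as an indexed query and hands it to the CGI program as command-line arguments, which is how `?-s` reaches php-cgi as a switch. The following Python is an added illustration written for this archive page; it is not the NSE script and not code from the thread's author. It models that argv rule, flags query strings that would smuggle a switch, and checks a response body for the source-disclosure symptom the script's `-s` proof of concept produces. The PHP-like sample response is constructed here, and the "highlight_string" markers it looks for are an assumption about how PHP renders highlighted source.

```python
# Added example for the CVE-2012-1823 mechanism; not part of the nmap-dev thread
# or of http-vuln-cve2012-1823.nse.
import html
import urllib.parse


def cgi_argv_from_query(query_string: str) -> list:
    """Model the CGI/1.1 'indexed query' rule (RFC 3875, section 4.4).

    When QUERY_STRING contains no unencoded '=', the web server splits it on
    '+', URL-decodes each piece and passes the pieces to the CGI program as
    command-line arguments. Unpatched php-cgi then parsed those arguments as
    its own switches, which is the root cause of CVE-2012-1823.
    """
    if "=" in query_string:
        return []  # ordinary form query: nothing is placed on argv
    return [urllib.parse.unquote(part) for part in query_string.split("+") if part]


def is_switch_injection(query_string: str) -> bool:
    """True if the query would put a leading-dash token on php-cgi's argv.

    This is the same condition (no '=' and a literal or %2d-encoded dash) that
    the widely circulated mod_rewrite workaround rejected while sites waited
    for a fixed PHP build.
    """
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query_string))


def looks_like_source_disclosure(body: str) -> bool:
    """Heuristic for the -s symptom: PHP source came back instead of output.

    Assumption: php-cgi -s runs highlight_string(), whose HTML begins with
    '<code><span style="color: ...">' and contains the escaped '<?php' tag.
    A normal page render contains neither.
    """
    return '<code><span style="color:' in body and "<?php" in html.unescape(body)


# Constructed sample bodies (not captured from any real host).
SAMPLE_DISCLOSED_BODY = (
    '<code><span style="color: #000000">\n'
    '<span style="color: #0000BB">&lt;?php&nbsp;</span>'
    '<span style="color: #007700">echo&nbsp;</span>'
    '<span style="color: #DD0000">"hello"</span>'
    '<span style="color: #007700">;&nbsp;</span>'
    '<span style="color: #0000BB">?&gt;</span>\n</span>\n</code>'
)
SAMPLE_NORMAL_BODY = "<html><body>hello</body></html>"


def assess(query_string: str, body: str) -> str:
    """Combine both checks into the verdict an admin wants for their own host."""
    if is_switch_injection(query_string) and looks_like_source_disclosure(body):
        return "VULNERABLE: query string reached php-cgi as a switch and source was returned"
    if is_switch_injection(query_string):
        return "not vulnerable: switch-style query was sent but the page rendered normally"
    return "inconclusive: query string was not in switch-injecting form"


if __name__ == "__main__":
    for qs, body in (("-s", SAMPLE_DISCLOSED_BODY), ("-s", SAMPLE_NORMAL_BODY),
                     ("page=1", SAMPLE_NORMAL_BODY)):
        print(f"?{qs}: argv={cgi_argv_from_query(qs)} -> {assess(qs, body)}")
```

The durable fix is upgrading PHP to a release that contains the CGI argument handling fix; the query-string filter modelled in `is_switch_injection` only blocks the delivery path and is the kind of stopgap a reverse proxy or rewrite rule can enforce in the meantime. Note that `%2ds` decodes to `-s`, so a filter that only looks for a literal dash before decoding misses it.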