May 5, 2012

NMAP Script - NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823)

Here is my script for detecting vulnerable PHP-CGI setups (CVE2012-1823). This is a pretty scary vuln as it affects a lot of installations. Here is the full advisory: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ I'm going to look more into it to write a reliable exploitation script too. So far it seems the -r flag is not available in all the setups and we will need to exploit via RFI to be 100% accurate.

Cheers.

-- @usage
-- nmap -sV --script http-vuln-cve2012-1823 <target>
-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2012-1823:
-- |   VULNERABLE:
-- |   PHP-CGI Remote code execution and source code disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:2012-1823
-- |     Description:
-- |       According to PHP's website, "PHP is a widely-used general-purpose
-- |       scripting language that is especially suited for Web development and
-- |       can be embedded into HTML." When PHP is used in a CGI-based setup
-- |       (such as Apache's mod_cgid), the php-cgi receives a processed query
-- |       string parameter as command line arguments which allows command-line
-- |       switches, such as -s, -d or -c to be passed to the php-cgi binary,
-- |       which can be exploited to disclose source code and obtain arbitrary
-- |       code execution.
-- |     Disclosure date: 2012-05-3
-- |     Extra information:
-- |       Proof of Concept:/index.php?-s
-- |     References:
-- |       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
-- |_      http://ompldr.org/vZGxxaQ
--
-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn



Download : http://seclists.org/nmap-dev/2012/q2/att-239/http-vuln-cve2012-1823.nse



Source: http://seclists.org/nmap-dev/2012/q2/239
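
A log-side check to complement the scan, as an added example that is not part of the original post or of the NSE script: it flags access-log requests whose query string would reach php-cgi as command-line switches, like the /index.php?-s proof of concept in the script output above. It assumes Common/Combined Log Format and the CGI rule (RFC 3875) that a query string with no unencoded "=" is split on "+" and URL-decoded into arguments; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An argument that php-cgi would read as a switch, e.g. -s, -d or -c
SWITCH_RE = re.compile(r"^-[A-Za-z]")


def suspicious_switches(target):
    """Return the switch-like arguments a CGI wrapper would pass to php-cgi."""
    _path, sep, query = target.partition("?")
    # Assumption (RFC 3875): only a query without an unencoded "=" becomes
    # command-line arguments, so the test is made on the raw query string.
    if not sep or not query or "=" in query:
        return []
    # Arguments are split on "+" and then URL-decoded, so %2D also yields "-".
    args = [unquote(part) for part in query.split("+")]
    return [arg for arg in args if SWITCH_RE.match(arg)]


def scan(log_lines):
    """Return (line_number, target, switches) for each request to review."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        switches = suspicious_switches(match.group("target"))
        if switches:
            hits.append((number, match.group("target"), switches))
    return hits


# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/May/2012:10:00:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 900',
    '192.0.2.12 - - [05/May/2012:10:00:03 +0000] "GET /test.php?%2Ds HTTP/1.1" 200 4800',
    '192.0.2.13 - - [05/May/2012:10:00:04 +0000] "GET /index.php?id=-s HTTP/1.1" 200 910',
    '192.0.2.14 - - [05/May/2012:10:00:05 +0000] "GET /search.php?php+cgi HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, target, switches in scan(SAMPLE_LOG):
        print(f"line {number}: {target} -> {switches}")
```

A hit only shows that a switch-shaped query was requested; whether the host was affected still depends on the PHP-CGI setup, which is what the NSE script checks.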
