module
PHP CGI Argument Injection
| Disclosed | Created |
|---|---|
| 2012-05-03 | 2018-05-30 |
Disclosed
2012-05-03
Created
2018-05-30
Description
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to
an argument injection vulnerability. This module takes advantage of
the -d flag to set php.ini directives to achieve code execution.
From the advisory: "if there is NO unescaped '=' in the query string,
the string is split on '+' (encoded space) characters, urldecoded,
passed to a function that escapes shell metacharacters (the "encoded in
a system-defined manner" from the RFC) and then passes them to the CGI
binary." This module can also be used to exploit the plesk 0day disclosed
by kingcope and exploited in the wild on June 2013.
an argument injection vulnerability. This module takes advantage of
the -d flag to set php.ini directives to achieve code execution.
From the advisory: "if there is NO unescaped '=' in the query string,
the string is split on '+' (encoded space) characters, urldecoded,
passed to a function that escapes shell metacharacters (the "encoded in
a system-defined manner" from the RFC) and then passes them to the CGI
binary." This module can also be used to exploit the plesk 0day disclosed
by kingcope and exploited in the wild on June 2013.
Authors
egypt egypt@metasploit.com
hdm x@hdm.io
jjarmoc
kingcope
juan vazquez juan.vazquez@metasploit.com
hdm x@hdm.io
jjarmoc
kingcope
juan vazquez juan.vazquez@metasploit.com
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.