Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823)
From: Paulino Calderon <paulino () calderonpale com>
Date: Tue, 08 May 2012 00:57:46 -0500

On 04/05/2012 12:30 p.m., Paulino Calderon wrote:
Hi list,

Here is my script for detecting vulnerable PHP-CGI setups (CVE2012-1823). This is a pretty scary vuln as it affects a lot of installations. Here is the full advisory: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ I'm going to look more into it to write a reliable exploitation script too. So far it seems the -r flag is not available in all the setups and we will need to exploit via RFI to be 100% accurate.

Cheers.

-- @usage
-- nmap -sV --script http-vuln-cve2012-1823 <target>
-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2012-1823:
-- |   VULNERABLE:
-- |   PHP-CGI Remote code execution and source code disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:2012-1823
-- |     Description:
-- | According to PHP's website, "PHP is a widely-used general-purpose -- | scripting language that is especially suited for Web development and -- | can be embedded into HTML." When PHP is used in a CGI-based setup -- | (such as Apache's mod_cgid), the php-cgi receives a processed query -- | string parameter as command line arguments which allows command-line -- | switches, such as -s, -d or -c to be passed to the php-cgi binary, -- | which can be exploited to disclose source code and obtain arbitrary
-- |       code execution.
-- |     Disclosure date: 2012-05-3
-- |     Extra information:
-- |       Proof of Concept:/index.php?-s
-- |     References:
-- |       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
-- |_      http://ompldr.org/vZGxxaQ
--
-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
This was commited as r28545.
Cheers!

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault