File http-vuln-cve2012-1823

Script types: portrule
Categories: exploit, vuln, intrusive
Download: http://nmap.org/svn/scripts/http-vuln-cve2012-1823.nse

User Summary

Detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This critical vulnerability allows attackers to retrieve source code and execute code remotely.

The script works by appending "?-s" to the URI to make vulnerable php-cgi handlers return colour syntax-highlighted source. We use the pattern "<span style=.*>&lt;?" to detect vulnerable installations.
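
The check described above, as an added Python example (it is not the Nmap script itself, which is written in Lua, and not code from the script's authors): it builds the probe URI from the script's uri argument, applies the page's detection pattern to a response body, and then compares the "?-s" response with the unmodified page. That comparison step is my own refinement for reducing false positives, not something the page attributes to the script, and the sample response bodies are constructed.

```python
import re

# The detection pattern quoted on this page. It is compiled with re.DOTALL
# because Lua's "." also matches newlines. The trailing "?" makes the
# preceding ";" optional in both Lua patterns and Python regexes, so the
# pattern matches the HTML-escaped "<" that opens a highlighted "<?php" tag.
HIGHLIGHT_PATTERN = re.compile(r"<span style=.*>&lt;?", re.DOTALL)


def build_probe_uri(uri="/index.php"):
    """Build the check request: the script's uri argument with "?-s" appended."""
    return uri + "?-s"


def looks_like_highlighted_source(body):
    """True when a response body matches the page's detection pattern."""
    return HIGHLIGHT_PATTERN.search(body) is not None


def assess(baseline_body, probe_body):
    """Compare the plain response with the "?-s" response.

    This comparison is an added refinement (assumption: the caller fetched
    both the original URI and the probe URI). Only a page that is clean
    without "?-s" but highlighted with it is reported as vulnerable; a site
    that renders highlighted PHP anyway (e.g. a code tutorial) would match
    the pattern on its own and is reported as inconclusive instead.
    """
    probe_hit = looks_like_highlighted_source(probe_body)
    baseline_hit = looks_like_highlighted_source(baseline_body)
    if not probe_hit:
        return "NOT VULNERABLE"
    if baseline_hit:
        return "INCONCLUSIVE"
    return "VULNERABLE"


# Constructed sample bodies (not real captures). The first mimics the HTML
# that PHP's source highlighter emits; the second is an ordinary page.
HIGHLIGHTED_SOURCE = (
    '<code><span style="color: #000000">\n'
    '<span style="color: #0000BB">&lt;?php&nbsp;</span>'
    '<span style="color: #007700">echo&nbsp;</span>'
    '<span style="color: #DD0000">"hello"</span>'
    '<span style="color: #007700">;</span>\n</span></code>'
)
NORMAL_PAGE = "<html><body><h1>hello</h1></body></html>"


if __name__ == "__main__":
    print(build_probe_uri("/index.php"))
    print(assess(NORMAL_PAGE, HIGHLIGHTED_SOURCE))  # VULNERABLE
    print(assess(NORMAL_PAGE, NORMAL_PAGE))         # NOT VULNERABLE
    print(assess(HIGHLIGHTED_SOURCE, HIGHLIGHTED_SOURCE))  # INCONCLUSIVE
```

The baseline comparison matters for defenders reviewing scanner findings: the pattern alone fires on any page that legitimately displays highlighted PHP, so a hit on the probe URI is only meaningful when the same page does not match without "?-s".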

CHANGELOG:
- Added a new detection mechanism that tries to run an "echo" command.
- Added an exploitation step that lets you define your own command (default: uname -a).

Script Arguments

http-vuln-cve2012-1823.uri

The URI to request. Default: /index.php

http-vuln-cve2012-1823.cmd

The command to run on a vulnerable host. Default: uname -a

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script http-vuln-cve2012-1823 <target>
nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2012-1823:
|   VULNERABLE:
|   PHP-CGI Remote code execution and source code disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:2012-1823
|     Description:
|       According to PHP's website, "PHP is a widely-used general-purpose
|       scripting language that is especially suited for Web development and
|       can be embedded into HTML." When PHP is used in a CGI-based setup
|       (such as Apache's mod_cgid), the php-cgi receives a processed query
|       string parameter as command line arguments which allows command-line
|       switches, such as -s, -d or -c to be passed to the php-cgi binary,
|       which can be exploited to disclose source code and obtain arbitrary
|       code execution.
|     Disclosure date: 2012-05-03
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
|_      http://ompldr.org/vZGxxaQ

Requires


Author: Paulino Calderon <calderon@websec.mx>, Paul AMAR <aos.paul@gmail.com>

License: Same as Nmap--See http://nmap.org/book/man-legal.html
