phuip-fpizdam
implement attack that uses only .php endings
This is an attempt to fix #1.
The attack works (but it needs POST requests now).
However, I haven't come up with any detection method which is short enough.
The `output_handler=md5` is short enough, why not?
So is `open_basedir=/x`.
Hi @orangetw, thank you for looking into this.
The problem with `output_handler=md5` is that it will corrupt the configuration of running workers to the point that it prevents the output from being shown. I guess that `open_basedir=/x` will do the same (not sure if it will be applied to the path of the main script itself or only to the paths of the included scripts). We'll need to clear the environment somehow, and I don't have any 100% method of doing this.
I've thought about something like `session.auto_start=1` that doesn't corrupt the output, but is still possible to detect. Are you aware of something like this?
Hi, I didn't see that in my environments. I am trying to develop my own exploit. I use `/PHP_VALUE\noutput_handler=md5;.php` to check if it's vulnerable and reset it back quickly by `/PHP_VALUE\noutput_handler=;;;;.php`.
Could you explain more about the corrupted output?
I was afraid that the second request may go to another php-fpm worker, so the poisoned worker will remain with `output_handler=md5`. During my tests even ~50 reset attempts were not enough sometimes.
By "corrupted output" I meant just the fact that the worker with `output_handler=md5` will print only the md5 hash of the original output, so we can't get it.
OK, got it! Thanks :D
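From the defender's side, the request shape discussed in this thread (a newline in the request target, followed by a `PHP_VALUE` or `PHP_ADMIN_VALUE` ini directive) stands out in web-server access logs, because a raw newline never belongs in a legitimate URL. The following scanner is an added example, not code from the phuip-fpizdam project or from anyone in this thread; the log lines are constructed, and the log format is assumed to be the common nginx/Apache "combined" format. It flags every target with a newline and raises the severity when the newline is paired with a directive injection, extracting the directive so an analyst can see what was pushed at the worker.

```python
"""Flag access-log requests that carry a newline plus a PHP_VALUE /
PHP_ADMIN_VALUE php.ini directive in the request target.

Added example for this thread; the log lines below are constructed and the
combined log format is an assumption, not data from the project.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format). Lines 2-4 mimic the URL
# shape discussed in the thread; lines 1 and 5 are benign controls.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2019:12:00:02 +0000] "GET /PHP_VALUE%0Aoutput_handler=md5;.php HTTP/1.1" 200 32 "-" "curl/7.64.0"
203.0.113.9 - - [10/Oct/2019:12:00:03 +0000] "GET /PHP_VALUE%0Aoutput_handler=;;;;.php HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.9 - - [10/Oct/2019:12:00:04 +0000] "POST /a.php?%0APHP_ADMIN_VALUE%20open_basedir=/x HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.2 - - [10/Oct/2019:12:00:05 +0000] "GET /news.php?id=PHP_VALUE HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# First token is the client IP; the quoted request line holds method, target, version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)

# A php.ini directive (name=value) directly after PHP_VALUE / PHP_ADMIN_VALUE,
# with optional whitespace (including the injected newline) in between.
DIRECTIVE_RE = re.compile(r'PHP_(?:ADMIN_)?VALUE\s*([A-Za-z_.]+=[^;\n"]*)')


def decode_target(target):
    """Percent-decode repeatedly so double encoding (%250A) is also unwrapped."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target):
    """Return (severity, directive) for a decoded request target, or None if benign.

    A raw newline in the request target is the primary indicator. Pairing it
    with PHP_VALUE / PHP_ADMIN_VALUE raises the severity, because that is the
    shape of an ini-directive injection against php-fpm.
    """
    if "\n" not in target and "\r" not in target:
        return None
    m = DIRECTIVE_RE.search(target)
    if m:
        return ("high", m.group(1).strip())
    return ("medium", None)


def scan_log(text):
    """Parse each log line and collect findings as dicts (line, ip, method, severity, directive)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip
        verdict = classify_target(decode_target(m.group("target")))
        if verdict is None:
            continue
        severity, directive = verdict
        findings.append({
            "line": lineno,
            "ip": m.group("ip"),
            "method": m.group("method"),
            "severity": severity,
            "directive": directive,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner reports lines 2, 3 and 4 as high severity with the directives `output_handler=md5`, `output_handler=` and `open_basedir=/x`, and leaves the benign query string containing the bare word `PHP_VALUE` alone. The repeated percent-decoding matters in practice: a single `unquote` would miss a `%250A` that the upstream server decodes once more before php-fpm sees it.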