CVE-2019-11043 PHP RCE 复现

这里用的是Docker 镜像

docker pull php:7.2.3-fpm
docker pull nginx

然后启动一个php 

 echo '<?php phpinfo();>' /var/www/html/index.php
docker run --name phpfpm -d -v /var/www/html:/app docker.io/php

然后配置然后是Nginx 的配置文件

文件放在/root/nginx.conf

user  root root;
worker_processes auto;
error_log  /tmp/nginx_error.log  crit;
pid        /tmp/nginx.pid;
worker_rlimit_nofile 51200;

events
    {
        use epoll;
        worker_connections 51200;
        multi_accept on;
    }

http
    {
        include       mime.types;
        default_type  application/octet-stream;
        server_names_hash_bucket_size 512;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;

server
    {
        listen 80;
        server_name www.test.cn;
        index index.html index.htm index.php;
        root  /app;
        
		location ~ [^/]\.php(/|$){
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;

        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_index index.php;
        fastcgi_param  REDIRECT_STATUS    200;
        fastcgi_param  SCRIPT_FILENAME /app$fastcgi_script_name;
        fastcgi_param  DOCUMENT_ROOT /app;
        fastcgi_pass phpfpm:9000;
		}

        access_log  /tmp/access.log;
    }
}

启动Nginx

docker run --name nginx_server -d -p 8080:80 --link phpfpm:phpfpm -v /root/nginx.conf:/etc/nginx/nginx.conf --volumes-from phpfpm  nginx

访问一下测试OK

然后下载工具

https://github.com/neex/phuip-fpizdam:

然后访问

http://your-ip:8080/index.php?a=id