The Nginx FastCGI split path info vulnerability is a security bug triggered by a specially crafted request that takes advantage of a flaw in the way Nginx handles FastCGI. Specifically, when an attacker includes a newline character (%0a) in the request, the FastCGI split path info regular expression breaks, resulting in an empty PATH_INFO variable. The empty value in turn causes a logic failure in PHP-FPM, allowing an attacker to execute code remotely.

To trigger this vulnerability, a specific configuration must be present in the nginx.conf file. This configuration includes a location directive that matches any URL ending with '.php' and a fastcgi_split_path_info directive that is used to split the path information from the PHP file. The fastcgi_param directive is then used to pass the PATH_INFO variable to PHP-FPM.

An attacker can exploit this vulnerability by crafting a request that includes a newline character (%0a) in the URL, which breaks the regular expression used by the fastcgi_split_path_info directive. This causes the PATH_INFO variable to be empty, triggering the vulnerability.
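The failure mode described above, as an added example that is not part of the original page: it models the split with an assumed regex `^(.+?\.php)(/.*)$` (the page does not quote the pattern) and flags access-log lines whose `.php` path carries an encoded newline that leaves PATH_INFO empty. The function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed split regex (a pattern commonly used with fastcgi_split_path_info;
# the page does not quote one). '.' does not match a newline by default.
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed access-log lines, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php/user/42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php/a%0Ab?x=1 HTTP/1.1" 502 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 90',
]

def split_path_info(uri):
    """Model the split on a decoded URI; returns (script_name, path_info)."""
    match = SPLIT_RE.match(uri)
    if match is None:
        # The regex did not match: modelled here as the whole URI becoming
        # the script name while PATH_INFO stays empty.
        return uri, ""
    return match.group(1), match.group(2)

def suspicious_requests(log_lines):
    """Return request targets whose .php path has a newline that empties PATH_INFO."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Drop the query string, then percent-decode the path before matching.
        path = unquote(m.group(1).split("?", 1)[0])
        if ".php" in path and "\n" in path and split_path_info(path)[1] == "":
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for target in suspicious_requests(SAMPLE_LOG):
        print("encoded newline breaks PATH_INFO split:", target)
```
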

To demonstrate this vulnerability, the following steps can be taken:

1. Install the VulnHub image on Kali and create a directory for the experiment.
2. Access the webpage at 192.168.19.128:8080.
3. Clone the publicly available proof-of-concept (POC) repository from GitHub, which includes the vulnerability exploit.
4. Compile the Go language environment on Kali and install the POC package.
5. Run the exploit using the command `go run . http://192.168.19.128:8080/index.php`.
6. Use the parameter `a` to pass a command to the webpage, which can be used to execute arbitrary system commands.

For example, to view the contents of /etc/passwd, the following URL can be used: `http://192.168.19.128:8080/?a=cat%20/etc/passwd`.

Note: To install the Go language environment on Kali, refer to the provided CSDN link: https://blog.csdn.net/WHQ556677/article/details/122283509