
I'm trying to use the "Php reverse shell" for school purposes on my clean installed Ubuntu 14.04. I configured my Apache/PHP/MySQL as I do normally.

I need to get the php-function "pcntl_fork()" working. In order to get it working, I need to use PHP-CGI, but I'm not able to get it to work after 6 hours of trying.

This is the last tutorial I followed: http://www.binarytides.com/setup-apache-php-cgi-ubuntu/

I had some troubles and now I'm trying to solve them. This is what my .conf file looks like at the moment:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ScriptAlias /cgi-bin/ /usr/bin/

    Action cgi-handler /cgi-bin/php-cgi
    AddHandler cgi-handler .php

    <Directory /usr/bin>
        Require all granted
        Options FollowSymLinks
    </Directory>

    <Directory /var/www/html/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

I'm getting this error:

404 - Not Found

The requested URL /cgi-bin/php-cgi/test.php was not found on this server.

Can someone help me? Thank you in advance.

Edit: I already tried FastCGI, but pcntl_fork() still refused to work.

KingFox


Short version:

Supposing the requested URL was http://some.host/test.php, with your Apache configuration a php-cgi executable should be placed in the /usr/bin folder and should be executable by the Apache user. Also, the test.php script should be present in /var/www/html.

Long/Complete version:

Based on the configuration you reported, when requesting the URL http://some.host/test.php, among lots of other things, your Apache will:

  • see that it's a request ending in ".php", and hence, due to the AddHandler directive and related Action, decide it needs to launch a "/cgi-bin/php-cgi" CGI application;

  • as for the ScriptAlias directive, decide that the "/cgi-bin/php-cgi" CGI application is mapped, within the underlying file-system, to the "/usr/bin/php-cgi" full pathname. Hence...

  • Apache will launch "/usr/bin/php-cgi" (that should exist and be executable by Apache), taking care to add a reference to the real script to be executed (by PHP; in your case "test.php") by defining several environment variables (PATH_INFO, PATH_TRANSLATED, QUERY_STRING, SCRIPT_NAME and others).

Due to the above, supposing "/usr/bin/php-cgi" exists in your file-system and is executable by your Apache:

  • the following environment variables are defined (by Apache):

SCRIPT_NAME: /cgi-bin/php-cgi
PATH_INFO: /test.php
PATH_TRANSLATED: /var/www/html/test.php

  • with the above environment, /usr/bin/php-cgi is launched;

  • once started, php-cgi will search for the script to execute, as specified by the PATH_TRANSLATED environment variable;

  • php-cgi will try to open and read "/var/www/html/test.php" and...

  • execute it.

As your Apache is searching /cgi-bin/php-cgi/test.php, I suspect it's not recognizing the php-cgi executable within the /usr/bin folder.

I suggest double-checking your whole configuration, ensuring that:

  • php-cgi is an executable within /usr/bin. Please note that common Ubuntu does use a /usr/bin/php5-cgi binary (with an added "5");
  • your PHP scripts are stored within /var/www/html;
  • your URLs are in the form: http://some.host/test.php;
  • in case of further problems, check your logfile, commonly located at /var/log/apache/error.log.

A final note

I strongly disagree with having the whole /usr/bin accessible for CGI applications: please consider storing your CGIs somewhere else (/var/www/cgi-bin or /usr/lib/cgi-bin or whatever), especially if yours is a "public" web-server.

Damiano Verzulli
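To make the walkthrough above concrete, here is an added Python example (my own code, not part of the answer and not how Apache is implemented) that replays the AddHandler/Action/ScriptAlias chain for a request path, producing the executable and the SCRIPT_NAME/PATH_INFO/PATH_TRANSLATED values the answer lists, and flags a ScriptAlias that points at a system binary directory, which the final note warns against. The directive subset it parses and the SYSTEM_BIN_DIRS list are assumptions; real Apache matching is more involved than this prefix check.

```python
from pathlib import PurePosixPath

# Constructed input: the asker's VirtualHost reduced to the four directives
# that drive the Action/ScriptAlias chain the answer walks through.
VHOST_CONF = """
DocumentRoot /var/www/html
ScriptAlias /cgi-bin/ /usr/bin/
Action cgi-handler /cgi-bin/php-cgi
AddHandler cgi-handler .php
"""

# Aliasing one of these makes every binary in it a web-reachable CGI program.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def parse_conf(text):
    """Collect DocumentRoot, ScriptAlias, Action and AddHandler directives."""
    conf = {"actions": {}, "handlers": {}}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "DocumentRoot":
            conf["docroot"] = args[0].rstrip("/")
        elif key == "ScriptAlias":
            conf["script_alias"] = (args[0], args[1])
        elif key == "Action":                      # handler name -> CGI URL
            conf["actions"][args[0]] = args[1]
        elif key == "AddHandler":                  # extension -> handler name
            for ext in args[1:]:
                conf["handlers"]["." + ext.lstrip(".").lower()] = args[0]
    return conf

def resolve(conf, url_path):
    """Replay Apache's handling of one request path; None if no CGI handler applies."""
    handler = conf["handlers"].get(PurePosixPath(url_path).suffix.lower())
    if handler is None or handler not in conf["actions"]:
        return None                                # served as a plain file
    script_name = conf["actions"][handler]         # e.g. /cgi-bin/php-cgi
    url_prefix, fs_prefix = conf["script_alias"]
    if not script_name.startswith(url_prefix):
        raise ValueError(f"{script_name} not covered by ScriptAlias {url_prefix}")
    return {
        # The file that must exist and be executable by Apache, else a 404 results.
        "executable": fs_prefix + script_name[len(url_prefix):],
        "SCRIPT_NAME": script_name,
        "PATH_INFO": url_path,
        "PATH_TRANSLATED": conf["docroot"] + url_path,
        "exposes_system_bin": fs_prefix in SYSTEM_BIN_DIRS,
    }
```

Swapping the ScriptAlias target for /usr/lib/cgi-bin/ keeps the same resolution for /test.php while clearing the exposes_system_bin flag, which is the change the final note recommends.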
  • Hey, thanks for the large explanation. When I try your short version, I go to http://localhost/test.php. I get: The requested URL /cgi-bin/php-cgi/test.php was not found on this server. I go to http://localhost/cgi-bin/test.php, I get: The requested URL /cgi-bin/php-cgi/cgi-bin/test.php was not found on this server. I really don't understand what's going on and why it's handling that way... :/ – KingFox Dec 27 '14 at 08:49
  • @JVos: can you confirm /usr/bin/php-cgi exists on your filesystem? Please note that, as far as I know, common ubuntu provides /usr/bin/php5-cgi (so, with a "5" added). – Damiano Verzulli Dec 27 '14 at 08:56
  • /usr/bin/php-cgi exists, it's not a folder, it's a directive (I don't know what it's called in English :p ) to /etc/alternatives/php-cgi, do I have to change it? /usr/bin/php5-cgi does exist. I tried to change my conf file: "Action cgi-handler /cgi-bin/php5-cgi" When I navigate to localhost/test.php, error 404: "The requested URL /cgi-bin/php5-cgi/test.php was not found on this server." I don't understand why it won't convert /cgi-bin/ into /usr/bin/... Thank you for helping me. – KingFox Dec 27 '14 at 11:41
  • After changing the conf file, have you restarted apache (so to load the new config)? – Damiano Verzulli Dec 27 '14 at 11:48
  • Also, with current config, please try http://your.host/cgi-bin/test.php – Damiano Verzulli Dec 27 '14 at 11:50
  • Thanks for being my hero! :D ServerAdmin webmaster@localhost DocumentRoot /var/www/html ScriptAlias /cgi-bin/ /usr/bin/ Action cgi-handler /cgi-bin/php5-cgi AddHandler cgi-handler .php Require all granted Options FollowSymLinks Options Indexes FollowSymLinks MultiViews AllowOverride All Order Allow,Deny Allow from all – KingFox Dec 27 '14 at 12:52
  • @JVos: does it mean it worked? Please, let us know. – Damiano Verzulli Dec 27 '14 at 13:07
  • Yes, it's working! I'm now able to play around with php reverse shell. Thanks! – KingFox Dec 27 '14 at 13:45
  • @j-vos: I've rewritten my answer as... it contained errors: I was not taking into account that when running with AddHandler/Action PHP scripts can reside also outside the cgi-bin. Now it should be OK. – Damiano Verzulli Dec 27 '14 at 16:22
  • Be sure you have `mod_cgi` and `mod_actions` enabled as well – farinspace Jul 28 '19 at 14:17