PHP-CGI Query String Argument Injection RCE
CVE-2012-1823 is a remote code execution vulnerability in PHP's CGI SAPI (sapi/cgi/cgi_main.c), affecting PHP before 5.3.12 and PHP 5.4.x before 5.4.2 when PHP is deployed as a CGI executable (php-cgi). The CGI specification (RFC 3875) tells a web server that a query string containing no unencoded '=' is a "search string": the server splits it on '+', URL-decodes each piece, and passes the pieces to the CGI program as command-line arguments. php-cgi handed those arguments to its normal option parser (php_getopt), so an attacker could supply php-cgi options through the URL. Two options matter most: -s prints the requested script's source instead of running it (source disclosure), and -d name=value overrides any php.ini directive. The well-known RCE chain sets allow_url_include=1 and auto_prepend_file=php://input via -d, so that PHP code placed in the POST body is prepended to, and executed before, the requested script; the '=' inside each directive is sent as %3d so the raw query string still contains no '='. Only the CGI SAPI is affected: mod_php and php-fpm do not pass query strings through php_getopt. The first fix in 5.3.12/5.4.2 was incomplete (tracked as CVE-2012-2311); the problem was fully addressed in 5.3.13 and 5.4.3.
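The following is an added example, not code from this page or from any of the exploit repositories listed below. It models the three stages that turn a URL into php-cgi options (attacker encodes the query string, the web server splits it into argv per RFC 3875, php-cgi's option parser honours -d/-s/-n) and the request filter that PHP published as a stopgap alongside the fix. The function names, the simplified php_getopt model, and the sample query strings are this example's own; it does not send any traffic.

```python
# Added example (not from the page or the listed repositories): a model of the
# CVE-2012-1823 parsing chain plus PHP's published stopgap filter. The function
# names and sample query strings are assumptions made for this illustration.
import re
from urllib.parse import quote, unquote


def build_attack_query(ini_overrides: dict[str, str]) -> str:
    """Attacker side: emit -d name=value pairs joined with '+', with every '='
    percent-encoded so the raw query string contains no literal '='."""
    parts = []
    for name, value in ini_overrides.items():
        parts.append("-d")
        parts.append(quote(f"{name}={value}", safe="/:"))  # keep php://input readable
    return "+".join(parts)


def cgi_argv_from_query(query_string: str) -> list[str]:
    """Web server side (RFC 3875 section 4.4, as Apache mod_cgi does it): a
    query string with no unencoded '=' is a search string. Split on '+',
    URL-decode each piece, and pass the pieces as argv to the CGI program."""
    if not query_string or "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+")]


def parse_php_cgi_options(argv: list[str]) -> tuple[dict[str, str], set[str]]:
    """php-cgi side: the subset of php_getopt() behaviour the bug exposed.
    -d name=value (attached, or as the next argv entry) overrides an ini
    setting; -s dumps highlighted source instead of running the script;
    -n skips php.ini. Unpatched php-cgi honoured all of these in CGI mode."""
    ini: dict[str, str] = {}
    flags: set[str] = set()
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):          # -d <value>
            name, _, value = argv[i + 1].partition("=")
            ini[name] = value
            i += 2
            continue
        if arg.startswith("-d") and len(arg) > 2:       # -d<value>
            name, _, value = arg[2:].partition("=")
            ini[name] = value
        elif arg in ("-s", "-n"):
            flags.add(arg)
        i += 1
    return ini, flags


_DASH = re.compile(r"%2d|-", re.IGNORECASE)


def should_block(query_string: str) -> bool:
    """Stopgap PHP shipped with the fix, originally as mod_rewrite rules:
         RewriteCond %{QUERY_STRING} ^[^=]*$
         RewriteCond %{QUERY_STRING} %2d|\\- [NC]
         RewriteRule .? - [F,L]
    Reject when the raw query string has no '=' but contains '-' or '%2d'.
    Known false positive: a harmless search such as ?foo-bar is blocked too."""
    return "=" not in query_string and _DASH.search(query_string) is not None


def trace(query_string: str) -> dict:
    """Run one raw query string through all three stages and the filter.
    'rce' is True when the decoded -d overrides form the POST-body chain."""
    argv = cgi_argv_from_query(query_string)
    ini, flags = parse_php_cgi_options(argv)
    return {
        "argv": argv,
        "ini": ini,
        "flags": flags,
        "blocked": should_block(query_string),
        "rce": ini.get("auto_prepend_file") == "php://input"
        and ini.get("allow_url_include") == "1",
    }


if __name__ == "__main__":
    # Constructed inputs: the auto_prepend_file chain, the -s source dump,
    # a benign search string, and an ordinary key=value query.
    samples = [
        build_attack_query({"allow_url_include": "1",
                            "auto_prepend_file": "php://input"}),
        "-s",
        "search+term",
        "id=5",
    ]
    for qs in samples:
        print(f"?{qs}\n    {trace(qs)}")
```

Running the script shows why the classic payload works: the raw query string never contains '=', so the web server turns it into argv, and php-cgi then sees two -d overrides that make the POST body executable PHP. The same trace shows the cost of the stopgap filter: it blocks every '='-free query string that contains a dash, including legitimate search terms, which is why patching remains the real fix.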
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).
This repository is a small standalone Python proof-of-concept exploit for CVE-2012-1823, a PHP-CGI argument injection vulnerability that can lead to remote code execution. The repository contains only two files: a README with usage instructions and vulnerability context, and a single executable script, exploit.py. The Python script uses argparse for CLI input and requests for HTTP communication. Its core logic builds a malicious URL by appending a crafted query string to /index.php that injects php-cgi directives: allow_url_include=1 and auto_prepend_file=php://input. It then sends a POST request whose body contains PHP code invoking system() with an attacker-controlled command. If successful, the target executes the command and returns the output in the HTTP response. The exploit is operational but basic: it supports arbitrary command execution, has a hardcoded target path (/index.php), and does not include advanced features such as vulnerability checking, shell staging, authentication handling, or payload obfuscation beyond simple inline PHP. No external C2, callback infrastructure, or hardcoded remote IP/domain endpoints are present; the only network target is the user-supplied URL.
This repository contains two Python scripts and a README file. The main exploit script, 'CVE-2012-1823.py', targets the PHP CGI Argument Injection vulnerability (CVE-2012-1823). It allows the user to specify a target URL, HTTP Basic Auth credentials, and an arbitrary command to execute on the target server. The script constructs a request to the '/cgi-bin/test-cgi' endpoint, appending the user-supplied command as a query parameter, and attempts to execute it via the vulnerable CGI interface. The script prints the HTTP response and indicates whether the exploit was likely successful. The second script, 'CVE-2012-1823,CVE-2021-2291.py', is a detection tool that checks if a target is vulnerable to CVE-2012-1823 (by testing for partial content responses to a Range header) and CVE-2021-2291 (by checking for the 'X-Powered-By' header in the HTTP response). Both scripts require the user to provide a URL and HTTP Basic Auth credentials. The README provides brief usage instructions and notes that the scripts were tested on Kali Linux. No hardcoded IP addresses or domains are present; the scripts require user-supplied targets. The main attack vector is network-based, exploiting web server endpoints via HTTP requests. Caveat for anyone relying on this repository: neither detection check actually tests the vulnerability it is labelled with. A 206 Partial Content reply to a Range header only shows that the server supports byte-range requests and says nothing about php-cgi, and the presence of an X-Powered-By header is only a version banner. Likewise, sending a command as a plain query parameter to /cgi-bin/test-cgi is not the -d argument-injection technique that CVE-2012-1823 relies on, so a "likely successful" verdict from the exploit script should be confirmed by hand (for example, with a ?-s source-dump request against the php-cgi binary).
This repository contains a Bash script (php_cgi.sh) that exploits the PHP CGI Argument Injection vulnerability (CVE-2012-1823). The exploit targets PHP before 5.3.12 and PHP 5.4.x before 5.4.2 when PHP runs as a CGI executable (php-cgi) reachable over HTTP. The script takes a target URL and a command as arguments, then sends a specially crafted HTTP POST request to the target, injecting a PHP payload via the 'auto_prepend_file' directive using 'php://input'. This payload executes the supplied system command on the target server. The repository also includes a README.md with usage instructions and a description of the vulnerability. The main entry point is the php_cgi.sh script, and the exploit is operational, providing remote command execution on vulnerable servers.
This repository provides a proof-of-concept (POC) environment for exploiting the PHP-CGI remote code execution vulnerability (CVE-2012-1823). The structure includes a Dockerfile and docker-compose.yml to set up a vulnerable PHP 5.4.1-CGI environment, with web content in the 'www' directory. The main exploit capability is remote code execution via specially crafted HTTP requests that abuse the way PHP-CGI parses query strings as command-line arguments. The README.md provides detailed background, exploitation steps, and example payloads. The main vulnerable endpoint is 'http://your-ip:8080/index.php', which can be exploited by appending malicious query strings and POST data. The repository is intended for educational or testing purposes, demonstrating how attackers can achieve arbitrary code execution on misconfigured or unpatched PHP-CGI servers.
This repository is a comprehensive exploit toolkit targeting multiple well-known vulnerabilities and misconfigurations in Linux-based services, primarily for educational or penetration testing purposes. It contains step-by-step walkthroughs, Metasploit module usage, and some custom scripts (notably a PHP backdoor) for exploiting services such as vsftpd 2.3.4 (CVE-2011-2523), Samba (CVE-2007-2447), distccd (CVE-2004-2687), PHP-CGI (CVE-2012-1823), UnrealIRCd (CVE-2010-2075), as well as misconfigurations in NFS, PostgreSQL, MySQL, and privilege escalation via udev. The structure is organized by target service, with each directory containing detailed attack instructions, relevant commands, and in some cases, exploit code or payloads. The main capabilities include remote code execution, reverse shell access, privilege escalation, database extraction, and persistent access via SSH key injection. The repository is operational in maturity, providing working attack chains and payloads, and is suitable for use in penetration testing labs such as Metasploitable. No fake or detection-only scripts were identified; all content is focused on exploitation.
This repository contains a Python script (cve-2012-1823_VulCheck.py) designed to check for and exploit the CVE-2012-1823 vulnerability in PHP-CGI. The script takes a target domain or IP as input, constructs HTTP requests to common PHP-CGI endpoints (/cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi), and attempts to exploit the vulnerability by sending a specially crafted payload. The payload is a PHP code snippet that, if executed, confirms remote code execution by returning a specific string. The script prints the server's response and notifies the user if the target is vulnerable. The repository also includes a minimal readme.md file. The exploit is operational and provides a clear indication of vulnerability, but does not provide a full-featured shell or post-exploitation capabilities.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A remote code execution vulnerability in PHP-CGI, exploited by Morte Loader operators for initial compromise of edge devices and web applications.
A remote code execution vulnerability in PHP-CGI, exploited by Morte Loader operators to gain initial access to devices.
A remote code execution vulnerability in PHP CGI that is being exploited in automated cryptomining campaigns.
A PHP CGI vulnerability that remains actively targeted years later as part of automated exploitation chains used to deploy cryptominers.