## https://sploitus.com/exploit?id=539AF710-2749-5930-885F-F827F584855E
# CVE-2012-1823 - PHP CGI Argument Injection Remote Code Execution (RCE)
> **Severity:** Critical (CVSS 9.8)
>
> **CVE:** CVE-2012-1823
> **Published:** May 11, 2012
> **Affected Software:** PHP running in CGI mode (`php-cgi`)
> **Vulnerability Type:** Argument Injection / Remote Code Execution (RCE)
> **Attack Vector:** Network
> **Authentication Required:** None
---
CVE-2012-1823 is one of the most significant Remote Code Execution vulnerabilities ever discovered in PHP. The vulnerability affects PHP installations configured to execute through the Common Gateway Interface (CGI), allowing an unauthenticated attacker to execute arbitrary PHP code remotely.
Unlike vulnerabilities that require flaws inside a web application, this issue exists within PHP itself when deployed using **php-cgi**. Because the vulnerability exists at the interpreter level, **every PHP application hosted on an affected server becomes vulnerable**, regardless of whether the application contains coding flaws.
The vulnerability became highly publicized in 2012 due to its simplicity, reliability, and widespread exploitation across the Internet. Even years after disclosure, internet-wide scans continue to identify vulnerable systems, and the vulnerability remains included in exploitation frameworks and defensive detection tools.
---
# Technical Summary
The vulnerability exists inside PHP's CGI implementation (`php-cgi`).
Normally, HTTP query parameters are intended to be passed to PHP scripts as user input.
However, PHP incorrectly processes specially crafted query strings that **do not contain an equals (`=`) character**.
Instead of treating the query string purely as user data, PHP mistakenly interprets portions of it as **command-line arguments** passed directly to the PHP executable.
Because PHP supports numerous command-line switches (such as `-d`), an attacker can override PHP runtime configuration options during request processing.
This allows the attacker to:
- Enable dangerous PHP directives
- Disable security restrictions
- Automatically prepend attacker-controlled PHP code
- Execute arbitrary PHP commands
- Obtain complete control over the web server process
The root cause is improper handling of `php_getopt()` inside:
```
sapi/cgi/cgi_main.c
```
Specifically, PHP failed to disable command-line option parsing when processing query strings lacking an equals sign (`=`), so such query strings reached `php_getopt()` as if they were arguments.
---
# Root Cause
The CGI executable accepts command-line parameters.
For example:
```
php-cgi -d allow_url_include=1
```
Normally these parameters should only originate from the operating system.
Instead, PHP incorrectly allowed HTTP requests to inject those parameters through specially crafted URLs.
The attacker could therefore manipulate PHP runtime configuration before the target script executed.
This effectively transformed a simple HTTP request into command-line execution against php-cgi.
---
# Affected Versions
The following PHP releases are vulnerable:
| Version | Status |
|---------|--------|
| PHP < 5.3.12 | Vulnerable |
| PHP 5.4.x < 5.4.2 | Vulnerable |
Only installations using **CGI mode (`php-cgi`)** are affected.
PHP running as:
- Apache Module (mod_php)
- PHP-FPM
- FastCGI implementations that are not vulnerable to this parsing flaw
are generally not affected by CVE-2012-1823 itself.
---
# Attack Requirements
An attacker only requires:
- Network connectivity to the target
- PHP running as CGI
- No authentication
- No valid user account
- No interaction from a victim
The vulnerability is fully exploitable remotely.
---
# Exploitation Process
The attack typically follows these stages:
1. Discover PHP CGI endpoint.
2. Send specially crafted HTTP request.
3. Inject PHP command-line arguments.
4. Override PHP runtime settings.
5. Execute attacker-controlled PHP code.
6. Gain Remote Code Execution.
Once code execution is obtained, attackers commonly:
- Upload web shells
- Execute system commands
- Read sensitive files
- Dump databases
- Install malware
- Establish persistence
- Pivot deeper into internal networks
---
# Impact
Successful exploitation results in complete compromise of the PHP application.
Potential consequences include:
- Remote Code Execution
- Full website compromise
- Database theft
- Credential disclosure
- Malware deployment
- Web shell installation
- Server takeover
- Lateral movement
- Privilege escalation (depending on server configuration)
If PHP executes with elevated privileges, system-level compromise may also be possible.
---
# CVSS v3.1
| Metric | Value |
|---------|------|
| Base Score | 9.8 |
| Severity | Critical |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
---
# Why This Vulnerability Was So Dangerous
Several characteristics made CVE-2012-1823 particularly impactful:
- Exploitable over HTTP.
- No authentication required.
- Reliable exploitation.
- Interpreter-level vulnerability.
- Affects all hosted PHP applications.
- Public exploit code became available shortly after disclosure.
- Supported by penetration testing frameworks.
- Widely used in automated internet scanning campaigns.
Its combination of ease of exploitation and severe impact led to extensive real-world attacks and its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog.
---
# Detection
Administrators should verify:
- PHP version
- Deployment mode
- Presence of php-cgi
- Web server configuration
Indicators include:
- CGI executable exposed through HTTP
- Unexpected PHP runtime directives
- Suspicious requests containing encoded command-line switches
- Requests lacking '=' in query strings
Security scanners such as Nuclei, Nessus, OpenVAS, and Metasploit modules can detect vulnerable configurations.
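The detection indicators above (query strings lacking `=`, encoded command-line switches) follow directly from the parsing flaw described in the Technical Summary. The script below is an added example, not part of the original repository: it reproduces the php-cgi decision rule (argv parsing only when the *raw* query string contains no literal `=`, then splitting on `+` and percent-decoding) and runs it over constructed Apache access-log lines to flag requests that would have reached `php_getopt()` as switches. Log lines, IPs and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [11/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [11/May/2012:10:00:02 +0000] "GET /cgi-bin/php?-d+allow_url_include%3d1 HTTP/1.1" 200 88
203.0.113.12 - - [11/May/2012:10:00:03 +0000] "GET /index.php?%2dd+allow_url_include%3d1 HTTP/1.1" 200 88
203.0.113.13 - - [11/May/2012:10:00:04 +0000] "GET /index.php?debug HTTP/1.1" 200 301
203.0.113.14 - - [11/May/2012:10:00:05 +0000] "GET /index.php?x=-d HTTP/1.1" 200 301
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv_from_query(raw_query: str):
    """Reproduce the decision CVE-2012-1823 hinges on.

    php-cgi only treated the query string as argv when the *raw* string
    contained no literal '='. A percent-encoded '=' (%3d) passes that test,
    so the raw string is checked first and decoded afterwards, in the same
    order the vulnerable code used. Returns the argv list, or None when the
    query would have been treated as ordinary user input.
    """
    if "=" in raw_query:
        return None
    # CGI splits the query on '+' and percent-decodes each word separately.
    return [unquote(word) for word in raw_query.split("+") if word]


def is_argument_injection(raw_query: str) -> bool:
    """True if any resulting argv word would be parsed as a php-cgi switch."""
    argv = cgi_argv_from_query(raw_query)
    return bool(argv) and any(arg.startswith("-") for arg in argv)


def scan_access_log(log_text: str):
    """Return (client_ip, request_target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        _, _, raw_query = target.partition("?")
        if raw_query and is_argument_injection(raw_query):
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"possible CVE-2012-1823 probe from {ip}: {target}")
```

Note that the benign `?debug` request is not flagged (no switch-like word) and `?x=-d` is not flagged because the literal `=` keeps php-cgi in normal query-string mode, which is the false-positive boundary a detection rule should respect.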
---
# Mitigation
Recommended mitigations include:
- Upgrade PHP to:
  - 5.3.12 or newer
  - 5.4.2 or newer
- Disable CGI mode where possible.
- Migrate to PHP-FPM.
- Restrict access to php-cgi executables.
- Apply vendor security patches.
- Deploy a Web Application Firewall (WAF) capable of blocking malicious CGI argument injection attempts.
---
# Timeline
| Date | Event |
|------|-------|
| May 2012 | Vulnerability publicly disclosed |
| May 2012 | Security patches released |
| 2012 | Public exploits released |
| 2012 | Metasploit module published |
| Following years | Mass internet exploitation observed |
| Present | Continues to appear in vulnerability scans and legacy systems |
---
# Disclaimer
This repository is intended **solely for educational purposes, security research, vulnerability analysis, and defensive testing**. Any information contained herein should only be used on systems for which you have explicit authorization. Unauthorized exploitation of vulnerable systems is illegal and unethical.