2

I'm trying to use the "Php reverse shell" for school purposes on my clean installed Ubuntu 14.04. I configured my Apache/PHP/MySQL as I do normally.

I need to get the php-function "pcntl_fork()" working. In order to get it working, I need to use PHP-CGI, but I'm not able to get it work after 6 hours of trying.

This is the last tutorial I followed: http://www.binarytides.com/setup-apache-php-cgi-ubuntu/

I had some troubles and now I'm trying to solve them. This is how my .conf-file looks like at the moment:

<VirtualHost *:80> # The ServerName directive sets the request scheme, hostname and port t$ # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /var/www/html ScriptAlias /cgi-bin/ /usr/bin/ Action cgi-handler /cgi-bin/php-cgi AddHandler cgi-handler .php <Directory /usr/bin> Require all granted Options FollowSymLinks </Directory> <Directory /var/www/html/> Options Indexes FollowSymLinks MultiViews AllowOverride All Order Allow,Deny Allow from all </Directory> # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf </VirtualHost>

I'm getting this error:

404-Not Found

The requested URL /cgi-bin/php-cgi/test.php was not found on this server.

Someone who can help me? Thank you in advance.

Edit: I already tried FastCGI, but pcntl_fork() still refused to work.

Improve this question

1 Answer 1

Reset to default
1

Short version:

Supposing the requested URL was http://some.host/test.php, with your apache configuration a php-cgi executable should be placed in the /usr/bin folder and should be executable by the Apache user. Also, the test.php script should be present in /var/www/html

Long/Complete version:

Based on the configuration you reported, when requesting the URL http://some.host/test.php , among lots of other things, your Apache will:

  • see that it's a request ending in ".php", and hence, due to the AddHandler directive and related Action, decide it need to launch a "/cgi-bin/php-cgi" CGI application;

  • as for the ScriptAlias directive, decide that the "/cgi-bin/php-cgi" CGI application is mapped, within the underlying file-system, to the "/usr/bin/php-cgi" full pathname. Hence...

  • Apache will launch "/usr/bin/php-cgi" (that should exist and be executable by Apache), taking care to add reference to the real script to be executed (by PHP; in your case "test.php") by defining several environment variables (PATH_INFO, PATH_TRANSLATED, QUERY_STRING, SCRIPT_NAME and others).

Due to the above, supposing "/usr/bin/php-cgi" exists in your file-systems and is executable by your Apache:

  • following environment-variables are defined (by Apache):
SCRIPT_NAME: /cgi-bin/php-cgi PATH_INFO: /test.php PATH_TRANSLATED: /var/www/html/test.php

  • with above environment, /usr/bin/php-cgi is launched;

  • once started, php-cgi will search for the script to execute, as specified by the PATH_TRANSLATED environment variable;

  • php-cgi will try to open and read "/var/www/html/test.php" and...

  • execute it.

As your Apache is searching /cgi-bin/php-cgi/test.php, I suspect it's not recognizing the php-cgi executable within the /usr/bin folder.

I suggest to double-check your whole configuration ensuring that:

  • php-cgi is an executable within /usr/bin. Please note that common Ubuntu does use a /usr/bin/php5-cgi binary (with an added "5");
  • your PHP scripts are stored within /var/www/html
  • your URL are in the form: http://some.host/test.php
  • in case of further problems, check your logfile, commonly located at /var/log/apache/error.log

A final note

I strongly disagree in having the whole /usr/bin accessible for CGI applications: please consider storing your CGIs somewhere else (/var/www/cgi-bin or /usr/lib/cgi-bin or whatever), expecially if yours is a "public" web-server.

Improve this answer
10
  • Hey, thanks for the large explanation. When I try your short version, I go to localhost/test.php. I get: The requested URL /cgi-bin/php-cgi/test.php was not found on this server. I go to localhost/cgi-bin/test.php, I get: The requested URL /cgi-bin/php-cgi/cgi-bin/test.php was not found on this server. I really don't understand what's going on and why it's handling that way... :/ Commented Dec 27, 2014 at 8:49
  • @JVos: can you confirm /usr/bin/php-cgi exists on your filesystem? Please note that, as far as I know, common ubuntu provides /usr/bin/php5-cgi (so, with a "5" added). Commented Dec 27, 2014 at 8:56
  • /usr/bin/php-cgi exists, it's not a folder, it's a directive (I don't know how it's called in English :p ) to /etc/alternatives/php-cgi, do I have to change it? /usr/bin/php5-cgi does exist. I tried to change my cof-file: "Action cgi-handler /cgi-bin/php5-cgi" When I navigate to localhost/test.php, error 404: "The requested URL /cgi-bin/php5-cgi/test.php was not found on this server." I don't understand why it won't convert /cgi-bin/ into /usr/bin/... Thank you for helping me. Commented Dec 27, 2014 at 11:41
  • After changing the conf file, have you restarted apache (so to load the new config)? Commented Dec 27, 2014 at 11:48
  • 1
    Thanks for being my hero! :D ServerAdmin webmaster@localhost DocumentRoot /var/www/html ScriptAlias /cgi-bin/ /usr/bin/ Action cgi-handler /cgi-bin/php5-cgi AddHandler cgi-handler .php <Directory /usr/bin/> Require all granted Options FollowSymLinks </Directory> <Directory /var/www/html/> Options Indexes FollowSymLinks MultiViews AllowOverride All Order Allow,Deny Allow from all </Directory> Commented Dec 27, 2014 at 12:52

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.