{"id":13842620,"url":"https://github.com/wofeiwo/webcgi-exploits","last_synced_at":"2026-01-19T08:04:25.493Z","repository":{"id":153625495,"uuid":"102316644","full_name":"wofeiwo/webcgi-exploits","owner":"wofeiwo","description":"Multi-language web CGI interfaces exploits.","archived":false,"fork":false,"pushed_at":"2022-08-22T12:23:35.000Z","size":43,"stargazers_count":382,"open_issues_count":0,"forks_count":66,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-08-05T17:32:24.863Z","etag":null,"topics":["cgi","exploit","scripting-language"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wofeiwo.png","metadata":{"files":{"readme":"README-zh.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2017-09-04T03:52:28.000Z","updated_at":"2024-06-11T08:41:55.000Z","dependencies_parsed_at":"2023-05-28T17:00:26.865Z","dependency_job_id":null,"html_url":"https://github.com/wofeiwo/webcgi-exploits","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wofeiwo%2Fwebcgi-exploits","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wofeiwo%2Fwebcgi-exploits/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wofeiwo%2Fwebcgi-exploits/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wofeiwo%2Fwebcgi-exploits/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wofeiwo","download_url":"https://codeload.github.com/wofeiwo/webcgi-exploits/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225736956,"owners_count":17516259,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cgi","exploit","scripting-language"],"created_at":"2024-08-04T17:01:41.440Z","updated_at":"2026-01-19T08:04:25.487Z","avatar_url":"https://github.com/wofeiwo.png","language":"PHP","readme":"# Web CGI Exploits\n[![License](https://img.shields.io/github/license/wofeiwo/webcgi-exploits.svg)](LICENSE)\n[![README](https://img.shields.io/badge/README-English-blue.svg)](README.md)\n[![README](https://img.shields.io/badge/README-中文-blue.svg)](README-zh.md)\n\nThis is a collection of the various Web CGI related exploits I wrote a few years ago.\n\n## How it works\nNormally, a web application stack is layered like this:\n\n1. Web application\n2. Web framework\n3. Scripting-language interpreter\n4. Web container (server)\n5. Web front-end reverse proxy (usually nginx, etc.)\n\n* `4` \u0026 `5` may be the same thing, and sometimes `3` \u0026 `4` may be the same thing as well.\n\nThink of the layers above as a data pipeline, with each layer doing some processing and parsing. Requests and responses live in and travel through these two pipes, one in each direction. How does each layer talk to the next? It is relatively complex; there are usually standards, including shared memory, socket communication and so on, and different languages have different implementations. The communication mode between layers `3` and `4` is usually called CGI; FastCGI and Python's WSGI are common standard protocols.\nHowever, because the web container and the scripting language sit in different positions, they do not use and trust this communication channel in exactly the same way, and some errors and misunderstandings exist. This gives us many opportunities to use the functionality in there to dig up vulnerabilities and achieve what we want, such as remote code execution, port forwarding and so on.\n\n## Exploits\n### PHP\n\n- Fastcgi\n\n  See the article [PHP FastCGI Remote Exploitation](php/Fastcgi/php-fastcgi-remote-exploit.md)\n\n  1. `fcgi_exp.go`: when the FastCGI port is exposed externally, or in combination with an `SSRF` vulnerability, this exploit can be used for remote code execution.\n  2. `fcgi_jailbreak.php`: for environments sandboxed by PHP's own configuration, this script can be used to break out of the sandbox.\n\n  See the article [Using PHP-FPM to build an in-memory shell](php/Fastcgi/php-fpm-memory-shell.md)\n \n- Apache Mod_php\n\n  What makes mod_php different from other CGIs is that it is loaded as a module inside the Apache process, so it can manipulate resources within that process. Apache's usual working mode is to fork a number of worker processes, which carry over some file handles from the master process that can be operated on. These can be used for some very nice tricks. For details, see the earlier article: [Exploiting PHP Port Reuse](https://blog.wofeiwo.com/post/2011-10-09/PHPDuan-Kou-Fu-Yong-De-Li-Yong-.html)\n\n  1. `mod_php_port_reuse.php`: reuses your current port 80 connection to spawn an interactive shell, which can bypass some firewalls.\n  2. `mod_php_port_proxy.py`: used together with `mod_php_port_reuse.php`, it can directly reuse the current port 80 connection for port-forwarded communication.\n\n### Python\nPython generally uses the WSGI mode as its unified interface, but the concrete implementations include `uwsgi`, `gunicorn`, `scgi`, `mod_python`, `fastcgi` and others. The most common are still `uwsgi` and `gunicorn`. Of these, `uwsgi` supports many features and passes parameters directly through its protocol, so it can be exploited.\n\n- Uwsgi\n  1. `uwsgi_exp.py`: uses the uwsgi protocol to execute arbitrary commands remotely; the principle and usage scenarios are similar to PHP FastCGI. For details, see [uWSGI Remote Code Execution Vulnerability](python/uwsgi-rce-zh.md)\n","funding_links":[],"categories":["PHP","PHP (184)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwofeiwo%2Fwebcgi-exploits","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwofeiwo%2Fwebcgi-exploits","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwofeiwo%2Fwebcgi-exploits/lists"}