I'm trying to use the "Php reverse shell" for school purposes on my clean installed Ubuntu 14.04. I configured my Apache/PHP/MySQL as I do normally.
I need to get the php-function "pcntl_fork()" working. In order to get it working, I need to use PHP-CGI, but I'm not able to get it work after 6 hours of trying.
This is the last tutorial I followed: http://www.binarytides.com/setup-apache-php-cgi-ubuntu/
I had some troubles and now I'm trying to solve them. This is how my .conf-file looks like at the moment:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port t$
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ScriptAlias /cgi-bin/ /usr/bin/
Action cgi-handler /cgi-bin/php-cgi
AddHandler cgi-handler .php
<Directory /usr/bin>
Require all granted
Options FollowSymLinks
</Directory>
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
I'm getting this error:
404-Not Found
The requested URL /cgi-bin/php-cgi/test.php was not found on this server.
Someone who can help me? Thank you in advance.
Edit: I already tried FastCGI, but pcntl_fork() still refused to work.
Best Answer
Short version:
Supposing the requested URL was http://some.host/test.php, with your apache configuration a php-cgi executable should be placed in the /usr/bin folder and should be executable by the Apache user. Also, the test.php script should be present in /var/www/html
Long/Complete version:
Based on the configuration you reported, when requesting the URL http://some.host/test.php , among lots of other things, your Apache will:
see that it's a request ending in ".php", and hence, due to the AddHandler directive and related Action, decide it need to launch a "/cgi-bin/php-cgi" CGI application;
as for the ScriptAlias directive, decide that the "/cgi-bin/php-cgi" CGI application is mapped, within the underlying file-system, to the "/usr/bin/php-cgi" full pathname. Hence...
Apache will launch "/usr/bin/php-cgi" (that should exist and be executable by Apache), taking care to add reference to the real script to be executed (by PHP; in your case "test.php") by defining several environment variables (PATH_INFO, PATH_TRANSLATED, QUERY_STRING, SCRIPT_NAME and others).
Due to the above, supposing "/usr/bin/php-cgi" exists in your file-systems and is executable by your Apache:
with above environment, /usr/bin/php-cgi is launched;
once started, php-cgi will search for the script to execute, as specified by the PATH_TRANSLATED environment variable;
php-cgi will try to open and read "/var/www/html/test.php" and...
execute it.
As your Apache is searching /cgi-bin/php-cgi/test.php, I suspect it's not recognizing the php-cgi executable within the /usr/bin folder.
I suggest to double-check your whole configuration ensuring that:
A final note
I strongly disagree in having the whole /usr/bin accessible for CGI applications: please consider storing your CGIs somewhere else (/var/www/cgi-bin or /usr/lib/cgi-bin or whatever), expecially if yours is a "public" web-server.