Trying to install php-cgi / Apache / Ubuntu 14.04

apache-2.4php-cgivirtualhost

I'm trying to use the "Php reverse shell" for school purposes on my clean installed Ubuntu 14.04. I configured my Apache/PHP/MySQL as I do normally.

I need to get the php-function "pcntl_fork()" working. In order to get it working, I need to use PHP-CGI, but I'm not able to get it work after 6 hours of trying.

This is the last tutorial I followed: http://www.binarytides.com/setup-apache-php-cgi-ubuntu/

I had some troubles and now I'm trying to solve them. This is how my .conf-file looks like at the moment:

<VirtualHost *:80>
            # The ServerName directive sets the request scheme, hostname and port t$
            # the server uses to identify itself. This is used when creating
            # redirection URLs. In the context of virtual hosts, the ServerName
            # specifies what hostname must appear in the request's Host: header to
            # match this virtual host. For the default virtual host (this file) this
            # value is not decisive as it is used as a last resort host regardless.
            # However, you must set it for any further virtual host explicitly.
            #ServerName www.example.com

            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            ScriptAlias /cgi-bin/ /usr/bin/

            Action cgi-handler /cgi-bin/php-cgi
            AddHandler cgi-handler .php

            <Directory /usr/bin>
                    Require all granted
                    Options FollowSymLinks
            </Directory>

            <Directory /var/www/html/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    Order Allow,Deny
                    Allow from all
            </Directory>

            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf
    </VirtualHost>

I'm getting this error:

404-Not Found

The requested URL /cgi-bin/php-cgi/test.php was not found on this server.

Someone who can help me? Thank you in advance.

Edit: I already tried FastCGI, but pcntl_fork() still refused to work.

Best Answer

Short version:

Supposing the requested URL was http://some.host/test.php, with your apache configuration a php-cgi executable should be placed in the /usr/bin folder and should be executable by the Apache user. Also, the test.php script should be present in /var/www/html

Long/Complete version:

Based on the configuration you reported, when requesting the URL http://some.host/test.php , among lots of other things, your Apache will:

see that it's a request ending in ".php", and hence, due to the AddHandler directive and related Action, decide it need to launch a "/cgi-bin/php-cgi" CGI application;
as for the ScriptAlias directive, decide that the "/cgi-bin/php-cgi" CGI application is mapped, within the underlying file-system, to the "/usr/bin/php-cgi" full pathname. Hence...
Apache will launch "/usr/bin/php-cgi" (that should exist and be executable by Apache), taking care to add reference to the real script to be executed (by PHP; in your case "test.php") by defining several environment variables (PATH_INFO, PATH_TRANSLATED, QUERY_STRING, SCRIPT_NAME and others).

Due to the above, supposing "/usr/bin/php-cgi" exists in your file-systems and is executable by your Apache:

following environment-variables are defined (by Apache):

SCRIPT_NAME: /cgi-bin/php-cgi
PATH_INFO: /test.php
PATH_TRANSLATED: /var/www/html/test.php

with above environment, /usr/bin/php-cgi is launched;
once started, php-cgi will search for the script to execute, as specified by the PATH_TRANSLATED environment variable;
php-cgi will try to open and read "/var/www/html/test.php" and...
execute it.

As your Apache is searching /cgi-bin/php-cgi/test.php, I suspect it's not recognizing the php-cgi executable within the /usr/bin folder.

I suggest to double-check your whole configuration ensuring that:

php-cgi is an executable within /usr/bin. Please note that common Ubuntu does use a /usr/bin/php5-cgi binary (with an added "5");
your PHP scripts are stored within /var/www/html
your URL are in the form: http://some.host/test.php
in case of further problems, check your logfile, commonly located at /var/log/apache/error.log

A final note

I strongly disagree in having the whole /usr/bin accessible for CGI applications: please consider storing your CGIs somewhere else (/var/www/cgi-bin or /usr/lib/cgi-bin or whatever), expecially if yours is a "public" web-server.

Related Solutions

Apache: Setting DocumentRoot to cgi directory results in downloading file instead of executing it

You need to specify the cgi handler for the file if you do not use ScriptAlias. IN the directory section, add something like

AddHandler cgi-script .cgi

This is what the documentation says:

Any file that has the handler cgi-script will be treated as a CGI script, and run by the server, with its output being returned to the client. Files acquire this handler either by having a name containing an extension defined by the AddHandler directive, or by being in a ScriptAlias directory.

Why the php-cgi wrapper script for php-fpm? (Using virtualhost and suexec.)

As an example, on a Redhat/centos machines, the php-fpm is actually a binary in /usr/sbin/ directory. It intercepts call from the server (apache/nginx) to process php requests. The settings of php-fpm can be adjusted in php-fpm.conf (http://php-fpm.org/wiki/Configuration_File), which lets you fine-tune your system. php-fpm is quite advanced and gives you a lot of control to your system.

Somehow, the php-fpm file on your system seems to be more like a normal fastcgi/cgi wrapper. If you want to bypass using "your version of php-fpm" and use php-cgi directly, you can use a custom fastcgi wrapper. An example of a custom fastcgi wrapper is:

#!/bin/bash
### Set PATH ###
PHP_CGI=/usr/bin/php-cgi
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI

One of the options that can be set in php-fpm.conf is to let you execute php scripts as another user. Suexec also provides this function and it can be called by Apache to pass request to the fastcgi wrapper which will handle php files. Together, suexec + fastcgi provide some of key functions of php-fpm and thus can be used as an alternative.