PHP-FPM is presented as a superior alternative to the standard PHP FastCGI, offering features that are particularly beneficial for websites with high traffic. It operates through a master process that oversees a collection of worker processes. For a PHP script request, it's the web server that initiates a FastCGI proxy connection to the PHP-FPM service. This service has the capability to receive requests either via network ports on the server or Unix sockets.
Despite the intermediary role of the proxy connection, PHP-FPM needs to be operational on the same machine as the web server. The connection it uses, while proxy-based, differs from conventional proxy connections. Upon receiving a request, an available worker from PHP-FPM processes it—executing the PHP script and then forwarding the results back to the web server. After a worker concludes processing a request, it becomes available again for upcoming requests.
But what is CGI and FastCGI?
CGI
Normally web pages, files and all of the documents which are transferred from the web server to the browser are stored in a specific public directory such as home/user/public_html. When the browser requests certain content, the server checks this directory and sends the required file to the browser.
If CGI is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public_html/cgi-bin. CGI scripts are stored in this directory. Each file in the directory is treated as an executable program. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. After the input data processing is completed, the application sends the output data to the web server which forwards the data to the HTTP client.
For example, when the CGI script http://mysitename.com/cgi-bin/file.pl is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the .pl file code itself. (explanation from here)
FastCGI
FastCGI is a newer web technology, an improved CGI version as the main functionality remains the same.
The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements Open Market introduced FastCGI – a high performance version of the CGI technology with enhanced capabilities.
disable_functions bypass
It's possible to run PHP code abusing the FastCGI and avoiding the disable_functions limitations.
Via Gopherus
I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via [PEASS & HackTricks telegram group here](https://t.me/peass), or twitter [@carlospolopm](https://twitter.com/hacktricks_live).
Using Gopherus you can generate a payload to send to the FastCGI listener and execute arbitrary commands:
Uploading and accessing this script the exploit is going to be sent to FastCGI (disabling disable_functions) and the specified commands are going to be executed.
PHP exploit
I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that phpinfo() from FastCGI execution indicated that disable_functions was empty, but PHP (somehow) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via [PEASS & HackTricks telegram group here](https://t.me/peass), or twitter [@carlospolopm](https://twitter.com/hacktricks_live).
This is a php script to exploit fastcgi protocol to bypass open_basedir and disable_functions.
It will help you to bypass strict disable_functions to RCE by loading the malicious extension.
You can access it here: https://github.com/w181496/FuckFastcgi or a sligtly modified and improved version here: https://github.com/BorelEnzo/FuckFastcgi
You will find that the exploit is very similar to the previous code, but instead of trying to bypass disable_functions using PHP_VALUE, it tries to load an external PHP module to execute code using the parameters extension_dir and extension inside the variable PHP_ADMIN_VALUE.
NOTE1: You probably will need to recompile the extension with the same PHP version that the server is using (you can check it inside the output of phpinfo):
NOTE2: I managed to make this work by inserting the extension_dir and extension values inside a PHP .ini config file (something that you won't be able to do attacking a server). But for some reason, when using this exploit and loading the extension from the PHP_ADMIN_VALUE variable the process just died, so I don't know if this technique is still valid.