Hacktricks-skills fastcgi-pentesting
Pentest FastCGI services (typically port 9000) for enumeration, RCE, and SSRF exploitation. Use this skill whenever you need to test FastCGI/PHP-FPM services, probe for misconfigurations, craft FastCGI payloads for RCE, or leverage SSRF to reach internal FastCGI listeners. Trigger on mentions of FastCGI, PHP-FPM, port 9000, FPM status pages, or when you need to exploit FastCGI misconfigurations.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/network-services-pentesting/9000-pentesting-fastcgi/SKILL.MD
FastCGI Pentesting Skill
A skill for enumerating and exploiting FastCGI services, particularly PHP-FPM instances running on port 9000.
When to Use This Skill
Use this skill when:
- You discover port 9000 open on a target
- You need to test FastCGI/PHP-FPM services for vulnerabilities
- You have an SSRF primitive and want to reach internal FastCGI listeners
- You suspect Nginx FastCGI misconfigurations (cgi.fix_pathinfo issues)
- You need to craft FastCGI payloads for RCE
- You're investigating PHP-FPM related vulnerabilities
Quick Reference
| Task | Command/Script |
|---|---|
| Port scan | nmap -sV -p9000 <target> |
| Probe FPM status | ./scripts/probe-fpm-status.sh <host> |
| FastCGI RCE | ./scripts/fastcgi-rce.sh <host> <existing-php-file-path> |
| SSRF payload | ./scripts/build-gopher-payload.py <host> <port> <script-path> |
Enumeration
1. Initial Reconnaissance
PHP-FPM's TCP listener defaults to 127.0.0.1:9000 (Debian-style packages use a Unix socket instead), so it is normally reachable only from the web-server host; containerised deployments commonly bind 0.0.0.0:9000 so a separate web-server container can reach it, which is how the port ends up exposed. Start with:
nmap -sV -p9000 <target>
Note: nmap often shows "unknown" service for FastCGI. Manual testing is required.
2. Probe FPM Status Page
PHP-FPM serves a status page only when pm.status_path is set in the pool configuration (commonly /status). FPM matches the request's SCRIPT_NAME against that path, so the variable has to be set explicitly in the FastCGI request. Use the bundled script:
./scripts/probe-fpm-status.sh <host>
Or manually (the command is a single line):
SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect <host>:9000
Add QUERY_STRING=full to the environment to get per-worker rows, which include the script path each worker last executed; that is the existing PHP file path the RCE step needs.
3. SSRF to FastCGI
If you have an SSRF vulnerability in an HTTP service whose client speaks gopher:// (libcurl-based clients such as PHP's curl_exec usually do; Java's and Go's standard HTTP clients do not), you can reach internal FastCGI listeners:
./scripts/build-gopher-payload.py <host> <port> <script-path>
This generates a gopher:// payload you can use in your SSRF. A gopher URL is delivered as a raw byte stream to the port, which is why it can carry binary FastCGI records.
4. Check for Nginx Misconfigurations
Look for cgi.fix_pathinfo=1 (the php.ini default) combined with an nginx location that passes SCRIPT_FILENAME to FPM without checking that the file exists (no try_files $uri =404, or a loose fastcgi_split_path_info rule). If present, requesting an uploaded file with /anything.php appended (for example /uploads/cat.jpg/x.php) makes PHP walk back to the real file and execute it as PHP. FPM's own security.limit_extensions, which by default only lets .php scripts run, blocks this unless it has been relaxed, so check the FPM pool config as well as the nginx one.
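To make the check concrete, the following added example (not part of the skill) audits two constructed nginx snippets for the missing try_files guard and simulates PHP's fix_pathinfo walk-back on a constructed file list; the snippets, the document root and the file paths are all assumptions.

```python
#!/usr/bin/env python3
"""Models the cgi.fix_pathinfo=1 path walk-back and audits nginx `location` blocks
for the missing existence check. Added example, not part of the skill; the config
text and file list are constructed."""
from __future__ import annotations
import posixpath
import re

# Constructed snippets. The weak block forwards every URI ending in .php to FPM
# as-is; the hardened one refuses URIs that do not name a real file first.
WEAK_CONF = """
location ~ \\.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
"""
HARDENED_CONF = """
location ~ \\.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
"""
# Constructed document root: index.php is legitimate, cat.jpg is a user upload.
FILES = {"/var/www/html/index.php", "/var/www/html/uploads/cat.jpg"}


def php_locations(conf: str) -> list[str]:
    """Bodies of location blocks whose matcher mentions .php (brace counting handles nesting)."""
    blocks = []
    for m in re.finditer(r"location\s+[^{]*\.php[^{]*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.start():i])
    return blocks


def audit(conf: str) -> list[str]:
    """Flag PHP locations that reach fastcgi_pass without `try_files $uri =404`."""
    findings = []
    for block in php_locations(conf):
        if "fastcgi_pass" in block and not re.search(r"try_files\s+\$uri\s+=404", block):
            findings.append("PHP location has no try_files $uri =404: a URI such as "
                            "/uploads/cat.jpg/x.php reaches FPM with a non-existent SCRIPT_FILENAME")
    return findings


def resolve_fix_pathinfo(script_filename: str, existing: set[str]) -> tuple[str | None, str]:
    """cgi.fix_pathinfo=1 behaviour: drop trailing path components until an existing
    file is found; that file becomes the script and the remainder becomes PATH_INFO."""
    path, info = script_filename, ""
    while path not in ("", "/"):
        if path in existing:
            return path, info
        path, tail = posixpath.split(path)
        info = "/" + tail + info
    return None, script_filename


def fpm_decision(script: str | None, allowed: tuple[str, ...] = (".php",)) -> str:
    """security.limit_extensions (default .php) is FPM's last line of defence: a resolved
    script with another extension is refused even when nginx and fix_pathinfo let it through."""
    if script is None:
        return "not found"
    return "execute" if script.endswith(allowed) else "denied"


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
    for uri in ("/uploads/cat.jpg/x.php", "/index.php/extra", "/missing.php"):
        script, info = resolve_fix_pathinfo("/var/www/html" + uri, FILES)
        print(f"{uri:24} -> script={script} PATH_INFO={info!r} FPM: {fpm_decision(script)}")
```

The audit only catches the single most common mistake (no existence check before fastcgi_pass); the simulation shows why it matters: cat.jpg/x.php resolves to the uploaded image, and only FPM's extension allow-list stands between that and code execution, so a pool with security.limit_extensions widened to .jpg (or emptied) goes straight to "execute".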
Exploitation
RCE via FastCGI Request
The most reliable RCE method is sending a crafted FastCGI request that injects php.ini directives through the PHP_VALUE and PHP_ADMIN_VALUE parameters. It needs the path of a PHP file that already exists on the target, because FPM rejects a request whose SCRIPT_FILENAME is missing or does not end in an allowed extension (security.limit_extensions); the status page's full output or the web-server config are the usual sources for that path.
./scripts/fastcgi-rce.sh <host> <existing-php-file-path>
How it works:
- Sets auto_prepend_file via the PHP_VALUE parameter; because the prepended "file" is a stream wrapper rather than a path on disk, allow_url_include = On is also required, which PHP_ADMIN_VALUE can set
- Prepends a base64-encoded PHP payload to the request being handled
- Executes arbitrary commands via system()
Example:
./scripts/fastcgi-rce.sh 192.168.1.100 /var/www/html/index.php
SSRF/Gopher Payload for Internal FastCGI
When port 9000 isn't directly reachable but you have SSRF:
./scripts/build-gopher-payload.py 127.0.0.1 9000 /var/www/html/index.php
The script outputs a percent-encoded payload. Use it like:
gopher://<host>:9000/_<percent-encoded-fastcgi-request>
The underscore is the gopher item-type character, which the client discards before sending the rest as raw bytes. If the URL travels inside a query parameter of the SSRF request, encode it once more so the server's first decoding does not corrupt the binary records.
Known Vulnerabilities
libfcgi <= 2.4.4 Integer Overflow (2024)
- Crafted nameLen/valueLen fields in FastCGI name-value pairs overflow the length arithmetic on 32-bit builds
- Common in embedded/IoT devices
- Yields a heap overflow that can be turned into RCE when the FastCGI socket is reachable
PHP-FPM Log Manipulation (CVE-2024-9026)
- When catch_workers_output = yes, a worker can truncate or inject up to 4 bytes per line of the master process's log
- Useful for erasing indicators or poisoning logs
Classic Nginx + cgi.fix_pathinfo
- If the location that sets fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; lacks a file-existence check
- Any request whose URI ends in .php is handed to PHP, which falls back to the nearest existing parent file and executes it
- Turns an upload of any file type into code execution and can combine with path traversal or source-overwrite attacks
Scripts Reference
probe-fpm-status.sh
Probes the PHP-FPM status page to confirm service and gather info.
fastcgi-rce.sh
Sends a FastCGI request with PHP payload injection for RCE.
build-gopher-payload.py
Builds a gopher:// payload for SSRF-based FastCGI exploitation.
Workflow
- Scan - Identify port 9000 with nmap
- Probe - Test FPM status page with probe-fpm-status.sh
- Exploit - Use fastcgi-rce.sh for direct access or build-gopher-payload.py for SSRF
- Verify - Check output for command execution confirmation