CVE-2024-4577 PoC — PHP OS command injection vulnerability

Source
Associated Vulnerability
Title: PHP OS command injection vulnerability (CVE-2024-4577)
Description: PHP is a scripting language executed on the server side. PHP has an OS command injection vulnerability that stems from the fact that, under certain conditions, Windows uses "Best-Fit" behaviour to substitute characters on the command line, which can cause the PHP CGI module to misinterpret those characters as PHP options, leading to leakage of script source code, execution of arbitrary PHP code on the server, and so on. The following versions are affected: 8.1 up to (but not including) 8.1.29, 8.3 up to (but not including) 8.3.8, 8.2 up to (but not including) 8.2.20.
Readme
# CVE-2024-4577

## Overview

CVE-2024-4577 is a security vulnerability that affects PHP servers in the following versions:
- PHP 8.3.x (8.3.8 and earlier)
- PHP 8.2.x (8.2.20 and earlier)
- PHP 8.1.x (8.1.29 and earlier)
- All versions prior to 8.0
- Unsupported versions 7.x and 5.x

This vulnerability is a remote code execution (RCE) flaw that occurs when PHP runs in CGI (Common Gateway Interface) mode on Windows servers. The issue arises from Windows misinterpreting certain characters due to the use of "Best Fit" character mapping in some language settings. As a result, the PHP CGI module interprets the substituted characters as PHP command-line options, allowing attackers to execute malicious commands on the server.

## Exploitation Process

1. **Initial Attack Vector:**
   To exploit the vulnerability, append the following string to the URL of the vulnerable site:
   `?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input`

   Use Burp Suite to intercept this request and send it to the Repeater.

2. **Change the Request Method:**
   Convert the intercepted request to a POST request and place a simple PHP snippet in the request body, for example:

   `<?php phpinfo();`

## Continuation of the Exploitation Process

If the vulnerability exists, the output will display information related to the PHP version.

### Executing Malicious Code
Various methods can be applied depending on the attacker's objectives. My preferred method was to define an execution in the Windows startup directory using Burp Suite. I converted the `reverseshell.ps1` script into an executable (exe) and placed it there.

### Ransomware Deployment
Similarly, I uploaded the `ransomware.ps1` file to the system and successfully exfiltrated documents, leaving behind only their encrypted versions.

## Analysis Phase
Before starting the attack, process-creation auditing must be enabled so that Security event ID 4688 is recorded. Upon analyzing the 4688 security logs on my Windows machine, I found that the attack originated from Apache under XAMPP. When I checked the `Access.log` files, I encountered an abnormal request that returned a 200 status code, prompting me to search for this URL in my browser. I identified the vulnerability and took precautions, such as updating the PHP version or disabling the PHP CGI feature.
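The access-log review described above can be scripted. The following is an added example and not code from this repository: a small Python scanner that runs over a few constructed Apache combined-format log lines (the IP addresses, timestamps and paths are made up for illustration) and flags requests whose query string starts an argument with a percent-encoded soft hyphen (`%AD`, the character that Best-Fit mapping turns into `-`) or names the php.ini directives seen in the README's payload. The function names `classify` and `scan` and the sample log are my own assumptions. It applies a single percent-decoding pass and only treats a soft hyphen at an argument boundary (start of query, or after `+` or a space) as an indicator, so ordinary text that happens to contain U+00AD inside a word is not flagged.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache combined log format (hypothetical sample lines, constructed for this example):
# ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Soft hyphen (U+00AD, %AD) at an argument boundary followed by an option
# letter. Windows "Best-Fit" maps U+00AD to ASCII '-' before php-cgi parses
# argv, which is why "%ADd" is read as "-d". Requiring the boundary avoids
# flagging words that legitimately contain a soft hyphen.
SOFT_HYPHEN_OPT = re.compile(rb'(?:^|[+ ])\xad[a-zA-Z]')

# php.ini directives used in the README's payload; seeing them in a query
# string is suspicious on its own.
SUSPICIOUS_INI = (b'allow_url_include', b'auto_prepend_file')

# Constructed sample log: one benign request, one request matching the
# README payload that succeeded (200), one probe that failed (404), and one
# benign request containing a soft hyphen inside a word.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /test.php?%add+display_errors%3d1 HTTP/1.1" 404 200 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Jun/2024:12:00:04 +0000] "GET /docs.php?page=soft%ADhyphen HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group('target').partition('?')[2]
    # One percent-decoding pass; '+' is kept as-is because php-cgi treats it
    # as the argument separator in the query string.
    decoded = unquote_to_bytes(query)
    indicators = []
    if SOFT_HYPHEN_OPT.search(decoded):
        indicators.append('soft-hyphen option')
    lowered = decoded.lower()
    for directive in SUSPICIOUS_INI:
        if directive in lowered:
            indicators.append(directive.decode())
    if not indicators:
        return None
    status = int(m.group('status'))
    return {
        'ip': m.group('ip'),
        'time': m.group('time'),
        'method': m.group('method'),
        'status': status,
        'indicators': indicators,
        # A 200 response to such a request means the CGI handler accepted the
        # option and the host should be treated as compromised until proven
        # otherwise; anything else is a probe worth correlating.
        'severity': 'high' if status == 200 else 'medium',
    }


def scan(lines):
    """Classify every line and return the list of findings in log order."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file's lines; any `high` finding should be cross-checked against the 4688 process-creation events around the same timestamp, as the README's analysis does.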

### Security Log Examination
Since the ransomware I created was not obfuscated, my code is visible in the PowerShell logs. This shows how I encrypted the data. To recover my data, I run the `encoded.ps1` file.

## Conclusion
This simulation highlights the potential risks associated with CVE-2024-4577 and emphasizes the importance of securing PHP installations. Keeping PHP updated and preventing misconfigurations of CGI settings can effectively reduce such vulnerabilities.
File Snapshot

[4.0K] /data/pocs/19f418e072c9e031e6a1b984073293972540f8b6
├── [ 605] encoded.ps1
├── [2.0K] ransomware.ps1
├── [2.7K] README.md
└── [ 739] reverseshell.ps1

0 directories, 4 files