关联漏洞
标题:
PHP 操作系统命令注入漏洞
(CVE-2024-4577)
描述:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
描述
CVE-2024-4577 Exploit POC
介绍
# CVE-2024-4577 PoC Exploit
## Description
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a critical vulnerability affecting all versions of PHP running on Windows. The vulnerability allows attackers to execute arbitrary code remotely. The flaw also impacts the XAMPP development environment installed on Windows systems. Researchers have observed active scanning for this vulnerability, making it crucial for affected organizations to update their PHP installations promptly.
## Vulnerability Details
The vulnerability stems from an argument injection bug resulting from an incomplete fix for a separate vulnerability dating back to 2012 (CVE-2012-1823). The PHP development team overlooked the Best-Fit feature of encoding conversion within the Windows operating system, allowing unauthenticated attackers to bypass previous protections. This oversight enables attackers to execute arbitrary code on remote PHP servers through an argument injection attack.
## Exploitation Scenarios
1. **PHP Running in CGI Mode:** Attackers can exploit this vulnerability directly when PHP is configured in CGI mode, commonly used in web server setups.
2. **Exposed PHP Binary in CGI Directory (XAMPP):** The default mode for XAMPP, a popular PHP development environment, exposes the PHP binary in the CGI directory, making it vulnerable to exploitation.
## Usage
1. Install the tool using the command:
```
go install -v github.com/zomasec/CVE-2024-4577/cmd/CVE-2024-4577
```
2. Use the tool with the following flags:
```
CVE-2024-4577 -l/-d <hostsFile>/<host> -c <concurrency> -timeout <timeout>
```
- `-l`: File containing a list of hosts to scan.
- `-d`: Single host to scan.
- `-c`: Number of concurrent scans (default is 10).
- `-timeout`: Request timeout in seconds (default is 5).
Example:
```
CVE-2024-4577 -l hosts.txt -c 20 -timeout 10
```
3. You can use these dorks :
Hunter:```header.server="PHP"```
FOFA: ```server="PHP"```
SHODAN: ```server: PHP os:Windows```
---
## Resources
1. [Tenable Blog - CVE-2024-4577 Proof of Concept Available for PHP CGI Argument Injection Vulnerability](https://www.tenable.com/blog/cve-2024-4577-proof-of-concept-available-for-php-cgi-argument-injection-vulnerability)
2. [Duo Decipher - Critical PHP Flaw CVE-2024-4577 Patched](https://duo.com/decipher/critical-php-flaw-cve-2024-4577-patched)
文件快照
[4.0K] /data/pocs/252ff8265651e6b0454a1f668c54d0e48da8fc8d
├── [4.0K] cmd
│ └── [4.0K] CVE-2024-4577
│ └── [1.1K] main.go
├── [4.0K] config
│ └── [ 401] config.go
├── [ 129] go.mod
├── [ 332] go.sum
├── [1.0K] LICENSE
├── [4.0K] pkg
│ ├── [4.0K] client
│ │ └── [ 673] client.go
│ ├── [4.0K] exploit
│ │ └── [1.0K] exploit.go
│ ├── [4.0K] runner
│ │ └── [ 839] runner.go
│ └── [4.0K] utils
│ └── [ 709] utils.go
├── [2.4K] README.md
└── [4.0K] static
└── [325K] cve.png
9 directories, 11 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。