来源

关联漏洞

描述

Delivering PHP RCE (CVE-2024-4577) to the Local Network Servers

介绍

# PHP-CGI-INTERNAL-RCE

* This PoC demonstrates how an attacker can chain [Orange Tsai's](https://x.com/orange_8361) `CVE-2024-4577` with DNS rebinding to achieve remote code execution on internal network infrastructure directly through the victim’s web browser. By bypassing `Same-Origin Policy (SOP)` and exploiting vulnerable `PHP-CGI` instances running on `local XAMPP servers`, internal development environments, or corporate networks, this attack enables full code execution on systems never intended to be exposed to the internet.

# BLOG 

* https://www.hackandhide.com/your-browser-is-now-your-enemy-delivering-php-rce-to-your-local-servers/

# Setup

* Register at [duckdns](https://www.duckdns.org/)
* Create a subdomain (e.g., example.duckdns.org)
* Note your DuckDNS token from the dashboard
* Configure server.py:

  ```python pythonPUBLIC_IP = "YOUR_PUBLIC_IP"           # Your server's public IP
  DUCKDNS_DOMAIN = "your-subdomain"      # Your DuckDNS subdomain
  DUCKDNS_TOKEN = "your-token-here"      # Your DuckDNS token  
  ```

* to configure a custom payload, locate this line in `client.html` and replace it with your payload.
  ```js
  const payload = `<?php system('calc');?>;echo 1337; die;`;
  ```
* Also, you can modify the list of IPs. As we explained in the article, if you want to implement internal network scanning, you can use the JavaScript snippet I showed there. In this PoC, I’ll be using a predefined list of common IPs to keep it simple and fast
  
##  Dependencies:
  * requests

# VIDEO

https://github.com/user-attachments/assets/90abef27-28d0-4473-88e9-5e285a5cc667

##
* It never needed to be online… to be safe."

文件快照

 [4.0K]  /data/pocs/4f0320f38fd5fab266e6019b94da4731ff1b23d4
├── [7.8K]  client.html
├── [1.6K]  README.md
└── [4.7K]  server.py

0 directories, 3 files

备注