Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — PHP 操作系统命令注入漏洞

Source
https://github.com/a1ex-var1amov/ctf-cve-2024-4577
Associated Vulnerability
Title:PHP 操作系统命令注入漏洞 (CVE-2024-4577)
Description:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
Readme
# CVE-2024-4577 CTF Challenge

## Overview
This CTF challenge demonstrates CVE-2024-4577, a critical PHP CGI argument injection vulnerability affecting PHP versions 8.1.x < 8.1.21, 8.2.x < 8.2.8, and 8.3.x < 8.3.1.

## Vulnerability Details
CVE-2024-4577 is a PHP CGI argument injection vulnerability that occurs when PHP is configured to run as a CGI handler. Attackers can inject command-line arguments to the PHP interpreter through crafted HTTP requests, potentially leading to remote code execution.

## Challenge Description
You are given access to a vulnerable PHP application running on a web server. Your goal is to exploit the CVE-2024-4577 vulnerability to read the flag file located at `/flag.txt`.

## Files
- `vulnerable-app/` - The vulnerable PHP application
- `attack-scripts/` - Automated attack scripts
- `kubernetes/` - Kubernetes deployment manifests
- `docker/` - Docker configuration files

## Getting Started

### For Local Testing
1. Deploy the vulnerable application using the provided Kubernetes manifests
2. Use the attack scripts to exploit the vulnerability
3. Read the flag file to complete the challenge

### For Internet Deployment
1. Follow the [Internet Deployment Guide](INTERNET_DEPLOYMENT.md)
2. Deploy to GKE/EKS with LoadBalancer service
3. Configure DNS to point to your external IP
4. The CTF will be accessible worldwide for participants

## Learning Objectives
- Understand PHP CGI argument injection vulnerabilities
- Learn about HTTP request smuggling techniques
- Practice web application security testing
- Gain experience with containerized application security

## Disclaimer
This CTF is for educational purposes only. Do not use these techniques against systems you don't own or have explicit permission to test.
File Snapshot

 [4.0K]  /data/pocs/513b58295952a544e8f10a5e0b354685dc9f1eb7
├── [4.0K]  attack-scripts
│   ├── [ 11K]  container-escape.py
│   ├── [5.1K]  exploit.py
│   ├── [4.9K]  exploit.sh
│   └── [  33]  requirements.txt
├── [7.7K]  CTF_WALKTHROUGH.md
├── [ 11K]  deploy-internet.sh
├── [7.6K]  DEPLOYMENT_GUIDE.md
├── [6.7K]  deploy.sh
├── [4.0K]  docker
│   ├── [4.0K]  ctf-frontend
│   │   ├── [7.4K]  index.html
│   │   └── [ 626]  nginx.conf
│   └── [ 900]  docker-compose.yml
├── [6.7K]  EKS_CHECKLIST.md
├── [ 11K]  EKS_DEPLOYMENT.md
├── [8.7K]  INTERNET_DEPLOYMENT.md
├── [4.0K]  kubernetes
│   ├── [ 850]  aws-credentials.yaml
│   ├── [4.2K]  configmap.yaml
│   ├── [3.6K]  deployment.yaml
│   ├── [1.9K]  ingress.yaml
│   ├── [ 132]  namespace.yaml
│   ├── [1.5K]  public-dns.yaml
│   └── [ 421]  service.yaml
├── [1.7K]  README.md
└── [4.0K]  vulnerable-app
    ├── [ 681]  Dockerfile
    ├── [ 948]  index.php
    ├── [  70]  info.php
    ├── [ 929]  nginx.conf
    └── [ 115]  start.sh

5 directories, 27 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.