关联漏洞
标题:
PHP 操作系统命令注入漏洞
(CVE-2024-4577)
描述:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
描述
Delivering PHP RCE (CVE-2024-4577) to the Local Network Servers
介绍
# PHP-CGI-INTERNAL-RCE
<div align="center">
<img width="400" height="400" alt="image" src="https://github.com/user-attachments/assets/cb74a312-7854-471f-ad94-11935f7ed4ae" />
</div>
##
* This PoC demonstrates how an attacker can chain [Orange Tsai's](https://x.com/orange_8361) `CVE-2024-4577` with DNS rebinding to achieve remote code execution on internal network infrastructure directly through the victim’s web browser. By bypassing `Same-Origin Policy (SOP)` and exploiting vulnerable `PHP-CGI` instances running on `local XAMPP servers`, internal development environments, or corporate networks, this attack enables full code execution on systems never intended to be exposed to the internet.
# BLOG
* https://www.hackandhide.com/your-browser-is-now-your-enemy-delivering-php-rce-to-your-local-servers/
# Setup
* Register at [duckdns](https://www.duckdns.org/)
* Create a subdomain (e.g., example.duckdns.org)
* Note your DuckDNS token from the dashboard
* Configure server.py:
```python pythonPUBLIC_IP = "YOUR_PUBLIC_IP" # Your server's public IP
DUCKDNS_DOMAIN = "your-subdomain" # Your DuckDNS subdomain
DUCKDNS_TOKEN = "your-token-here" # Your DuckDNS token
```
* to configure a custom payload, locate this line in `client.html` and replace it with your payload.
```js
const payload = `<?php system('calc');?>;echo 1337; die;`;
```
* Also, you can modify the list of IPs. As we explained in the article, if you want to implement internal network scanning, you can use the JavaScript snippet I showed there. In this PoC, I’ll be using a predefined list of common IPs to keep it simple and fast
## Dependencies:
* requests
# VIDEO
https://github.com/user-attachments/assets/90abef27-28d0-4473-88e9-5e285a5cc667
##
* It never needed to be offline… to be safe."
文件快照
[4.0K] /data/pocs/828655a10633d93bcb1567b17a03e7705e65669b
├── [7.8K] client.html
├── [1.8K] README.md
└── [4.7K] server.py
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。