CVE-2024-4577 PoC — PHP 操作系统命令注入漏洞

Source

https://github.com/manuelinfosec/CVE-2024-4577

Associated Vulnerability

Title:PHP 操作系统命令注入漏洞 (CVE-2024-4577)
Description:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞，该漏洞源于在特定条件下，Windows系统使用“Best-Fit”行为替换命令行中的字符，这可能导致PHP CGI模块错误地将这些字符解释为PHP选项，从而泄露脚本的源代码，在服务器上运行任意PHP代码等。以下版本受到影响：8.1至8.1.29之前版本，8.3至8.3.8之前版本，8.2至8.2.20之前版本。

Description

Proof Of Concept RCE exploit for critical vulnerability in PHP <8.2.15 (Windows), allowing attackers to execute arbitrary commands.

Readme

# CVE-2024-4577: Critical Vulnerability in PHP's CGI Configurations

A severe security flaw exists in PHP's CGI mode that allows attackers to run arbitrary commands by manipulating URL parameters.

### Impacted Versions

- PHP versions before 7.4.29 and 8.0.19 on Windows running php-cgi.

### Attack Methodology

- Attackers can leverage this vulnerability by sending specially crafted requests to the PHP CGI script. These requests inject malicious parameters, enabling the execution of arbitrary commands. This can potentially result in complete system compromise.

## Usage Instructions

### Prerequisites

Before running the script, ensure you have Python 3 installed on your system. Additionally, you need the `requests` library for handling HTTP requests.

### Installing Dependencies

You can install the required dependencies using `pip`. If `pip` is not installed, follow the instructions [here](https://pip.pypa.io/en/stable/installation/).

1. Open your terminal or command prompt.
2. Run the following command to install the `requests` library:

```sh
pip install requests
```

### Running the Script

To check a target URL for the CVE-2024-4577 vulnerability, follow these steps:

- Execute the script using python3 with the target URL as an argument.

```sh
python3 exploit.py <target>
```

For instance, to test the URL http://example.com, run:

```sh
python3 exploit.py http://example.com
```

### Script Output

The script will test the provided target URL for the vulnerability and print the results to the console. It will indicate whether a potential vulnerability was found or if no vulnerability was detected.

```
(+) Potential vulnerability found at: http://example.com/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
(-) No vulnerability found at: http://example.com/php-cgi/php-cgi.exe?%ADd+allow_url_include
```

### Remediation Steps

1. Update PHP to the latest version.
2. Ensure input parameters are properly sanitized and validated.
3. Apply secure configuration settings to restrict CGI parameter processing.

## Credits

This vulnerability was found by Orange Tsai (@orange_8361)

File Snapshot


 [4.0K]  /data/pocs/84fffd19cde8a326967b2a4a330ced07e45d91d3
├── [2.3K]  exploit.py
├── [1.0K]  LICENSE
├── [2.1K]  README.md
└── [  16]  requirements.txt

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!