关联漏洞
标题:
PHP 操作系统命令注入漏洞
(CVE-2024-4577)
描述:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
介绍
# CVE-2024-4577: PHP CGI Argument Injection (XAMPP) 💀
## Features ✨
- Multi-threaded scanning
- Single URL or bulk URL checks from a file
- Interactive exploitation shell
## Installation 💻
Get started by cloning the repository and installing dependencies:
```bash
git clone https://github.com/Chocapikk/CVE-2024-4577.git
cd CVE-2024-4577
pip install -r requirements.txt
```
## Usage 🔑
Run CVE-2024-4577 with these examples:
```bash
# Test a single URL
python exploit.py --url "http://example.com/"
# Test multiple URLs from a file
python exploit.py --file urls.txt
# Save vulnerable URLs
python exploit.py --file urls.txt --output vulnerable_urls.txt
```
## Ethical Disclaimer ⚠️
This tool is intended for ethical security testing only. Using it without authorization is illegal and unethical. Users are responsible for adhering to all relevant laws.
## Personal Note on Public Disclosure 📘
I released my code publicly to address the irresponsible ways critical vulnerabilities are often disclosed. People have already shared the correct method to exploit this vulnerability, but many are still publishing flawed or fabricated exploits for attention. Additionally, media outlets tend to create unnecessary fear by broadcasting incorrect or unverified claims. This misleads everyone from the people who need to patch systems to researchers, and it negatively impacts the defensive side of cybersecurity. The lack of accuracy and accountability in these practices is very troubling to me.
文件快照
[4.0K] /data/pocs/b4c8659b7be7d60f7d0996985b9229e3ce856567
├── [6.2K] exploit.py
├── [1.5K] README.md
└── [ 96] requirements.txt
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。