Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — PHP 操作系统命令注入漏洞

Source
https://github.com/PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough
Associated Vulnerability
Title:PHP 操作系统命令注入漏洞 (CVE-2024-4577)
Description:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
Description
This is an Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)
Readme
## Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)

[LetsDefend Write-up] PHP-CGI (CVE-2024–4577)


**Scenario:** Our Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) identified a potential attack targeting a critical system component at 12:05 PM UTC. This write-up details the investigation process to confirm the exploitation attempt and understand the attacker's actions.

**Investigation:**

1. **Understanding the Vulnerability (CVE-2024-4577):** 
    - Resources provided valuable insights into the vulnerability and potential exploitation methods.

2. **Identifying the Vulnerable PHP Version:**
    - Two methods were employed:
        - Analyzing `news.txt` for PHP update history.
        - Directly running `php.exe -v` to determine the version. 
    - **Vulnerable Version:** 8.2.19 

3. **Verifying PHP-CGI Configuration:**
    - Analyzed `httpd.conf` to confirm the directive enabling exploitability through `php-cgi.exe`.

4. **Identifying Attacker's IP:**
    - Examined `access.log` within the Apache logs directory.
    - **Attacker IP:** 192.168.110.1 

5. **Targeted Page:**
    - While the application primarily uses `upload.php`, the attacker might have used an `index.html` for testing purposes.
    - **Targeted Page:** ( Likely upload.php)

6. **Apache Version:**
    - Inspected `error.log` to determine the Apache version.
    - **Apache Version:** 2.4.59 

7. **Analyzing Executed Processes:**
    - Initial investigation using PECmd and Timeline Explorer revealed no suspicious activity.
    - Correlating access and error logs identified successful attack attempts.
    - Timeline Explorer identified the following processes executed after successful exploitation:
        - whoami.exe
        - calc.exe

**Exploit Identification:** The attacker exploited the zero-day vulnerability (CVE-2024-4577).

**Learning Outcomes:**

- This challenge provided hands-on experience with:
    - Investigating zero-day vulnerabilities (CVE-2024-4577)
    - Identifying vulnerable software versions
    - Analyzing exploit methods
    - Utilizing Prefetch for potential command detection

**Note:** This write-up excludes specific details like vulnerable version, attacker IP, and targeted page to avoid providing a blueprint for attackers. 



Badge Acquired
Cve 2024 4577
Php Cgi
Cybersecurity
Lets Defend
Letsdefendio

## Writeup By: ph1n3y
File Snapshot

 [4.0K]  /data/pocs/d901d3072ee8b267ea4b17eb12eced7243e1907c
└── [2.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.