PoC details: 19f418e072c9e031e6a1b984073293972540f8b6

Source
Related vulnerability
Title: PHP OS command injection vulnerability (CVE-2024-4577)
Description: PHP is a scripting language executed on the server side. PHP contains an OS command injection vulnerability that stems from the fact that, under specific conditions, Windows uses "Best-Fit" behaviour to substitute characters on the command line; this can cause the PHP CGI module to misinterpret those characters as PHP options, leading to disclosure of script source code, execution of arbitrary PHP code on the server, and so on. The following versions are affected: 8.1 up to but not including 8.1.29, 8.3 up to but not including 8.3.8, and 8.2 up to but not including 8.2.20.
Introduction
# CVE-2024-4577

## Overview

CVE-2024-4577 is a security vulnerability that affects PHP servers in the following versions:
- PHP 8.3.x (8.3.8 and earlier)
- PHP 8.2.x (8.2.20 and earlier)
- PHP 8.1.x (8.1.29 and earlier)
- All versions prior to 8.0
- Unsupported versions 7.x and 5.x

This vulnerability is a remote code execution (RCE) flaw in PHP running as CGI (Common Gateway Interface) on Windows servers. It arises because Windows applies "Best Fit" character mapping in some locales, so certain characters in the request are converted to ASCII look-alikes before they reach PHP. The PHP CGI module then interprets those characters as command-line options, allowing attackers to run arbitrary code on the server.

## Exploitation Process

1. **Initial Attack Vector:**
   To exploit the vulnerability, append the following string to the URL of the vulnerable site:
   `?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input`

   Use Burp Suite to intercept this request and send it to the Repeater.

2. **Change the Request Method:**
   Convert the intercepted request to a POST request and place a simple PHP snippet in the body, for example:

   `<?php phpinfo();`

## Continuation of the Exploitation Process

If the vulnerability exists, the output will display information related to the PHP version.

### Executing Malicious Code
Various methods can be applied depending on the attacker's objectives. My preferred method was to define an execution in the Windows startup directory using Burp Suite. I converted the `reverseshell.ps1` script into an executable (exe) and placed it there.

### Ransomware Deployment
Similarly, I uploaded the `ransomware.ps1` file to the system and successfully exfiltrated documents, leaving behind only their encrypted versions.

## Analysis Phase
Before starting the simulation, process-creation auditing (Windows Security event ID 4688) must be enabled. Upon analyzing the 4688 security logs on my Windows machine, I found that the attack originated from Apache under XAMPP. When I checked the `Access.log` files, I encountered an abnormal request that returned a 200 status code, prompting me to search for this URL in my browser. I identified the vulnerability and took precautions, such as updating the PHP version or disabling the PHP CGI feature.
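The access-log check described above can be automated. The following script is an added example for this page, not code from the PoC repository: it parses Apache access-log lines (constructed samples, not a real capture), percent-decodes each query string, applies the one Best-Fit mapping this CVE relies on (soft hyphen `0xAD` to ASCII `-`, an assumption about which character the PoC uses), and flags requests that php-cgi would receive as `-d <directive>=` options. It also uses the CGI rule that a query string containing no unencoded `=` is passed to the CGI program as command-line arguments (RFC 3875 §4.4), which is why the PoC request encodes `=` as `%3d`; a legitimate `-d` inside a normal `key=value` parameter is therefore not flagged.

```python
"""Detecting CVE-2024-4577-style requests in Apache access logs (added example).

Not part of the PoC repository. The Analysis Phase describes finding the intrusion
by spotting an abnormal request with a 200 status in the access log; this script
automates that check over constructed sample lines. It URL-decodes each query
string, applies the Best-Fit mapping the CVE abuses (soft hyphen 0xAD -> '-'),
and flags queries that PHP CGI would receive as "-d <directive>=" options.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache "common"/"combined" log prefix; the constructed samples below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directives named in the PoC request plus two more that php-cgi accepts via -d.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include",
    "auto_prepend_file",
    "auto_append_file",
    "cgi.force_redirect",
}

# "-d name=" with optional whitespace; anchored so "q=-d" inside a value is not an option.
OPTION_RE = re.compile(r"(?:^|\s)-d\s*([\w.]+)\s*=")


def split_query(path: str) -> str:
    """Return the raw (still percent-encoded) query string of a request path, or ''."""
    return path.split("?", 1)[1] if "?" in path else ""


def looks_like_argv(raw_query: str) -> bool:
    """RFC 3875 s4.4: a query string with no unencoded '=' is handed to the CGI
    program as command-line arguments. That is why the PoC encodes '=' as %3d."""
    return bool(raw_query) and "=" not in raw_query


def best_fit_normalize(raw_query: str) -> str:
    """Percent-decode the query and apply the one Best-Fit mapping modelled here:
    soft hyphen (0xAD) -> ASCII '-' (assumption: the only mapping the PoC relies on).
    Remaining bytes decode as Latin-1 so nothing is dropped."""
    raw = unquote_to_bytes(raw_query.replace("+", " "))
    return raw.replace(b"\xad", b"-").decode("latin-1")


def injected_directives(normalized_query: str) -> list:
    """php.ini directives the query would set through -d, lowercased."""
    return [name.lower() for name in OPTION_RE.findall(normalized_query)]


def is_cgi_option_injection(raw_query: str) -> bool:
    """True when the request would reach php-cgi as argv and sets a dangerous directive."""
    if not looks_like_argv(raw_query):
        return False
    names = injected_directives(best_fit_normalize(raw_query))
    return any(name in SUSPICIOUS_DIRECTIVES for name in names)


def scan_access_log(lines):
    """Return one dict per suspicious request; status 200 means the server accepted it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        raw_query = split_query(m["path"])
        if is_cgi_option_injection(raw_query):
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "status": int(m["status"]),
                "query": best_fit_normalize(raw_query),
            })
    return hits


# Constructed sample lines (not a real capture). The second reproduces the request
# shape shown in the Exploitation Process above; the others are controls.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0300] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2024:12:00:09 +0300] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1834',
    '198.51.100.7 - - [10/Jun/2024:12:00:15 +0300] "GET /php-cgi/php-cgi.exe?-d+auto_prepend_file%3dphp://input HTTP/1.1" 404 221',
    '10.0.0.8 - - [10/Jun/2024:12:00:20 +0300] "GET /search.php?q=-d+allow_url_include%3d1 HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} status={hit["status"]} query={hit["query"]!r}')
```

Run against a real `access.log` by replacing `SAMPLE_LOG` with the file's lines. A hit with status 200 is the pattern the author describes: the server accepted the option-injecting request, so the host should be treated as compromised until the 4688 and PowerShell logs from that time window have been reviewed.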

### Security Log Examination
Since the ransomware I created was not obfuscated, my code is visible in the PowerShell logs. This shows how I encrypted the data. To recover my data, I run the `encoded.ps1` file.

## Conclusion
This simulation highlights the potential risks associated with CVE-2024-4577 and emphasizes the importance of securing PHP installations. Keeping PHP updated and preventing misconfigurations of CGI settings can effectively reduce such vulnerabilities.
File snapshot

[4.0K] /data/pocs/19f418e072c9e031e6a1b984073293972540f8b6
├── [ 605] encoded.ps1
├── [2.0K] ransomware.ps1
├── [2.7K] README.md
└── [ 739] reverseshell.ps1

0 directories, 4 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for local PoCs. Thank you for your support.