Related vulnerability
Title:
PHP OS command injection vulnerability
(CVE-2024-4577)
Description: PHP is a scripting language executed on the server side. PHP contains an OS command injection vulnerability. The flaw stems from the fact that, under specific conditions, Windows applies "Best-Fit" behavior to substitute characters on the command line, which can cause the PHP CGI module to misinterpret those characters as PHP options, leading to disclosure of script source code, execution of arbitrary PHP code on the server, and more. The following versions are affected: 8.1 up to (but not including) 8.1.29, 8.3 up to (but not including) 8.3.8, and 8.2 up to (but not including) 8.2.20.
Description
CVE-2024-4577 RCE PoC
Introduction
# CVE-2024-4577-RCE-PoC
*While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.*
**This vulnerability was found by [Orange Tsai (@orange_8361)](https://x.com/orange_8361) of [DEVCORE (@d3vc0r3)](https://x.com/d3vc0r3). Make sure to follow his outstanding research; our role was only to recreate and develop the exploit for this issue.**
* *Why is it necessary to rewrite the exploit script when there are already many publicly available PoCs online?*
1. Since many publicly available PoCs are based on the same original exploit, many vendors have used these PoCs as references and blocked certain keywords to prevent their exploitation. However, they often overlook blocking all potential exploit vectors. To address this, the script includes a simple mechanism for generating random parameters, as well as different LFI-to-RCE exploitation methods, to enhance the success rate of PHP CGI injection leading to RCE.
2. During a test where I was attempting to reproduce an environmental vulnerability, I discovered that my PoC consistently triggered an HTTP 500 error, regardless of adjustments. Since I was working in a vulnerable environment, I started investigating the cause of the error. Then, I recalled an [article by Devcore](https://devco.re/blog/2020/03/11/play-with-dotnet-viewstate-exploit-and-create-fileless-webshell/) mentioning that, in certain exploit scenarios, the server would return an HTTP 500 error, even though the RCE exploit was actually successful. With this in mind, I decided to test whether I could spawn calc.exe locally, and to my surprise, it worked—it was a blind RCE!
However, when I checked the Apache error log, I found an error referencing allow_url_include, despite the fact that the attack had executed successfully (and I still don't fully understand the root cause; if you have insights, please contact me). This led me to create an exploit that includes an option to test for blind RCE as well😊.
3. If your target is an operating system version prior to Windows 7, you can still escalate to a visible RCE or reverse shell through other methods. However, these techniques are outside the scope of this article, so we won’t go into detail. As a penetration tester or red team specialist, you should be able to find alternative solutions fairly quickly, which can be an interesting process😊.
File snapshot
[4.0K] /data/pocs/fa15cfbd7dc1052c0b0af71c7da991ea699c7959
└── [2.6K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.