Share
## https://sploitus.com/exploit?id=834AA37A-EE2D-5B39-88FC-8D7E4C703CBE
# CVE-2024-44902 - ThinkPHP Insecure Deserialization RCE

Vulnerable test environment for [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) validation.

## Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2024-44902 |
| **Severity** | Critical (CVSS 9.8) |
| **Product** | ThinkPHP |
| **Affected Versions** | 6.1.3 - 8.0.4 |
| **Type** | Insecure Deserialization โ†’ RCE |
| **CWE** | CWE-502 |

### Description

ThinkPHP versions 6.1.3 through 8.0.4 contain an insecure deserialization vulnerability. When the Memcached PHP extension is installed, attackers can execute arbitrary code by sending malicious serialized data to an endpoint that calls `unserialize()` on user input.

The exploit leverages a gadget chain through ThinkPHP's internal classes:
```
ResourceRegister โ†’ DbManager โ†’ Memcached โ†’ Pivot โ†’ Model
```

## Quick Start

### One-liner
```bash
docker compose up -d && nuclei -t CVE-2024-44902.yaml -u http://localhost:8080
```

### Step by Step
```bash
# Start vulnerable environment
docker compose up -d

# Wait for container to be ready (~30 seconds on first build)
sleep 30

# Verify it's running
curl http://localhost:8080

# Test with nuclei template
nuclei -t path/to/CVE-2024-44902.yaml -u http://localhost:8080 -debug

# Cleanup
docker compose down
```

## Environment Details

- **Base Image**: php:8.0.7-apache
- **Framework**: ThinkPHP 8.0.4
- **PHP Extension**: Memcached 3.2.0
- **Vulnerable Endpoint**: `/?data=`
- **Port**: 8080

## Expected Results

### Vulnerable Target (should detect)
```bash
$ nuclei -t CVE-2024-44902.yaml -u http://localhost:8080
[CVE-2024-44902] [http] [critical] http://localhost:8080/?data=...
```

### Clean Target (should NOT detect)
```bash
$ nuclei -t CVE-2024-44902.yaml -u http://localhost:8090  # httpd:latest
# No results
```

## References

- [NVD CVE-2024-44902](https://nvd.nist.gov/vuln/detail/CVE-2024-44902)
- [GitHub Advisory GHSA-f4wh-359g-4pq7](https://github.com/advisories/GHSA-f4wh-359g-4pq7)
- [GitLab Advisory](https://advisories.gitlab.com/pkg/composer/topthink/framework/CVE-2024-44902/)

## Disclaimer

โš ๏ธ **This is a DELIBERATELY VULNERABLE environment for security testing ONLY.**

- Do NOT deploy in production
- Do NOT expose to the internet
- Use only for authorized security testing
- Intended for nuclei template validation

## Author

Created by [KrE80r](https://github.com/KrE80r) for nuclei-templates bounty validation.