
CVE-2024-4577 PoC: PHP OS Command Injection Vulnerability

Source
Related vulnerability
Title: PHP OS Command Injection Vulnerability (CVE-2024-4577)
Description: PHP is a scripting language executed on the server side. PHP has an OS command injection vulnerability: under specific conditions, Windows uses "Best-Fit" behaviour to substitute characters in the command line, which can cause the PHP CGI module to misinterpret those characters as PHP options, leading to disclosure of script source code, execution of arbitrary PHP code on the server, and more. The following versions are affected: 8.1 before 8.1.29, 8.3 before 8.3.8, 8.2 before 8.2.20.
Introduction
# CVE-2024-4577

## Overview

CVE-2024-4577 is a security vulnerability that affects PHP servers in the following versions:
- PHP 8.3.x (8.3.8 and earlier)
- PHP 8.2.x (8.2.20 and earlier)
- PHP 8.1.x (8.1.29 and earlier)
- All versions prior to 8.0
- Unsupported versions 7.x and 5.x

This vulnerability is a remote code execution (RCE) flaw that occurs when using PHP CGI (Common Gateway Interface) on Windows servers. The issue arises from Windows misinterpreting certain characters due to the use of "Best Fit" character mapping in some language settings. In this case, the PHP CGI module interprets malicious characters as PHP options, allowing attackers to execute malicious commands on the server.

## Exploitation Process

1. **Initial Attack Vector:**
   To exploit the vulnerability, append the following string to the URL of the vulnerable site:
   `?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input`

   Use Burp Suite to intercept this request and send it to the Repeater.

2. **Change the Request Method:**
   Convert the intercepted request to a POST method and send a simple PHP snippet in the request body, for example:

   `<?php phpinfo();`

## Continuation of the Exploitation Process

If the vulnerability exists, the response will contain the `phpinfo()` output, including the PHP version.

### Executing Malicious Code
Various methods can be applied depending on the attacker's objectives. My preferred method was to define an execution in the Windows startup directory using Burp Suite. I converted the `reverseshell.ps1` script into an executable (exe) and placed it there.

### Ransomware Deployment
Similarly, I uploaded the `ransomware.ps1` file to the system and successfully exfiltrated documents, leaving behind only their encrypted versions.

## Analysis Phase
Before starting the attack, process creation auditing (Security event ID 4688) must be enabled. Upon analyzing the 4688 security logs on my Windows machine, I found that the attack originated from Apache under XAMPP. When I checked the `Access.log` files, I encountered an abnormal request that returned a 200 status code, which prompted me to search for this URL in my browser. I identified the vulnerability and took precautions, such as updating the PHP version or disabling the PHP CGI feature.
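As an added example (not code from the original PoC repository), the access-log check described above can be automated: the scanner below parses constructed Apache Common Log Format lines (client addresses from the 192.0.2.0/24 documentation range are assumed) and flags requests whose query string, once percent-decoded, contains the soft-hyphen byte 0xAD followed by an option letter, the pattern from the request string shown earlier.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache Common Log Format (not from the page or the PoC repo).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2024:12:00:01 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 5123
192.0.2.11 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 812
192.0.2.12 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?name=foo%AD%20bar HTTP/1.1" 200 640
"""

# Apache Common Log Format: client, ident, user, [time], "request line", status, size.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Byte 0xAD (soft hyphen) directly followed by an option letter: Windows best-fit
# mapping turns it into "-d", which php-cgi then parses as a command-line option.
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[A-Za-z]")

# php.ini directives used in the request shown above; their presence raises severity.
DIRECTIVES = (b"allow_url_include", b"auto_prepend_file")


def inspect_request(target):
    """Return a finding dict for a suspicious request target, or None if clean."""
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    raw = unquote_to_bytes(query)  # decode %XX so the 0xAD byte becomes visible
    if not SOFT_HYPHEN_OPTION.search(raw):
        return None
    return {
        "query": query,
        "directives": [d.decode() for d in DIRECTIVES if d in raw],
        # A query with no literal "=" is handed to the CGI binary as argv (RFC 3875).
        "cgi_argv_form": "=" not in query,
    }


def scan_access_log(text):
    """Scan access.log text; return one finding per line matching the pattern."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, when, method, target, status, _size = m.groups()
        hit = inspect_request(target)
        if hit:
            findings.append({"client": client, "time": when, "method": method,
                             "status": int(status), **hit})
    return findings
```

Run `scan_access_log` over a real `access.log` and treat any finding with a 200 status as a confirmed hit that warrants the 4688 and PowerShell log review described in this section.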

### Security Log Examination
Since the ransomware I created was not obfuscated, my code is visible in the PowerShell logs. This shows how I encrypted the data. To recover my data, I ran the `encoded.ps1` file.

## Conclusion
This simulation highlights the potential risks associated with CVE-2024-4577 and emphasizes the importance of securing PHP installations. Keeping PHP updated and preventing misconfigurations of CGI settings can effectively reduce such vulnerabilities.
File snapshot

[4.0K] /data/pocs/19f418e072c9e031e6a1b984073293972540f8b6
├── [ 605] encoded.ps1
├── [2.0K] ransomware.ps1
├── [2.7K] README.md
└── [ 739] reverseshell.ps1

0 directories, 4 files