Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2024-1874 PoC — Command injection via array-ish $command parameter of proc_open()

Source
https://github.com/Tgcohce/CVE-2024-1874
Associated Vulnerability
Title:Command injection via array-ish $command parameter of proc_open() (CVE-2024-1874)
Description:In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
Description
Proof Of Concept for CVE-2024-1874
Readme
# CVE-2024-1874
Proof Of Concept for CVE-2024-1874 [https://nvd.nist.gov/vuln/detail/CVE-2024-1874]

### Command Injection via Array-ish $command Parameter of proc_open() (bypass CVE-2024-1874 fix)

***The CVE:*** In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

I have created 2 different simple proof of concept exploits for the CVE 2024-1874 in Python and in PHP
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →