Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Source
https://github.com/PhinehasNarh/CVE-2024-4577-Defend
Associated Vulnerability
Title:Argument Injection in PHP-CGI (CVE-2024-4577)
Description:In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Readme
## Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)

[LetsDefend Write-up] PHP-CGI (CVE-2024–4577)


**Scenario:** Our Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) identified a potential attack targeting a critical system component at 12:05 PM UTC. This write-up details the investigation process to confirm the exploitation attempt and understand the attacker's actions.

**Investigation:**

1. **Understanding the Vulnerability (CVE-2024-4577):** 
    - Resources provided valuable insights into the vulnerability and potential exploitation methods.

2. **Identifying the Vulnerable PHP Version:**
    - Two methods were employed:
        - Analyzing `news.txt` for PHP update history.
        - Directly running `php.exe -v` to determine the version. 
    - **Vulnerable Version:** 8.2.19 

3. **Verifying PHP-CGI Configuration:**
    - Analyzed `httpd.conf` to confirm the directive enabling exploitability through `php-cgi.exe`.

4. **Identifying Attacker's IP:**
    - Examined `access.log` within the Apache logs directory.
    - **Attacker IP:** 192.168.110.1 

5. **Targeted Page:**
    - While the application primarily uses `upload.php`, the attacker might have used an `index.html` for testing purposes.
    - **Targeted Page:** ( Likely upload.php)

6. **Apache Version:**
    - Inspected `error.log` to determine the Apache version.
    - **Apache Version:** 2.4.59 

7. **Analyzing Executed Processes:**
    - Initial investigation using PECmd and Timeline Explorer revealed no suspicious activity.
    - Correlating access and error logs identified successful attack attempts.
    - Timeline Explorer identified the following processes executed after successful exploitation:
        - whoami.exe
        - calc.exe

**Exploit Identification:** The attacker exploited the zero-day vulnerability (CVE-2024-4577).

**Learning Outcomes:**

- This challenge provided hands-on experience with:
    - Investigating zero-day vulnerabilities (CVE-2024-4577)
    - Identifying vulnerable software versions
    - Analyzing exploit methods
    - Utilizing Prefetch for potential command detection

**Note:** This write-up excludes specific details like vulnerable version, attacker IP, and targeted page to avoid providing a blueprint for attackers. 



Badge Acquired
Cve 2024 4577
Php Cgi
Cybersecurity
Lets Defend
Letsdefendio

## Writeup By: ph1n3y
File Snapshot

 [4.0K]  /data/pocs/e6102c8ebd8ed161d0694600c931903974df53cf
└── [2.4K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →