CVE-2024-4577 PoC — Argument Injection in PHP-CGI

Associated Vulnerability

Title: Argument Injection in PHP-CGI (CVE-2024-4577)

Description: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Description: CVE-2024-4577 RCE PoC

Readme
# CVE-2024-4577-RCE-PoC

*While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.*

**This vulnerability was found by [Orange Tsai (@orange_8361)](https://x.com/orange_8361) of [DEVCORE (@d3vc0r3)](https://x.com/d3vc0r3). Make sure to follow his outstanding research; our role was only to recreate and develop the exploit for this issue.**

* *Why is it necessary to rewrite the exploit script when there are already many publicly available PoCs online?*
  1. Since many publicly available PoCs are based on the same original exploit, many vendors have used these PoCs as references and blocked certain keywords to prevent their exploitation. However, they often overlook blocking all potential exploit vectors. To address this, the script includes a simple mechanism for generating random parameters, as well as different LFI-to-RCE exploitation methods, to enhance the success rate of PHP CGI injection leading to RCE.
  2. During a test where I was attempting to reproduce an environmental vulnerability, I discovered that my PoC consistently triggered an HTTP 500 error, regardless of adjustments. Since I was working in a vulnerable environment, I started investigating the cause of the error. Then, I recalled an [article by Devcore](https://devco.re/blog/2020/03/11/play-with-dotnet-viewstate-exploit-and-create-fileless-webshell/) mentioning that, in certain exploit scenarios, the server would return an HTTP 500 error, even though the RCE exploit was actually successful. With this in mind, I decided to test whether I could spawn calc.exe locally, and to my surprise, it worked—it was a blind RCE!

      However, when I checked the Apache error log, I found an error referencing allow_url_include, despite the fact that the attack had executed successfully (and I still don't fully understand the root cause; if you have insights, please contact me). This led me to create an exploit that includes an option to test for blind RCE as well😊.
  3. If your target is an operating system version prior to Windows 7, you can still escalate to a visible RCE or reverse shell through other methods. However, these techniques are outside the scope of this article, so we won’t go into detail. As a penetration tester or red team specialist, you should be able to find alternative solutions fairly quickly, which can be an interesting process😊.
File Snapshot

[4.0K] /data/pocs/fa15cfbd7dc1052c0b0af71c7da991ea699c7959
└── [2.6K] README.md

0 directories, 1 file