first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
phpunit/CVE-2017-9841/1.png
Normal file
BIN
phpunit/CVE-2017-9841/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 52 KiB |
34
phpunit/CVE-2017-9841/README.md
Normal file
34
phpunit/CVE-2017-9841/README.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# PHPUnit Remote Code Execution (CVE-2017-9841)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
PHPUnit is a programmer-oriented testing framework for PHP.
|
||||
|
||||
`Util/PHP/eval-stdin.php` in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a `<?php` substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the `/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php` URI.
|
||||
|
||||
The `Util/PHP/eval-stdin.php`'s vulnerable code:
|
||||
|
||||
```php
|
||||
eval('?>'.file_get_contents('php://input'));
|
||||
```
|
||||
|
||||
Reference links:
|
||||
|
||||
- http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/
|
||||
- https://www.ovh.com/blog/cve-2017-9841-what-is-it-and-how-do-we-protect-our-customers/
|
||||
|
||||
## Vulnerable environment
|
||||
|
||||
Execute following command to start a Apache web server, which contains the PHPUnit 5.6.2 in the Web directory.
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
Open the `http://your-ip:8080` to see the index page util Web server is running.
|
||||
|
||||
## Exploit
|
||||
|
||||
Send the request to `http://your-ip:8080/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`, which contains any PHP code within the body:
|
||||
|
||||
|
||||
33
phpunit/CVE-2017-9841/README.zh-cn.md
Normal file
33
phpunit/CVE-2017-9841/README.zh-cn.md
Normal file
@@ -0,0 +1,33 @@
|
||||
# phpunit 远程代码执行漏洞(CVE-2017-9841)
|
||||
|
||||
composer是php包管理工具,使用composer安装扩展包将会在当前目录创建一个vendor文件夹,并将所有文件放在其中。通常这个目录需要放在web目录外,使用户不能直接访问。
|
||||
|
||||
phpunit是php中的单元测试工具,其4.8.19 ~ 4.8.27和5.0.10 ~ 5.6.2版本的`vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`文件有如下代码:
|
||||
|
||||
```php
|
||||
eval('?>'.file_get_contents('php://input'));
|
||||
```
|
||||
|
||||
如果该文件被用户直接访问到,将造成远程代码执行漏洞。
|
||||
|
||||
参考链接:
|
||||
|
||||
- http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/
|
||||
- https://www.ovh.com/blog/cve-2017-9841-what-is-it-and-how-do-we-protect-our-customers/
|
||||
|
||||
## 漏洞环境
|
||||
|
||||
执行如下命令启动一个php环境,其中phpunit被安装在web目录下。
|
||||
|
||||
```
|
||||
docker compose build
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
web环境将启动在`http://your-ip:8080`。
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
直接将PHP代码作为POST Body发送给`http://your-ip:8080/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`:
|
||||
|
||||
|
||||
6
phpunit/CVE-2017-9841/docker-compose.yml
Normal file
6
phpunit/CVE-2017-9841/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
version: '2'
|
||||
services:
|
||||
web:
|
||||
image: vulhub/phpunit:5.6.2
|
||||
ports:
|
||||
- "8080:80"
|
||||
Reference in New Issue
Block a user