nuclei-templates/vulnerabilities/php/php-xdebug-rce.yaml

id: php-xdebug-rce

info:
  name: Xdebug remote code execution via xdebug.remote_connect_back
  author: pwnhxl
  severity: high
  description: |
    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
  tags: php,debug,xdebug,oast,rce

requests:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								id: php-xdebug-rce
 								info:
-												fix-template
											
										
										
											2023-03-16 21:01:48 +00:00
+								  name: Xdebug remote code execution via xdebug.remote_connect_back
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								  author: pwnhxl
 								  severity: high
-												fix-template
											
										
										
											2023-03-16 21:01:48 +00:00
+								  description: |
 								    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								  reference:
 								    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
 								    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
 								    - https://paper.seebug.org/397/
-												fix-template
											
										
										
											2023-03-16 21:01:48 +00:00
+								    - https://github.com/D3Ext/XDEBUG-Exploit
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								  tags: php,debug,xdebug,oast,rce
 								requests:
 								  - raw:
 								      - |
 								        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
 								        Host: {{Hostname}}
 								        X-Forwarded-For: {{interactsh-url}}
 								    matchers-condition: and
 								    matchers:
 								      - type: word
 								        part: interactsh_protocol
 								        words:
 								          - "dns"
 								      - type: word
 								        part: header
 								        words:
 								          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'
 								      - type: status
 								        status:
 								          - 200