39 lines
1.5 KiB
YAML
39 lines
1.5 KiB
YAML
id: CVE-2017-9841
|
|
|
|
info:
|
|
name: CVE-2017-9841
|
|
author: Random-Robbie
|
|
severity: high
|
|
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
|
|
tags: cve,cve2017,php,phpunit,rce
|
|
|
|
# Reference to exploit
|
|
# https://github.com/cyberharsh/Php-unit-CVE-2017-9841
|
|
# https://github.com/RandomRobbieBF/phpunit-brute
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/laravel_api/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/api/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/apps/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/backup/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/oldsite/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/lib/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/modules/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/old/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/zend/vendor/phpunit/phpunit/phpunit"
|
|
- "{{BaseURL}}/yii/vendor/phpunit/phpunit/phpunit"
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "this version of phpunit requires php 5"
|
|
part: body
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|