nuclei-templates/cves/2017/CVE-2017-9841.yaml

37 lines
1.5 KiB
YAML

id: CVE-2017-9841
info:
name: CVE-2017-9841
author: Random-Robbie
severity: high
description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI
# Reference to exploit
# https://github.com/cyberharsh/Php-unit-CVE-2017-9841
# https://github.com/RandomRobbieBF/phpunit-brute
requests:
- method: GET
path:
- "{{BaseURL}}/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/laravel_api/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/api/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/apps/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/backup/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/oldsite/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/lib/phpunit/phpunit/phpunit"
- "{{BaseURL}}/modules/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/old/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/zend/vendor/phpunit/phpunit/phpunit"
- "{{BaseURL}}/yii/vendor/phpunit/phpunit/phpunit"
matchers-condition: and
matchers:
- type: word
words:
- "this version of phpunit requires php 5"
part: body
- type: status
status:
- 200