Related vulnerability
Title:
PHPUnit security vulnerability
(CVE-2017-9841)
Description: TYPO3 is a free, open-source content management system maintained by the Swiss TYPO3 Association. PHPUnit is a PHP-based testing framework included in it. The Util/PHP/eval-stdin.php file in PHPUnit versions before 4.8.28 and 5.x versions before 5.6.3 contains a security vulnerability. A remote attacker can exploit it to execute arbitrary PHP code by sending HTTP POST data that begins with the string '<?php'.
Description
phpunit-shell | CVE_2017-9841
Introduction
# phpunit-shell ⭐
A simple Python 3 script to exploit CVE-2017-9841.
## the exploit - CVE-2017-9841 ❗
A simple script that exploits a remote code execution vulnerability found in
PHPUnit before 4.8.28 and 5.x before 5.6.3. It makes a POST request to the
target carrying user-supplied system commands.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841.
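The advisory text above gives a defender two concrete handles: the affected version ranges (before 4.8.28, and 5.x before 5.6.3) and the request shape (a POST to `Util/PHP/eval-stdin.php`). The following Python turns both into checks: a version comparison for an installed PHPUnit, and a scan of web-server access log lines for requests to the vulnerable file. This is an added example, not code from the phpunit-shell project; the log lines are constructed, and the assumption that a POST answered with HTTP 200 is the interesting case follows from the description of how the script works.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed releases named in the advisory: everything below 4.8.28 is affected,
# and so is any 5.x release below 5.6.3. 6.x is not mentioned, so it is not flagged.
FIXED_4 = (4, 8, 28)
FIXED_5 = (5, 6, 3)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '4.8.27' (optionally with a suffix like '-beta') into (4, 8, 27)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised PHPUnit version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(v: str) -> bool:
    """True when an installed PHPUnit version falls inside an affected range."""
    ver = parse_version(v)
    if ver < FIXED_4:
        return True
    if ver[0] == 5 and ver < FIXED_5:
        return True
    return False


# Apache/nginx "combined"-style access log line; the size field may be '-'.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The file named in the advisory, wherever under the web root it was deployed.
EVAL_STDIN = re.compile(r"/Util/PHP/eval-stdin\.php(?:$|\?)", re.IGNORECASE)


def find_eval_stdin_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every parsed request whose path points at eval-stdin.php."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip it
        if EVAL_STDIN.search(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


def likely_successful_sources(hits: List[Dict[str, object]]) -> List[str]:
    """Source IPs whose POST to eval-stdin.php was answered with 200.

    A GET or a 404 is a probe against a file that is absent; a POST that
    returns 200 means the file exists and accepted a body, which is the
    condition the vulnerability needs (assumption based on the description)."""
    return sorted({h["ip"] for h in hits if h["method"] == "POST" and h["status"] == 200})


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] '
    '"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 48',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] '
    '"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 211',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /robots.txt HTTP/1.1" 200 -',
]


if __name__ == "__main__":
    for v in ("4.8.27", "4.8.28", "5.6.2", "5.6.3", "6.0.0"):
        print(f"PHPUnit {v}: {'affected' if is_vulnerable_version(v) else 'not affected'}")
    for h in find_eval_stdin_requests(SAMPLE_LOG):
        print(f"{h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("likely successful from:", likely_successful_sources(SAMPLE_LOG and find_eval_stdin_requests(SAMPLE_LOG)))
```

The permanent fix is to upgrade PHPUnit (or, better, not ship a dev dependency such as `vendor/phpunit` to a web root at all); the log scan is only there to find out whether anyone has already reached the file.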
***
## prerequisites ✔
* python3
* the `requests` and `bs4` modules for Python 3, which can be installed with:
```bash
pip3 install requests bs4
```
***
## usage ℹ
After identifying a target running PHPUnit:
```bash
chmod +x phpunit-shell
./phpunit-shell -h
```
or
```bash
python3 phpunit-shell -h
```
The -h or --help option shows how to run the script, with a few examples.
There are two positional arguments and a few optional arguments.
```text
usage: phpunit-shell.py [-h] [-a] [-n] address
phpunit-shell.py exploits an RCE vulnerability in
applications running PHPUnit before 4.8.28 and 5.x before 5.6.3.
positional arguments:
address ip/hostname, port, sub-directories to the vulnerable eval-stdin.php file.
optional arguments:
-h, --help show this help message and exit
-a, --accessible turns off features which may negatively affect screen readers
-n, --no-colour removes colour output
example:
phpunit-shell.py 10.10.10.10/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```
### --accessible argument:
By default, `phpunit-shell` prints in colour and with some additional formatting to the terminal, but this is not always helpful for people who use screen readers. Using the `--accessible` argument disables the fancy formatting and colour in the terminal output.
It also disables the ASCII art.
***
## limitations ⚠
The script cannot make assumptions about the system it is targeting or about the limitations of the user/service running the vulnerable application, i.e. this is not a full shell, so changing directories cannot be achieved and longer commands may not be possible.
It's more of a simple, quick half-shell 🐢 designed as a gateway to further exploitation - and an eventual full shell, privesc, etc... 👍
The script also uses a timeout of 30 seconds for requests; this can be changed or turned off altogether by editing the script.
The PHP function `shell_exec` is used by default, but this can also be changed if the user wishes, e.g. using `system` instead.
## notes 📝
The script was mainly an exercise in creating a simple Python script to exploit CVE-2017-9841 and speed up further exploitation.
***
## credits 👍
https://skerritt.blog/a11y/ - accessibility implementation.
File snapshot
[4.0K] /data/pocs/c95c8a9512e8f4dc540f5326f927d870fbbcc112
├── [5.1K] phpunit-shell
└── [2.5K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.