
CVE-2017-9841 PoC — PHPUnit Security Vulnerability

Source
Associated Vulnerability
Title: PHPUnit Security Vulnerability (CVE-2017-9841)
Description: TYPO3 is a free, open-source content management system maintained by the Swiss TYPO3 Association. PHPUnit is a PHP-based testing framework included with it. The Util/PHP/eval-stdin.php file in PHPUnit versions before 4.8.28 and 5.x versions before 5.6.3 contains a security vulnerability. A remote attacker can exploit it to execute arbitrary PHP code by sending HTTP POST data that begins with the string '<?php'.
Description
phpunit-shell | CVE_2017-9841
Readme
# phpunit-shell ⭐
a simple python3 script to exploit CVE-2017-9841.

## the exploit - CVE-2017-9841 ❗
simple script that exploits a remote code execution vulnerability found in
PHPUnit before 4.8.28 and 5.x before 5.6.3. it makes a POST request to the
target containing the system commands entered by the user.  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841.
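As an added defender-side example (not part of the phpunit-shell project), this Python snippet flags access-log requests to the eval-stdin.php path the CVE description names and applies the affected-version ranges stated above. The combined log format, the sample lines and the plain dotted version strings are constructed assumptions.

```python
import re

# Path suffix of the vulnerable file named in the CVE description on this page.
EVAL_STDIN_SUFFIX = "/util/php/eval-stdin.php"

# Assumption: logs are in Apache/nginx combined format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 404 210 "-" "curl/8.0"',
]


def find_eval_stdin_requests(log_lines):
    """Return (ip, method, path, status) for every request whose path ends in eval-stdin.php."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop any query string before comparing
        if path.lower().endswith(EVAL_STDIN_SUFFIX):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


def likely_executed(hits):
    """Subset of hits matching the pattern the README describes: a POST the server accepted (2xx)."""
    return [h for h in hits if h[1] == "POST" and 200 <= h[3] < 300]


def phpunit_is_vulnerable(version):
    """Affected ranges as stated on this page: before 4.8.28, and 5.x before 5.6.3.

    Assumption: plain dotted numeric versions such as "4.8.27"; other PHPUnit
    lines are not covered by the ranges on this page and are reported as not affected.
    """
    v = tuple(int(p) for p in version.strip().split("."))
    if v[0] == 5:
        return v < (5, 6, 3)
    return v < (4, 8, 28)
```

A GET that returns 404 tells you the path was probed but the file is absent; an accepted POST to an existing eval-stdin.php is the event to treat as a probable compromise.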
***

## prerequisites ✔
* python3
* requests module and bs4 module for python3. can be installed with:
```
pip3 install requests bs4
```
***

## usage ℹ
After identifying a target running phpunit:
```
chmod +x phpunit-shell
./phpunit-shell -h
```
or
```
python3 phpunit-shell -h
```
the -h or --help option shows how to run the script with a few examples.  
there are two positional arguments and a few optional arguments.
```
usage: phpunit-shell.py [-h] [-a] [-n] address

phpunit-shell.py exploits an RCE vulnerability in
applications running PHPUnit before 4.8.28 and 5.x before 5.6.3.

positional arguments:
  address           ip/hostname, port, sub-directories to the vulnerable eval-stdin.php file.

optional arguments:
  -h, --help        show this help message and exit
  -a, --accessible  turns off features which may negatively affect screen readers
  -n, --no-colour   removes colour output

example:
        phpunit-shell.py 10.10.10.10/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```
### --accessible argument:
`phpunit-shell` by default prints in colour and with some additional formatting to the terminal output; however, this is not always helpful for those who use screen readers. using the `--accessible` argument stops fancy formatting and colour from being printed to the terminal.  
it will also disable the ASCII art.
***

## limitations ⚠
the script cannot make assumptions about the system it is targeting or the limitations of the user/service running the vulnerable application, i.e. this is not a full shell, so changing directories cannot be achieved and longer commands may not be possible.  
it's more of a simple, quick half-shell 🐢 designed as a gateway to further exploitation - and an eventual full shell, privesc, etc... 👍

the script also uses a 30-second timeout for requests; this can be changed or turned off altogether by editing the script.  
the PHP function 'shell_exec' is used by default, but this can also be changed if the user wishes, e.g. using 'system' instead.

## notes 📝
the script was mainly an exercise in creating a simple python script to exploit CVE-2017-9841 and speed up further exploitation.
***

## credits 👍
https://skerritt.blog/a11y/ - accessibility implementation.
File Snapshot

[4.0K] /data/pocs/c95c8a9512e8f4dc540f5326f927d870fbbcc112
├── [5.1K] phpunit-shell
└── [2.5K] README.md

0 directories, 2 files