Skip to content

Latest commit

 

History

History

CVE-2017-9841

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
phpunit-shell
phpunit-shell
 
 

README.md

phpunit-shell ⭐

a simple python3 script to exploit CVE-2017-9841.

the exploit - CVE-2017-9841 ❗

simple script that exploits a remote code execution vulnerability found in PHPUnit before 4.8.28 and 5.x before 5.6.3. makes a post request to the target with user input system commands.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841.

prerequisites ✔

  • python3
  • requests module and bs4 module for python3. can be installed with:
pip3 install requests bs4

usage ℹ

After identifying a target running phpunit:

chmod +x phpunit-shell
./phpunit-shell -h

or

python3 phpunit-shell -h

the -h or --help option shows how to run the script with a few examples.
there are two positional arguments and a few optional arguments.

usage: phpunit-shell.py [-h] [-a] [-n] address

phpunit-shell.py exploits an RCE vulnerability in
applications running PHPUnit before 4.8.28 and 5.x before 5.6.3.

positional arguments:
  address           ip/hostname, port, sub-directories to the vulnerable eval-stdin.php file.

optional arguments:
  -h, --help        show this help message and exit
  -a, --accessible  turns off features which may negatively affect screen readers
  -n, --no-colour   removes colour output

example:
        phpunit-shell.py 10.10.10.10/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

--accessible argument:

phpunit-shell by default, prints in colour and with some additional formatting to the terminal output, however this is not always helpful for those that use screenreaders. using the --accessible argument will disable fancy formatting and colour from being printed to the terminal.
it will also disable ascii art.

limitations ⚠

the script cannot make assumptions about the system it is targetting or the limitations of the user/service running the vulnerable application. ie. this is not a full-shell so changing directories cannot be achieved and longer commands may not be possible.
it's more of a simple, quick half-shell 🐢 designed as a gateway to further exploitation - and eventual full-shell, privesc, etc... 👍

the script also utilises a timeout of 30 seconds for requests, this can be changed or turned off altogether by editing the script.
php code 'shell_exec' is used by default but this can also be changed if the user wishes. eg using 'system' instead.

notes 📝

the script was mainly an exercise in creating a simple python script to exploit CVE-2017-9841 and speed up further exploitation.

credits 👍

https://skerritt.blog/a11y/ - accessibility implementation.