PHP's imap_open() function, unless the mailbox string carries the /norsh flag, will try to preauthenticate an IMAP session by invoking rsh. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary, and because the server part of the mailbox string reaches ssh as command-line arguments, an ssh ProxyCommand option can be injected to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, PrestaShop, SuiteCRM and HostCMS, as well as a Custom target, which simply prints the exploit strings for use elsewhere. PrestaShop exploitation requires the admin URI and administrator credentials; SuiteCRM, e107 and HostCMS require administrator credentials.
5db80502619550a84a9d8068ff710ec5534f3d8a3239b812c7c114f85cc7972a
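As an added example (not part of the listing and not the exploit it describes), the check below shows the input-side shape of the problem: the server portion of an imap_open() mailbox string is what reaches ssh, so a host value containing whitespace or a leading dash must never get there, and /norsh should always be appended. The payload string, hostname regex and function names are constructed for illustration.

```python
import re

# Mailbox syntax follows PHP's documented imap_open() form: "{host:port/flags}mailbox".
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed payload in the shape the listing describes: the "server" part carries
# an ssh option, so the rsh -> ssh fallback runs ProxyCommand. Tabs are used inside
# the option value because the rsh command line is split on spaces only.
CONSTRUCTED_PAYLOAD = "{x -oProxyCommand=echo\tY2F0IC9ldGMvcGFzc3dk|base64\t-d|sh}INBOX"


def server_part(mailbox):
    """Return the text between '{' and the first '}' of an imap_open mailbox string."""
    if not mailbox.startswith("{") or "}" not in mailbox:
        raise ValueError("not an imap_open mailbox string")
    return mailbox[1 : mailbox.index("}")]


def looks_like_ssh_option_injection(mailbox):
    """True if the server part would be read by ssh as more than one argument."""
    srv = server_part(mailbox)
    # Any whitespace turns the host into several ssh arguments; a leading dash
    # makes the "host" itself an option.
    return re.search(r"\s", srv) is not None or srv.startswith("-")


def host_allowed(host):
    """Allow-list check: a plain DNS hostname, nothing else."""
    return HOSTNAME_RE.match(host) is not None


def safe_imap_mailbox(host, port=993, ssl=True, folder="INBOX"):
    """Build a mailbox string from an allow-listed host and always add /norsh."""
    if not host_allowed(host):
        raise ValueError(f"refusing host {host!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    flags = "/imap/ssl" if ssl else "/imap"
    return f"{{{host}:{port}{flags}/norsh}}{folder}"
```

The allow-list is the real control; the injection heuristic is only useful for triage of values already logged, since c-client tokenises the rsh command on spaces and a single tab or space is enough to smuggle an option.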
Firebase's PHP-JWT library suffers from an algorithm confusion vulnerability. Proof of concept code included.
bb3896b28adac75139b54397d609f1fd54d05c94094f3213dbc7a00f3fa5c0c6
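Added example, not the PHP-JWT proof of concept and not php-jwt's own code: the same algorithm confusion reproduced in Python with only the standard library. The forged token declares HS256 and is HMAC-signed with the bytes of the server's RSA public key; a verifier that lets the token's header choose the algorithm then validates it with the key it already holds. The PEM text and the RS256 stub are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's RSA public key. A real deployment holds a
# PEM string; the attack only needs its exact bytes, which are public by design.
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedkeybytes\n"
    b"-----END PUBLIC KEY-----\n"
)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(signing_input, key):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def rs256_verify(signing_input, sig, key):
    # RSA verification is out of scope for this stdlib-only example; a real verifier
    # would call openssl_verify() or an RSA library here. Returning False is the
    # conservative stand-in: this demo accepts no RS256 token at all.
    return False


def forge_token(claims, victim_public_key):
    """Attacker side: declare HS256 and use the server's public key as the HMAC secret."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    ).encode()
    sig = hs256_sign(signing_input, victim_public_key)
    return signing_input.decode() + "." + b64url(sig)


def verify_confused(token, key):
    """Vulnerable pattern: the token's alg header selects the algorithm."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    signing_input = f"{h}.{p}".encode()
    sig = b64url_decode(s)
    if header.get("alg") == "HS256":
        ok = hmac.compare_digest(sig, hs256_sign(signing_input, key))
    elif header.get("alg") == "RS256":
        ok = rs256_verify(signing_input, sig, key)
    else:
        ok = False
    return json.loads(b64url_decode(p)) if ok else None


def verify_pinned(token, key, expected_alg):
    """Hardened pattern: the caller pins the algorithm; the header must agree,
    and a public key is never used as an HMAC secret."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        return None
    signing_input = f"{h}.{p}".encode()
    sig = b64url_decode(s)
    if expected_alg == "HS256":
        ok = hmac.compare_digest(sig, hs256_sign(signing_input, key))
    elif expected_alg == "RS256":
        ok = rs256_verify(signing_input, sig, key)
    else:
        ok = False
    return json.loads(b64url_decode(p)) if ok else None


def demo():
    """Forge once, verify both ways; returns (confused_result, pinned_result)."""
    tok = forge_token({"sub": "admin", "role": "admin"}, PUBLIC_KEY_PEM)
    return verify_confused(tok, PUBLIC_KEY_PEM), verify_pinned(tok, PUBLIC_KEY_PEM, "RS256")
```

php-jwt's own fix was to make decode() take an explicit list of algorithms the caller accepts; verify_pinned() is the equivalent here. The general rule is that the key the server holds determines the algorithm, never the token.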
Exploit for the PHP 8.1.0-dev backdoor, which allows unauthenticated remote command injection.
f51b0d373568167c85b67d4b60c1a737739975e2f231f5619d8e1b7a3a1058f6
This Metasploit module exploits an underflow vulnerability in PHP-FPM versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 when running behind Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. This is a port of neex's original exploit code (see refs). First, it detects the correct parameters (query string length and custom header length) needed to trigger code execution; this step also determines whether the target is actually vulnerable (check method). Then, the exploit sets a series of PHP INI directives to create a file locally on the target, which enables code execution through a query string parameter. This is used to execute normal payload stagers. Finally, the module does some cleanup by killing the local PHP-FPM workers (the master process respawns them automatically) and removing the created local file.
b0bb267ae212db3146c03348b75e67574095c1e4c6cca10f25f575609f95bc2f
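Added example (not the Metasploit module's code): the configuration condition the module's check method depends on can also be found statically. The scanner below, run over a constructed nginx sample, flags location blocks that use fastcgi_split_path_info and hand PATH_INFO to FPM without first checking that the script file exists (a try_files $fastcgi_script_name =404 line or an if (!-f $document_root$fastcgi_script_name) guard), which is the shape neex's original proof of concept targets. The regex-based block parser is deliberately simple and does not handle nested braces.

```python
import re

# Constructed nginx sample (not from the listing). The first location is the
# exposed shape; the second adds the existence check that defeats the technique.
SAMPLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
    location ~ ^/admin/.*\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

# Matches "location <matcher> { ... }" where the body contains no nested block.
LOCATION_RE = re.compile(r"location\s+([^{]+)\{(.*?)\n\s*\}", re.S)
PATH_INFO_RE = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info")
IF_GUARD_RE = re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name")


def location_blocks(conf):
    """Return (matcher, body) pairs for each flat location block in the config text."""
    return [(m.group(1).strip(), m.group(2)) for m in LOCATION_RE.finditer(conf)]


def is_exposed_location(body):
    """Split regex + PATH_INFO passed to FPM, with no check that the script exists."""
    splits = "fastcgi_split_path_info" in body
    passes_path_info = PATH_INFO_RE.search(body) is not None
    guarded = ("try_files" in body and "$fastcgi_script_name" in body) or IF_GUARD_RE.search(body) is not None
    return splits and passes_path_info and not guarded


def find_exposed_locations(conf):
    """Matchers of the location blocks worth testing with the module's check method."""
    return [matcher for matcher, body in location_blocks(conf) if is_exposed_location(body)]
```

A hit here is a candidate, not a confirmation: the PHP-FPM version range in the entry still has to apply, which is what the module's check method establishes dynamically.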
Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective, as a malicious script can bypass them by writing to its own process memory on Linux. Proof of concept code included.
a746a7f8973556b23ebea90b00627034fee20f44dce632fd39f31dcfa7483ceb
Whitepaper called PHP Source Code Analysis. Written in Turkish.
eed125e2cc2676aec303d76c9979e0735faf36491551cb904ab2c7ddf56da611
In this article, the author explores ways to bypass protection methods using PHP stream wrappers, which are responsible for protocol-related tasks such as downloading data from a web or FTP server and exposing it so that it can be handled with PHP's stream functions.
eb1b419125c1b9aa31bd933a42cb8186ad467dc3e63433095d4ed7b2fb2a7128
This is a simple set of things to grep for that will help identify potential vulnerabilities in PHP code.
8700fa18f507e86dc84f2e92e04b5abdb40ce92fcbade4663491cd4222cd6069
This is a collection of PHP backdoors to be used for testing purposes.
997ab3e72c4fbfbfe776d677c590bd7dc9957932824d7df93b620c71def18bec
This Metasploit module exploits a remote code execution vulnerability in PHP Utility Belt, a set of tools for PHP developers that should not be installed in a production environment, since running arbitrary PHP code is intended functionality of this application.
2e8528e3811c7d93f83ce9f7eaaa80a6321b298dc7b5c63c52212036dbd43291
A use-after-free vulnerability was discovered in unserialize() during deserialization of SplDoublyLinkedList objects; it can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
0871a6862315dddb4b458e935baa1d9975da14b6a2a6fe621eb91c225e281bb8
A use-after-free vulnerability was discovered in unserialize() during deserialization of SplObjectStorage objects; it can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
671f2a7c738b31dc6a03417ab29ce95089173d2f3c6b80d8f3156839a758dae5
A use-after-free vulnerability was discovered in unserialize() during deserialization of SPL ArrayObject objects; it can be abused to leak arbitrary memory blocks or execute arbitrary code remotely.
bdc3dd33954af63076460ec415aa1687a2a7bb0690e51d14cc41bd321bce45d0
High-Tech Bridge Security Research Lab discovered a use-after-free vulnerability in PHP which can be exploited to crash the interpreter and possibly execute arbitrary code on the target system. The vulnerability resides in the 'spl_heap_object_free_storage()' function, which dereferences already freed memory. A local attacker can cause a segmentation fault or possibly execute arbitrary code on the target system with the privileges of the web server.
97375f017fbc6339f20309d1873f364d4f4bb2e3171ae12a6883001f4efb66fc
A type confusion vulnerability was discovered in the Exception object's __toString()/getTraceAsString() methods; it can be abused to leak arbitrary memory blocks or trigger a heap overflow.
b3a8329c29d10dca9d7ddc4c0f46af58e29999c11da31e6009cf9c41975e1db6
Laravel Framework versions since 4.1 suffer from a PHP object injection vulnerability when encryption is turned off.
77f22e2a8757288c75c6f2b204358f81cc4f63d582e81dad74eced0ce382209a
This is a proof of concept that demonstrates how the Bash shellshock vulnerability can be used in PHP to bypass disable_functions, safe_mode, etc.
b9bd9444e5105c1afeb7ec6b5e23447262e07246b635b19251ef95b61a88d237
This Metasploit module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity Forms plugin, versions 1.5.3 through 1.5.10. The vulnerability allows arbitrary file upload and remote code execution.
bacb9cda0dca5ce55e62347a30c31a677409efc130e924388acca709285381ad
PHP suffers from a user session hijacking vulnerability due to the way sessions are handled on the filesystem.
24a591c0d3dcd52cc5ebd27e0fa5e2ca669141ab9ce9ec505ab5e11991b150d3
This Metasploit module exploits a vulnerability found in the WordPress theme OptimizePress. The vulnerability is due to an insecure file upload in the media-upload.php component, allowing an attacker to upload arbitrary PHP code. This module has been tested successfully on OptimizePress 1.45.
d4d53ddb27b4ac9c88bb0c384c50166d149035d70c7d9ddd2d46c5aea886c1cb
This is a simple PHP backdoor using HTTP headers to inject the code as opposed to a GET or POST variable. Uses the fictional "Code: " header as an example, for learning purposes. This is not production code.
397d3f851a08bef7d13138eedf2b87ab8e732b35f14514f58a2162c103188aab
This Metasploit module exploits a PHP code injection vulnerability in the WordPress plugin W3 Total Cache, versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment; if the POSTID option isn't specified, the module will automatically bruteforce one. If anonymous comments aren't allowed, a valid username and password must be provided. In addition, the "A comment is held for moderation" option in WordPress must be unchecked for successful exploitation. This module has been tested against WordPress 3.5 and W3 Total Cache 0.9.2.3 on an Ubuntu 10.04 system.
e5ac9a6fad8c4d6319f7a5b50dd28589a34b1e7d2753c81dd9c0c17b9fb0bb79
php_rshell is a Ruby script which converts a binary backdoor to hex and creates a Windows PHP reverse backdoor that will be executed on the server.
0fecd8cff34a4c706edcda435ad534f566cb1869bf12bb112959c918e6d7771c
This Metasploit module exploits a PHP code execution vulnerability in php-Charts version 1.0 which could be abused to allow users to execute arbitrary PHP code under the context of the webserver user. The 'url.php' script calls eval() with user controlled data from any HTTP GET parameter name.
86b5c1161bf85a443f8e4b8508791a0ee94d2cdae006c712017aee8069f71402
Whitepaper called PHP Fuzzing In Action. It goes over 15 ways to fuzz PHP source code.
bb090192417591cba5b2f0df6d9d73d90eb45f0d389fde9e0870dfd689d7d9d2
This Metasploit module exploits a stack-based buffer overflow in the CGI version of PHP 5.4.x before 5.4.3. The vulnerability is due to insecure handling of HTTP headers. This module has been tested against the thread-safe version of PHP 5.4.2 from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".
9911ce27bffaa90bdbd0d7a764559440c9b73d2a107c14d2ddcf46c3708a6749