PHPUnit eval-stdin.php Remote Code Execution
CVE-2017-9841 is an unauthenticated remote code execution vulnerability in PHPUnit caused by the presence of the development utility script Util/PHP/eval-stdin.php in affected versions before 4.8.28 and 5.x before 5.6.3. The vulnerable script reads attacker-controlled data from php://input and evaluates it as PHP code via eval, enabling arbitrary code execution when the file is reachable over HTTP. Exploitation is typically performed by sending an HTTP POST request whose body begins with a PHP opening tag such as "<?php ", targeting exposed paths such as /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. In practice, the issue is most often exploitable when development dependencies or vendor directories are mistakenly deployed to production and are web-accessible.
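A defender-side check built on the two facts given above (the affected version ranges, and the eval-stdin.php path that POST requests hit). This is an added example, not code from the page or from PHPUnit: it classifies a phpunit/phpunit version string as affected or not, and scans web access log lines for requests to any eval-stdin.php path, flagging successful POSTs. The combined log format is an assumption about the server, and the log lines are constructed.

```python
import re

# Fixed releases as stated above: <4.8.28 and 5.x <5.6.3 are affected.
FIXED_IN = {4: (4, 8, 28), 5: (5, 6, 3)}

def is_affected(version: str) -> bool:
    """True if a phpunit/phpunit version string (e.g. from composer.lock) is in an affected range."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))              # pad "5.6" -> (5, 6, 0)
    major = nums[0]
    if major < 4:
        return True                            # older than the 4.8.28 fix line
    if major in FIXED_IN:
        return tuple(nums) < FIXED_IN[major]
    return False                               # outside the ranges given for this CVE

# Assumption: Apache/nginx combined log format. Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 169 "-" "python-requests/2.31"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Match any path ending in /Util/PHP/eval-stdin.php, whatever vendor prefix was guessed.
TARGET_RE = re.compile(r"/util/php/eval-stdin\.php$", re.IGNORECASE)

def scan_access_log(lines):
    """Return one finding per request to an eval-stdin.php path; 2xx POSTs are the serious ones."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not TARGET_RE.search(m["path"].split("?", 1)[0]):
            continue
        status = int(m["status"])
        hit = m["method"] == "POST" and 200 <= status < 300
        findings.append({
            "ip": m["ip"], "path": m["path"], "status": status,
            "verdict": "likely code execution" if hit else "probe",
        })
    return findings

if __name__ == "__main__":
    for v in ("4.8.27", "4.8.28", "5.6.2", "5.6.3"):
        print(v, "affected" if is_affected(v) else "ok")
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

A 404 on the path still shows someone probing for the file; a 2xx on a POST means the script was reachable and should be treated as an assume-compromise event for that host.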
Exploits
9 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains a Python-based scanner and exploit for CVE-2017-9841, a remote code execution vulnerability in PHPUnit's eval-stdin.php file. The main script, CVE-2017-9841.py, is a multi-threaded tool that takes a list of target URLs/domains and attempts to access several common paths where the vulnerable eval-stdin.php file may be exposed. For each accessible path, it sends a PHP payload (<?php echo md5('phpunit_rce'); ?>) and checks the response for the expected MD5 hash, confirming code execution. Vulnerable sites are logged to a timestamped file, and errors are similarly logged. The tool is designed for efficient mass scanning and validation, with configurable threading and robust output. The repository also includes a README.md with usage instructions and a requirements.txt listing Python dependencies. The exploit is a proof-of-concept scanner that demonstrates the vulnerability and identifies targets for potential further exploitation.
This repository contains a Go-based exploit for CVE-2017-9841, a remote code execution vulnerability in PHPUnit (versions <4.8.28 and 5.x <5.6.3). The exploit targets web servers with publicly accessible PHPUnit installations, specifically the eval-stdin.php file, which allows arbitrary PHP code execution via HTTP POST requests. The main file, CVE-2017-9841.go, first checks for vulnerability by sending a PHP payload that echoes an MD5 hash, confirming code execution if the hash is returned. If vulnerable, it provides an interactive shell interface, allowing the attacker to execute arbitrary system commands on the target server. The exploit scans for several common paths where eval-stdin.php may be located, covering various PHP frameworks (Laravel, Yii, Zend, etc.). The repository also includes a README.md with background, impact, affected versions, and remediation advice. The exploit is operational, providing a working shell but requiring manual command input.
This repository is a proof-of-concept exploit for CVE-2017-9841, a remote code execution vulnerability in PHPUnit. The exploit is implemented as a Python Flask web application (app.py) that provides a web interface (templates/index.html) for users to test remote servers for the vulnerability. The user supplies a target domain, and the application sends a POST request to the target's /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php endpoint with a PHP payload that executes the 'id' command. If the target is vulnerable, the output of the command is displayed in the web interface. The README provides setup instructions, including running a local vulnerable Docker container for testing. The repository contains three files: a README, the main Flask application, and an HTML template for the web interface. The exploit demonstrates remote code execution but does not provide a weaponized or customizable payload beyond the 'id' command.
This repository provides an operational exploit and scanner for the Remote Code Execution (RCE) vulnerability in PHPUnit's eval-stdin.php (affecting versions before 4.8.28 and 5.x before 5.6.3). The main file, exploit.py, implements both mass scanning (from a list of URLs) and an interactive shell for single-target exploitation. The exploit works by sending a specially crafted PHP payload via HTTP POST to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php endpoint, which executes arbitrary system commands on the server and returns their output. The tool uses multi-threading for efficient scanning and provides colorized output and export features. The requirements.txt lists necessary Python dependencies. The README.md gives detailed usage instructions and describes the vulnerability. The exploit is not part of a framework and is a standalone operational tool for both detection and exploitation of the vulnerability.
This repository is a mass-scanner and exploit tool targeting CVE-2017-9841, a remote code execution vulnerability in the phpunit component commonly found in Laravel installations. The tool is written in Python and is structured with a main entry point (main.py) that accepts input as a file of hostnames, a range of IP addresses, or a single hostname. It uses multi-threading to scan multiple targets in parallel. The core exploit logic is in modules/executor.py and modules/request_module.py, where it constructs requests to the known vulnerable endpoint (/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php) and sends a PHP payload (<?php system('id');?>) to test for code execution. If the response contains evidence of command execution (such as 'uid='), the target is logged as vulnerable. The repository also includes a dorks.txt file with search queries to help find potentially vulnerable targets. The tool is operational and automates both scanning and exploitation, providing clear output logs for vulnerable and error cases.
This repository contains a Python3 script ('phpunit-shell') that exploits CVE-2017-9841, a remote code execution vulnerability in PHPUnit (versions before 4.8.28 and 5.x before 5.6.3). The exploit works by sending a POST request to the exposed 'eval-stdin.php' file on the target server, injecting a PHP payload that executes arbitrary system commands provided by the attacker. The script provides an interactive shell-like interface, allowing the user to enter commands that are executed on the remote server. The README.md provides detailed usage instructions, prerequisites, and notes on accessibility features. The main fingerprintable endpoint is the path to 'eval-stdin.php', which must be accessible on the target for exploitation. The exploit is operational, providing a basic but functional command execution capability, and is intended as a gateway to further exploitation such as privilege escalation or obtaining a full shell.
This repository contains a Python-based exploit and checker for CVE-2017-9841, a remote code execution vulnerability in PHPUnit. The main file, 'phpunit.py', is heavily obfuscated but is designed to scan for and exploit vulnerable PHPUnit installations accessible over the network. The exploit works by sending crafted requests to web servers hosting the vulnerable PHPUnit test script, allowing the attacker to execute arbitrary PHP code remotely. The repository includes a requirements.txt for dependencies (requests, colorama, pycryptodome) and a README.md with usage instructions and an overview. No hardcoded endpoints or IP addresses are present in the code; targets are likely specified by the user at runtime. The exploit is operational and can be used to both check for and exploit the vulnerability.
This repository contains a single Python script (cve-2017-9841.py) that exploits CVE-2017-9841, a remote code execution vulnerability in PHPUnit 5.6.2. The script targets a specific URL (http://store.djewelry.htb:80) and attempts to access the eval-stdin.php file within the PHPUnit vendor directory. It provides an interactive shell-like interface, allowing the user to input arbitrary system commands, which are then sent to the vulnerable PHP file for execution. The output of the command is displayed to the user. The exploit is unauthenticated and leverages a PHP payload to execute commands. The repository is straightforward, containing only the exploit script, and is operational for attacking vulnerable PHPUnit installations where the eval-stdin.php file is exposed.
Recent activity
62 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated remote code execution vulnerability in PHPUnit caused by the exposed eval-stdin.php testing utility, which executes attacker-supplied PHP code via HTTP POST when development dependencies are left accessible in production.
A vulnerability additionally targeted by the botnet (no further details provided in the content).
A remote code execution vulnerability in PHPUnit referenced in the context of adding a detection template.