Index of /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: an exposed PHPUnit install and CVE-2017-9841

A quick check for hosts you are authorized to test (the probe asks the server to print md5('test'), which is 098f6bcd4621d373cade4e832627b4f6; if that hash comes back, the server executed your PHP):

for url in $(cat targets.txt); do curl -s -m 10 -X POST -d "<?php echo md5('test'); ?>" "$url/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" | grep -q "098f6bcd4621d373cade4e832627b4f6" && echo "$url is vulnerable"; done

When left accessible on production servers, this file allows remote attackers to execute arbitrary PHP code without authentication.

Anatomy of the Vulnerability

If a web server's /vendor directory is exposed to the public internet, an attacker can send a POST request containing PHP code (starting with

Delete eval-stdin.php from the server, and remove the PHPUnit package with it: a test framework has no business in a production deployment, and the single file is only the most obvious of its scripts.

Prevent future exposure by configuring your web server to disable directory listings. On Apache, with AllowOverride Options permitted for the document root, append the directive to the site's .htaccess:

echo "Options -Indexes" >> /var/www/html/.htaccess
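The two steps above (delete the file, disable listings) as one idempotent script. This is an added example, not code from the original article or from the PHPUnit project. It assumes an Apache document root with AllowOverride Options and FileInfo enabled, so that both Options -Indexes and RedirectMatch take effect from .htaccess; the function names and the RedirectMatch 403 rule for /vendor/ are this example's own choices.

```shell
#!/bin/sh
# Added example: strip PHPUnit's eval-stdin.php from a webroot and block
# web access to /vendor/ via .htaccess. Assumes Apache with AllowOverride
# Options and FileInfo on the document root (assumption, not from the article).

# Delete every copy of eval-stdin.php below the given webroot and print how
# many were removed. Scanners try many prefixes (/laravel/vendor/, /api/vendor/,
# ...), so the search is not limited to the top-level vendor directory.
remove_eval_stdin() {
    find "$1" -type f \
        -path '*/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php' \
        -print -exec rm -f {} \; | wc -l | tr -d ' '
}

# Append the hardening directives to .htaccess, each only once, so the
# function can be re-run safely from a deploy hook.
harden_htaccess() {
    ht="$1/.htaccess"
    touch "$ht"
    grep -qx 'Options -Indexes' "$ht" || echo 'Options -Indexes' >> "$ht"
    # Deny the whole vendor tree, not just PHPUnit: nothing under it is
    # meant to be requested directly by a browser.
    grep -qF 'RedirectMatch 403 ^/vendor/' "$ht" \
        || echo 'RedirectMatch 403 ^/vendor/' >> "$ht"
}

# Convenience wrapper: remove the file, lock down .htaccess, report.
# The real fix is to reinstall without dev packages (composer install --no-dev)
# or to upgrade PHPUnit to 4.8.28 / 5.6.3 or later; that step needs Composer
# and the project's composer.json, so it is left to the operator.
harden_webroot() {
    removed=$(remove_eval_stdin "$1")
    harden_htaccess "$1"
    echo "removed $removed copies of eval-stdin.php under $1; .htaccess hardened"
}

# Usage: . ./harden.sh; harden_webroot /var/www/html
```

If the framework serves a public/ subdirectory (Laravel, Symfony), point the functions at the project root for the file removal and at public/ for the .htaccess; in that layout /vendor/ is normally outside the document root already, and a listing of it means the virtual host is misconfigured rather than merely missing Options -Indexes.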

PHPUnit is a unit testing framework for the PHP programming language. It is an instance of the xUnit architecture for unit testing frameworks. PHPUnit was written by Sebastian Bergmann and is now maintained by the PHPUnit Development Team.

Because CVE-2017-9841 is heavily automated by botnets, an exposed file has a high probability of having been targeted. Run these security checks immediately:

Detect Exposed Directory -> Remove PHPUnit from Production -> Update Dependencies / Run Composer -> Restrict Public Folder Access

1. Remove Test Frameworks from Production

To keep PHPUnit useful in development without ever shipping eval-stdin.php to a public web server, follow these practices:

If the response body contains the marker your probe was told to print (the md5 hash from the curl check above, or a literal string such as Test), the file is present and the server executed your code. In that case, assume the server is already compromised: automated scanners have almost certainly sent the same request before you did.

The file eval-stdin.php is a ticking time bomb when left accessible on a public web server. Its presence signals a critical remote code execution vulnerability (CVE-2017-9841) that can lead to full server compromise. If you found this article because you saw the telltale "Index of /vendor/..." directory listing on your own site, act immediately:

The core issue lies in a single line of raw PHP code inside that file:

eval('?>' . file_get_contents('php://input'));

The Flaw Explained

file_get_contents('php://input') returns the raw body of the HTTP request, and the leading '?>' closes PHP mode, so the body is treated exactly like a PHP source file: anything between <?php and ?> in it is executed with the web server's privileges. The script was written to be fed by PHPUnit's process-isolation runner over standard input, never over HTTP; the fixed releases (PHPUnit 4.8.28 and 5.6.3) read php://stdin instead, which a remote client cannot write to. Even a fixed copy, though, should not be reachable from the internet.

Even without directory listing, the path is the same in every Composer install, so scanners simply request it blindly under a handful of common prefixes; an exposed vendor/autoload.php or composer.json only confirms what they were going to try anyway.

If an attacker can access .../vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, they can send a crafted POST request to that URL. The server will execute the payload in the request body, leading to remote code execution.

Consequences of an Attack

Review your access logs for repeated requests to paths under /vendor/, and to eval-stdin.php in particular. Bursts of 404s from a single client are the signature of a scanner probing prefixes; a 200 on a POST to eval-stdin.php means the server executed whatever was in the body, and the host should be treated as compromised from that moment on.
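The log review described above, as an added example (not code from the original article): a few awk filters over an access log in the Apache/nginx "combined" format. The sample log lines are constructed for the demo, the IPs are documentation ranges, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage an access log for CVE-2017-9841 probing.
# Assumes the "combined" log format, where $1 is the client IP, $6 the quoted
# method, $7 the request path and $9 the status code (assumption about the
# server's log configuration, not from the article).

# Print "ip method status path" for every request to eval-stdin.php, whatever
# prefix it was tried under (/vendor/, /laravel/vendor/, /api/vendor/, ...).
phpunit_probes() {
    awk 'tolower($7) ~ /eval-stdin\.php/ {
            m = $6; sub(/^"/, "", m)
            print $1, m, $9, $7
         }' "$1"
}

# Clients that got a 200 back on a POST: the server ran their payload.
successful_probes() {
    phpunit_probes "$1" | awk '$2 == "POST" && $3 == "200" { print $1 }' | sort -u
}

# Probe volume per client, busiest first, for blocking and for the IR timeline.
probe_counts() {
    phpunit_probes "$1" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Clients that were served a directory listing of /vendor/ (status 200 on the
# bare directory), i.e. the "Index of /vendor/" page the article opens with.
vendor_listing_served() {
    awk '$7 ~ /\/vendor\/$/ && $9 == "200" { print $1 }' "$1" | sort -u
}

# Constructed sample log for the demo; written to the path given as $1.
sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.14 - - [12/Mar/2024:10:04:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:05:11 +0000] "GET /vendor/ HTTP/1.1" 200 900 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:05:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "python-requests/2.31"
EOF
}

# Usage against a real log:
#   successful_probes /var/log/apache2/access.log
#   probe_counts /var/log/apache2/access.log | head
```

The 404 entries are still worth keeping: they date the first scan against the host, which bounds how long a later-deployed vulnerable copy could have been exploitable. Treat every IP printed by successful_probes as a confirmed execution, not a suspicion, and start the incident response clock at that line's timestamp.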