http/vulnerabilities/php/php-xdebug-rce.yaml

id: php-xdebug-rce

info:
  name: Xdebug remote code execution via xdebug.remote_connect_back
  author: pwnhxl
  severity: high
  description: |
    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
    - https://paper.seebug.org/397/
    - https://github.com/D3Ext/XDEBUG-Exploit
  metadata:
    max-request: 1
  tags: oast,rce,vulhub,php,debug,xdebug,intrusive

http:
  - raw:
      - |
        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: {{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f04a01e1dd706067d32dd90ac376c5a6da4a966528517c77f8b142422ab831ca022100c6f77edf523f24759579ed5460000bd68cb33b13a30cd8d891bc7d42149af23a:922c64590222798bb761d5b6d8e72950
-												add php-xdebug-rce

											
										
										
											2023-03-13 20:40:41 +08:00
+								id: php-xdebug-rce
 								info:
-												fix-template
											
										
										
											2023-03-17 02:31:48 +05:30
+								  name: Xdebug remote code execution via xdebug.remote_connect_back
-												add php-xdebug-rce

											
										
										
											2023-03-13 20:40:41 +08:00
+								  author: pwnhxl
 								  severity: high
-												fix-template
											
										
										
											2023-03-17 02:31:48 +05:30
+								  description: |
 								    The XDebug extension <= v2.6.0 for PHP is designed to expand the debugging capabilities of developers, including the ability to perform remote debugging. A misconfigured server, with ‘xdebug.remote_connect_back’ enabled, exposed to the internet could allow an unauthenticated remote attacker to trigger a debugging session using any IP via a simple web request. With a remote debugging session established, the attacker effectively has remote code execution (RCE) capabilities with which to establish persistence, exfiltrate data, or launch further attacks against the system or network.
-												add php-xdebug-rce

											
										
										
											2023-03-13 20:40:41 +08:00
+								  reference:
 								    - https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce
 								    - https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
 								    - https://paper.seebug.org/397/
-												fix-template
											
										
										
											2023-03-17 02:31:48 +05:30
+								    - https://github.com/D3Ext/XDEBUG-Exploit
-												Added max request counter of each template

											
										
										
											2023-04-28 13:41:21 +05:30
+								  metadata:
 								    max-request: 1
-												templateman update

											
										
										
											2023-10-14 16:57:55 +05:30
+								  tags: oast,rce,vulhub,php,debug,xdebug,intrusive
-												add php-xdebug-rce

											
										
										
											2023-03-13 20:40:41 +08:00
-												Refactoring the directory structure based on protocols (#7137)

* moving http templates

* updated cves.json

* moved network CVEs

* updated scripts

* updated workflows

* updated requests to http

* replaced network to tcp

---------

Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
											
										
										
											2023-04-27 09:58:59 +05:30
+								http:
-												add php-xdebug-rce

											
										
										
											2023-03-13 20:40:41 +08:00
+								  - raw:
 								      - |
 								        GET /?XDEBUG_SESSION_START={{randstr}} HTTP/1.1
 								        Host: {{Hostname}}
 								        X-Forwarded-For: {{interactsh-url}}
 								    matchers-condition: and
 								    matchers:
 								      - type: word
 								        part: interactsh_protocol
 								        words:
 								          - "dns"
 								      - type: word
 								        part: header
 								        words:
 								          - 'Set-Cookie: XDEBUG_SESSION={{randstr}}'
 								      - type: status
 								        status:
 								          - 200
-												chore: sign templates 🤖

											
										
										
											2024-12-01 13:57:55 +00:00
+								# digest: 4b0a00483046022100f04a01e1dd706067d32dd90ac376c5a6da4a966528517c77f8b142422ab831ca022100c6f77edf523f24759579ed5460000bd68cb33b13a30cd8d891bc7d42149af23a:922c64590222798bb761d5b6d8e72950