Vendor Phpunit | Phpunit Src Util Php Eval-stdin.php Exploit
Detection: an exploitation attempt shows up in the web server access log as a POST request to eval-stdin.php, for example:
192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234
Look for encoded or plaintext PHP functions such as system, exec, passthru, shell_exec, file_put_contents, base64_decode, or eval.
Introduction: A Developer's Convenience Turned Attacker's Backdoor
In the world of web application security, few mistakes are as dangerous as leaving development tools exposed on a production server. Among the most infamous examples is a small, seemingly innocuous file: eval-stdin.php, part of the PHPUnit testing framework.
Mitigation: deny web access to the vendor directory, for example with this Apache directive:
<Directory "vendor">
    Require all denied
</Directory>
In a healthy software development lifecycle (SDLC), PHPUnit lives exclusively on a developer's local machine or within a CI/CD pipeline (like Jenkins, GitLab CI, or GitHub Actions). It should never be deployed to a public-facing web server.
The Culprit: eval-stdin.php
Within the PHPUnit source code, specifically in versions before 4.8.28 and 5.x before 5.6.3, there exists a utility file designed to facilitate a specific type of test called a "Runnable test." The file path is:
vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
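A deployment audit that checks both conditions the text names, as an added example that is not part of the original page and not PHPUnit's or Composer's own tooling: it reads the installed phpunit/phpunit version out of composer.lock, tests it against the affected ranges (before 4.8.28, and 5.x before 5.6.3), and walks a web root for any copy of eval-stdin.php under a vendor tree. The composer.lock body, the throwaway web root and the placeholder file contents are constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Path the text gives for the offending file, relative to the Composer project root.
EVAL_STDIN_REL = "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def parse_version(version):
    """Turn '4.8.27' or 'v5.6.2' into a comparable tuple such as (4, 8, 27)."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def phpunit_is_vulnerable(version):
    """True for the PHPUnit versions the text names as affected:
    anything before 4.8.28, and 5.x before 5.6.3."""
    v = parse_version(version)
    if v < (4, 8, 28):
        return True
    return (5, 0, 0) <= v < (5, 6, 3)


def phpunit_version_from_lock(lock_text):
    """Read the installed phpunit/phpunit version out of a composer.lock body.
    Checks "packages" and "packages-dev"; returns None if PHPUnit is absent."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                return pkg.get("version")
    return None


def find_exposed_eval_stdin(docroot):
    """Return every eval-stdin.php sitting under a PHPUnit vendor tree below docroot."""
    return sorted(Path(docroot).glob("**/" + EVAL_STDIN_REL))


def audit(docroot, lock_text):
    """Combine both checks into one report: installed version, whether that version
    is in the affected range, and which copies of the file sit inside the web root."""
    version = phpunit_version_from_lock(lock_text)
    return {
        "phpunit_version": version,
        "version_vulnerable": bool(version) and phpunit_is_vulnerable(version),
        "exposed_files": [str(p.relative_to(docroot))
                          for p in find_exposed_eval_stdin(docroot)],
    }


def demo_audit():
    """Run the audit against a constructed, throwaway web root that mimics a
    production deploy made with dev dependencies still installed."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / EVAL_STDIN_REL
        target.parent.mkdir(parents=True)
        # Placeholder content only; this is not PHPUnit's real file.
        target.write_text("<?php // placeholder standing in for eval-stdin.php\n")
        # Constructed composer.lock fragment pinning an affected release.
        lock = json.dumps({"packages": [], "packages-dev": [
            {"name": "phpunit/phpunit", "version": "4.8.27"}]})
        return audit(tmp, lock)


if __name__ == "__main__":
    print(demo_audit())
```

Run it with the real document root and composer.lock of a deployment; a non-empty exposed_files list means dev dependencies reached the web root regardless of version, and the fix is to deploy without them (or deny the directory at the server) rather than only to upgrade.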
The script reads anything sent to STDIN (standard input) and passes it directly to eval() . In a CLI (command-line interface) environment, this is safe because only authorized users have shell access. However, when this file is placed in a web-accessible directory, an attacker can use the php://input wrapper or a POST request body to supply the STDIN data. The exploit is trivial to execute. An attacker sends a POST request to the location of eval-stdin.php with a payload in the body.
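The log-based detection the text describes, written out as an added example that is not part of the original page: it parses combined-format access log lines, flags any request whose percent-decoded path ends in eval-stdin.php (a 200 on a POST is rated highest, since that is the shape of a successful attempt), and separately classifies captured request bodies by looking for the listed function names in plaintext or inside a base64 blob that decodes to one. The log lines other than the one quoted above, the request bodies and the 16-character base64 threshold are constructed assumptions for the demo.

```python
import base64
import re
from urllib.parse import unquote

# Function names the text lists as worth looking for in request bodies.
DANGEROUS_FUNCS = ("system", "exec", "passthru", "shell_exec",
                   "file_put_contents", "base64_decode", "eval")
FUNC_RE = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)
# Runs of base64 alphabet long enough to hide a PHP snippet (threshold is a guess).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Combined log format, as used by the sample line quoted in the text.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample log: the first line is the one quoted in the text; the others
# add a benign request, a case variation, and a percent-encoded filename.
SAMPLE_LOG = [
    '192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234',
    '192.168.1.101 - - [12/May/2025:10:24:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.168.1.102 - - [12/May/2025:10:25:10 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/Eval-Stdin.php HTTP/1.1" 404 210',
    '192.168.1.103 - - [12/May/2025:10:26:33 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 403 199',
]

# Constructed sample bodies: benign, a listed function in plaintext, and a body
# whose only hint is a base64 blob that decodes to such a call.
ENCODED_SAMPLE = base64.b64encode(b"<?php exec('true');").decode()
SAMPLE_BODIES = {
    "benign": "<?php echo 'hello world';",
    "plaintext": "<?php passthru('whoami');",
    "encoded": "data=" + ENCODED_SAMPLE,
}


def is_eval_stdin_path(path):
    """True if the requested path, after percent-decoding and dropping any query
    string, targets eval-stdin.php in any directory and any letter case."""
    return unquote(path).split("?")[0].lower().endswith("/eval-stdin.php")


def parse_log_line(line):
    """Return the log fields as a dict, or None for lines that are not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Flag every request for eval-stdin.php; a 200 response to a POST is the
    shape of a successful attempt and is rated high, anything else medium."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_eval_stdin_path(rec["path"]):
            successful_post = rec["method"] == "POST" and rec["status"] == "200"
            rec["severity"] = "high" if successful_post else "medium"
            hits.append(rec)
    return hits


def body_is_suspicious(body):
    """True if a captured request body names a listed function, either in
    plaintext or inside a base64 blob that decodes to one."""
    if FUNC_RE.search(body):
        return True
    for blob in B64_RE.findall(body):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if FUNC_RE.search(decoded):
            return True
    return False


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["severity"], hit["ip"], hit["method"], hit["path"], hit["status"])
    for name, body in SAMPLE_BODIES.items():
        print(name, body_is_suspicious(body))
```

The path check deliberately ignores the directory prefix: the file is only ever legitimately reachable at the vendor path, so any request for that filename, at any path, in any case, with or without encoding, is worth a look. Bodies are not in the access log, so body_is_suspicious is meant for WAF, reverse-proxy or packet-capture records that retain them.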