Key Information

- Vulnerability Name: xdebug < 2.5.5 - OS Command Execution (Metasploit)
- EDB-ID: 46581
- CVE: N/A
- Author: Metasploit
- Type: Remote
- Platform: PHP
- Date: 2018-05-07
- Affected Application: xdebug

Vulnerability Description

This module exploits a vulnerability in the eval command present in xdebug versions 2.5.5 and earlier. This allows an attacker to execute arbitrary PHP code under the context of the web user.

Technical Details

- Disclosure Date: September 17, 2017
- Authors: Ricter Zheng, Bhicovory, Shashank Joshiwal, @KintoaTW, @Auris Hudson
- References:
  - https://websec.ca/blog/2015/11/13/open-exploiting-xdebug-enabled-servers/
  - https://www.sensepost.com/blog/2017/x/
- Default Target: 0 Auto
- Default Options:
  - : php/meterpreter/reverse_tcp
  - : true
  - : Automatic

Check and Exploit

- Check: Send a request to the target path and check if the response header contains
- Exploit: Construct and send payload to execute system commands