Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2015-10141 PoC — Xdebug Remote Debugger Unauthenticated OS Command Execution

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2015/CVE-2015-10141.yaml
Associated Vulnerability
Title:Xdebug Remote Debugger Unauthenticated OS Command Execution (CVE-2015-10141)
Description:An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
Description
Xdebug <= 2.5.5 contains an unauthenticated command injection caused by accepting debugger protocol commands without authentication when remote debugging is enabled, letting remote attackers execute arbitrary PHP code and system commands, exploit requires remote debugging enabled.
File Snapshot

 id: CVE-2015-10141

info:
  name: Xdebug <= 2.5.5 - Command Injection
  author: pwnhxl
  severity: c

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →