Vendor Phpunit Phpunit Src Util Php Eval-stdin.php Exploit Site
PHPUnit is a popular testing framework for PHP. To run tests in separate processes, PHPUnit uses a helper script located at vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.

The vulnerability (CVE-2017-9841) allowed remote code execution via eval-stdin.php in PHPUnit versions before 4.8.28 or 5.x before 5.6.3 when left in a web-accessible directory. It became a classic example of why dev dependencies should never reach production.

While PHPUnit is a standalone package, it is deeply integrated into the dependency ecosystem of several major PHP frameworks and platforms. Developers often unknowingly inherit this vulnerability through third-party packages.

If a web server is misconfigured to serve the entire project root rather than just the /public directory, the entire vendor folder becomes publicly accessible.

The Vulnerable Code

Let’s look at the actual source code of eval-stdin.php (simplified for clarity):

The script reads anything sent to STDIN (standard input) and passes it directly to eval(). In a CLI (command-line interface) environment, this is safe because only authorized users have shell access. However, when this file is placed in a web-accessible directory, an attacker can use the php://input wrapper or a POST request body to supply the STDIN data.

The exploitation process can be broken down into three distinct steps:

An attacker can exploit this by sending a POST request to the vulnerable endpoint with a payload starting with the PHP opening tag <?php.

curl -X POST https://victim.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "<?php system('id'); ?>"

Indicators of compromise

192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234
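As an added example (not code from the original page), the indicator above can be matched mechanically: this Python script parses a few constructed Common Log Format lines, normalizes the request path (query string stripped, percent-decoded, lower-cased) and flags every request for eval-stdin.php, marking a POST answered with 200 as a likely execution and anything else as a probe. The log lines, IPs and timestamps are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format): the indicator from the
# page, benign traffic, a failed probe, and a hit whose path differs only in
# case and percent-encoding.
SAMPLE_LOG = """\
192.168.1.100 - - [12/May/2025:10:23:45 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1234
10.0.0.5 - - [12/May/2025:10:24:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.7 - - [12/May/2025:10:25:10 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196
203.0.113.9 - - [12/May/2025:10:26:33 +0000] "POST /VENDOR/phpunit/phpunit/src/Util/PHP/eval-stdin%2Ephp HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Known web-accessible path of the PHPUnit helper, already in normalized form.
TARGET = "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"

def normalize_path(path: str) -> str:
    """Strip the query string, percent-decode and lower-case the request path
    so that paths differing only in case or encoding compare equal."""
    path = path.split("?", 1)[0]
    return unquote(path).lower()

def find_eval_stdin_hits(log_text: str) -> list[dict]:
    """Return one record per request that reached eval-stdin.php.
    A POST answered with 200 means the script ran: treat it as compromise.
    Any other status still shows the host is being probed for this path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Common Log Format line; skip it
        if normalize_path(m["path"]) != TARGET:
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "executed": m["method"] == "POST" and m["status"] == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_eval_stdin_hits(SAMPLE_LOG):
        level = "COMPROMISE" if hit["executed"] else "PROBE"
        print(f"{level}: {hit['ip']} {hit['method']} -> {hit['status']} at {hit['timestamp']}")
```

A hit with "executed" set should trigger incident response (the payload body is not in the access log, so the request body or PHP error logs are needed to see what ran); a non-executed hit still means the vendor directory is reachable and the document root should be corrected.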