The payload is simple PHP code placed in the body of the POST request.
PHPUnit is a widely used testing framework for PHP. In older versions, it included a utility file named eval-stdin.php designed to facilitate test execution via standard input. This file was placed in the publicly accessible web root by default in many project structures (like Laravel, Symfony, or CodeIgniter).
The exploit is trivial to execute. An attacker sends a POST request to the location of eval-stdin.php, typically vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, with a payload in the body.
When deploying to production, use the --no-dev flag with Composer: composer install --no-dev --optimize-autoloader
The script does not check whether the request is coming from a local CLI process (as intended) or from a remote HTTP client.
Using curl, an attacker can execute system commands:
The exploitation process is alarmingly simple. The vulnerable code in eval-stdin.php performs the following action:
The attacker crafts malicious PHP code. When executed, this code does something harmful, like creating a backdoor, exfiltrating data, or taking control of the server.
Never install development tools on production servers. When deploying your application via Composer, always use the --no-dev flag to exclude PHPUnit entirely: composer install --no-dev --optimize-autoloader
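As an added example (not code from the original page or from PHPUnit), two defender-side checks: one confirms a deployed file list contains no eval-stdin.php under vendor/phpunit, the other scans access-log lines for requests that reached the script. The log lines are constructed samples in combined log format; the path layout assumed is the one named above.

```python
import re
from pathlib import PurePosixPath
from typing import Iterable

# Combined log format (Apache/nginx); the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def exposed_eval_stdin(deployed_files: Iterable[str]) -> list:
    """Return web-root-relative paths that would expose PHPUnit's eval-stdin.php.

    Feed it the output of a file listing of the deployed tree; a tree built
    with `composer install --no-dev` should yield an empty list.
    """
    return [
        f for f in deployed_files
        if PurePosixPath(f).name == "eval-stdin.php"
        and "phpunit" in PurePosixPath(f).parts
    ]


def flag_eval_stdin_requests(log_lines: Iterable[str]) -> list:
    """Flag access-log entries touching eval-stdin.php.

    Any hit is suspicious (the file is CLI-only); a POST answered with 200
    most likely had its body evaluated and should start incident response.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        path = m.group("path").split("?", 1)[0]
        if not path.endswith("/eval-stdin.php"):
            continue
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "executed": m.group("method") == "POST" and m.group("status") == "200",
        })
    return hits


# Constructed sample log lines (not real traffic): a scanner probe, then a POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Oct/2023:14:07:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 17 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:14:08:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]
```

Run the log check over a real access log to see whether the probe-then-POST pattern described below appears in your own history.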
The logs told a story. An automated scanner had found the file two hours ago. Twelve minutes later, someone—probably the same actor—sent a payload: