Menu
<?php // vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php while (($input = file_get_contents('php://input')) !== '') eval('?>' . $input);
curl -X POST https://target.com/eval-stdin.php -d "<?php echo 5*5; ?>" If the response contains 25 , it is 100% vulnerable. The vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit is a masterclass in how a developer convenience tool becomes a production nightmare.
While the vulnerability was patched in 2017, automated scanners still routinely flag this file. For every penetration tester, system administrator, or developer, encountering a URL like https://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php sends a jolt of adrenaline.
Your vendor folder should never, ever be directly accessible by a web request. And your production server should never, ever see a --dev dependency.
In the ecosystem of web application security, few vulnerabilities have caused as widespread, silent, and persistent damage as the PHPUnit eval-stdin Remote Code Execution (RCE) vulnerability (tracked as CVE-2017-9841 ).
curl -s -X POST http://target.com/path/to/eval-stdin.php -d "<?php echo 'test'; ?>" | grep test Check your access logs for suspicious patterns. Look for POST requests to any path containing phpunit/src/Util/PHP/eval-stdin.php or eval-stdin.php . File System Scan (Server Side) Run this on your web servers:
PHPUnit is a fantastic piece of software—for testing . But its presence on a public-facing server represents a catastrophic failure of deployment hygiene. The code inside eval-stdin.php is arguably the most dangerous 79 characters in modern PHP history, because it gives an attacker exactly what they want: a direct pipeline from HTTP to eval() .
uid=33(www-data) gid=33(www-data) groups=33(www-data) The server has just executed the id command. The attacker now has Remote Code Execution (RCE). A single command is useful, but persistence is key. An attacker would deliver a second-stage payload to write a permanent webshell:
