This project demonstrates how an insecure use of the User-Agent HTTP header can lead to Remote Command Execution (RCE) if not properly sanitised. It includes:
- A vulnerable PHP server that logs headers unsafely using `system()`
- A secure version with input sanitisation
- A Python-based exploit tool that simulates an attack
- Defensive guidelines and mitigation recommendations
GitHub: BackdoorAli
When a web server logs the User-Agent header directly into a system shell command, it becomes vulnerable to injection if the attacker includes malicious shell syntax in the header.
Example malicious header:
User-Agent: zerodium; id
In an insecure environment, this results in execution of the id command on the server.
- `vulnerable_index.php` — Insecure PHP script (for demo only)
- `secure_index.php` — Hardened PHP script using `escapeshellarg()`
- `exploit.py` — CLI tool to send injection payloads via the User-Agent header
Start the vulnerable server:

```
cd vulnerable_server
php -S 127.0.0.1:8000
```

Run the exploit tool against it:

```
python3 exploit.py http://127.0.0.1:8000/ "id"
[+] Response Body:
uid=501(alita) gid=20(staff) groups=...
```

Start the secure server instead:

```
cd secure_server
php -S 127.0.0.1:8000
```

Re-running the same exploit will now produce no harmful effects.
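To make the difference between the two servers concrete, the following is an added example (not the project's own `vulnerable_index.php` or `secure_index.php`) that places the unsafe logging pattern next to two hardened forms; the function names and the `ua.log` path are illustrative assumptions.

```php
<?php
// Added example, not part of the original project. Function names and
// the log file path are assumptions chosen for illustration.

// VULNERABLE: the raw header is concatenated into a shell command line.
// A header such as "zerodium; id" ends the echo command early, so the
// shell then runs "id" as a second command.
function log_user_agent_vulnerable(string $ua, string $logfile): void
{
    system("echo " . $ua . " >> " . $logfile);
}

// HARDENED (1): escapeshellarg() wraps the value in single quotes and
// escapes any embedded single quotes, so /bin/sh sees the whole header
// as one literal argument and metacharacters such as ';' lose meaning.
function log_user_agent_escaped(string $ua, string $logfile): void
{
    system("echo " . escapeshellarg($ua) . " >> " . escapeshellarg($logfile));
}

// HARDENED (2): do not involve a shell at all. Nothing the client sends
// is ever parsed as command syntax, which removes the whole bug class.
function log_user_agent_noshell(string $ua, string $logfile): void
{
    // Also neutralise CR/LF so a client cannot forge extra log lines.
    $line = str_replace(["\r", "\n"], ' ', $ua);
    file_put_contents($logfile, $line . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Request handling: prefer the shell-free variant.
$ua = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
log_user_agent_noshell($ua, __DIR__ . '/ua.log');
echo "logged\n";
```

Under `php -S`, the same `zerodium; id` header that triggers command execution in the first function is simply written to the log as text by either hardened variant.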
This project is for educational and awareness purposes only. Do NOT deploy the vulnerable server in a production environment or expose it to the internet. Always sanitise user input and NEVER inject user data directly into system commands without the proper authorisation!