Create php-8.1.0-dev-backdoor.bcheck #227

Merged Sep 5, 2024 (1 commit)

@r3nt0n r3nt0n commented Sep 3, 2024

BCheck Contributions

This Bcheck attempts to detect servers running PHP 8.1.0-dev, which was released with a backdoor allowing Code Injection.

  • BCheck compiles and executes as expected
  • BCheck contains appropriate metadata (name, version, author, description and appropriate tags)
  • Only .bcheck files have been added or modified
  • BCheck is in the appropriate folder
  • PR contains single or limited number of BChecks (Multiple PRs are preferred)
  • BCheck attempts to minimize false positives

@PortSwiggerWiener PortSwiggerWiener left a comment

Many thanks for your submission.

It looks good. Only suggestion would be to check for the fingerprint (1787589) in the base response to eliminate potential false positives.

r3nt0n commented Sep 5, 2024

Thanks for the feedback!

The expected output used as a fingerprint includes the "int()" around the number; I thought that the chances of finding that specific string were low enough.

Ideally, we would use a loop until we find some calculation result which doesn't appear in the base response, and then send the request with the associated payload, but I'm not sure if this could be accomplished with the current Bcheck possibilities.

Maybe increasing the length of the expected output (like 13333337*13333337) could reduce the false positive rate to something acceptable?
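
The fingerprint-selection loop described in the comment above, sketched in Python as an added example; it is not part of the PR, the submitted BCheck, or the BCheck language. The function names and the sample response bodies are hypothetical and constructed for illustration; only the `int(N)` output form and the `13333337*13333337` operands come from the thread.

```python
import secrets
from typing import Iterator, Optional, Tuple

def random_operands(bits: int = 24) -> Iterator[Tuple[int, int]]:
    """Endless stream of operand pairs; top bit set so products stay long."""
    top = 1 << (bits - 1)
    while True:
        yield secrets.randbits(bits) | top, secrets.randbits(bits) | top

def pick_fingerprint(base_body: str,
                     operands: Optional[Iterator[Tuple[int, int]]] = None,
                     max_tries: int = 16) -> Optional[Tuple[str, str]]:
    """Return (expression, expected) such that expected is absent from base_body.

    expression is the 'a*b' text a check would ask the server to evaluate;
    expected is the 'int(N)' form the thread says the result is printed in.
    Returns None when every candidate already occurs in the base response.
    """
    pairs = operands if operands is not None else random_operands()
    for _, (a, b) in zip(range(max_tries), pairs):
        expected = f"int({a * b})"
        if expected not in base_body:
            return f"{a}*{b}", expected
    return None

def confirm(base_body: str, probe_body: str, expected: str) -> bool:
    """Report a finding only if the fingerprint is new in the probe response."""
    return expected not in base_body and expected in probe_body

if __name__ == "__main__":
    # Constructed base response that happens to contain a short fingerprint.
    base = f"<pre>debug dump: int({1337 * 1337})</pre>"
    candidates = iter([(1337, 1337), (13333337, 13333337)])
    expr, expected = pick_fingerprint(base, candidates)
    print("rejected 1337*1337 (present in base); using", expr, "->", expected)
    # Constructed probe responses: one echoing the result, one unchanged.
    print("echoing server  :", confirm(base, base + expected, expected))
    print("unchanged server:", confirm(base, base, expected))
```

The first candidate is rejected because its result already appears in the base response, which is the false-positive case the review comment raises.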

@PortSwiggerWiener

No, that's a fair point. I'll approve it now.

Thanks again for the submission.

@Hannah-PortSwigger Hannah-PortSwigger left a comment

Looks good! 👍

@Hannah-PortSwigger Hannah-PortSwigger merged commit ea7c0f4 into PortSwigger:main Sep 5, 2024
2 checks passed