Phpunit Phpunit Src Util Php Evalstdinphp — Index Of Vendor

An "Index of" page appears when a web server (like Apache or Nginx) is configured to show a list of files in a directory that doesn't have an index.php or index.html file.

Try to request the file without any payload. Even a GET request might reveal the script’s source code. But to confirm RCE, send a benign test:

"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404

Developers often run composer install without the --no-dev flag, which mistakenly pushes PHPUnit to production.

When performing code audits, penetration testing, or even routine debugging of legacy PHP applications, you may stumble upon a peculiar search query or directory listing.

PHPUnit is a development tool and should never be deployed to a production environment.

Turn off directory listing to prevent attackers from finding files via "Index of" pages.

Apache:

Options -Indexes

Nginx (nginx.conf):

autoindex off;

5. Block Access to the Vendor Directory

Similar dorks include:

The EvalStdin.php file contains a single class, PHPUnit_Util_EvalStdin, which provides a static method, evaluate. This method reads input from the standard input stream (STDIN) and evaluates it as PHP code.

To secure a system containing this file, immediate action is required.
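As a first triage step on your own server, the following added example (not code from the original page or from PHPUnit) scans access-log lines in the common/combined format for requests to the eval-stdin.php path and separates probes that were rejected from requests the server actually answered. The function name, the status-code grouping and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Client IP, request line and status from common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The path discussed on this page, under any prefix and in any letter case.
TARGET_RE = re.compile(
    r'/phpunit/(?:phpunit/)?src/util/php/eval-stdin\.php$', re.I
)

def scan_access_log(lines):
    """Return {'probed': {ip: n}, 'reachable': {ip: n}} for eval-stdin.php hits."""
    result = {"probed": defaultdict(int), "reachable": defaultdict(int)}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        # Drop the query string and decode %-escapes before matching.
        path = unquote(urlsplit(m["target"]).path)
        if not TARGET_RE.search(path):
            continue
        status = int(m["status"])
        # Assumption: 2xx or 5xx suggests the script exists and was served;
        # 3xx/4xx means the request was redirected or rejected.
        bucket = "reachable" if status < 300 or status >= 500 else "probed"
        result[bucket][m["ip"]] += 1
    return {name: dict(counts) for name, counts in result.items()}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:10:01:03 +0000] "POST /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:11:30:00 +0000] "POST /vendor/phpunit/phpunit/Src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [12/Mar/2024:11:31:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for bucket, hits in scan_access_log(SAMPLE).items():
        print(bucket, hits)
```

Any entry under "reachable" means the file is deployed and web-accessible on that host, which is the case that calls for removing PHPUnit from production and reviewing what those clients sent.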