The vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php exploit is a textbook case of a development artifact becoming a production nightmare. A single eval() on unsanitized input, exposed to the web, leads to complete server takeover.
The file contained logic essentially similar to this:
<?php
// Simplified representation of vulnerable code.
// php://input is the raw body of the incoming HTTP request, so whatever
// the client sends is handed straight to eval().
eval(' ?>' . file_get_contents('php://input'));
Here is what each part does:
When the request hits the server: