Shulou(Shulou.com)06/01 Report--

PhpStudy was recently exposed to a backdoor loophole. In the previous partial version of phpStudy2016,phpStudy2018, the EXE package was suspected to have been implanted into the back door of a Trojan horse by intruders, resulting in many websites and servers being attacked and tampered with. At present, our SINE security company immediately set up a phpStudy security emergency response team to carry out comprehensive vulnerability repair and security protection for the installation of the PHP one-click environment on some client servers. The first time to ensure the security of the customer's website, as well as the safe and stable operation of the server. About the details of the vulnerability, let's take a look at the security analysis, as well as recurrence, vulnerability repair, three aspects to start.

Most of the domestic servers, especially the windows system, have installed phpstudy one-click environment building software, which can automatically set and install apache,php,mysql database, as well as zend installation, and automatically set root account password, one-click operation, which is deeply loved by the vast number of website operators and server maintainers. It is precisely because there are so many users that attackers target and insert the back door of the Trojan into the exe package.

The backdoor file is the backdoor file in which the php_xmlrpc.dll module in the PHP environment is implanted into the backdoor of the Trojan horse. The specific name can be determined to be the phpstudy2016.11.03 version and the phpstudy2018.02.11 version after the security test of our SINE security technology. The backdoor file is as follows:

Phpphp-5.2.17extphp_xmlrpc.dll

Phpphp-5.4.45extphp_xmlrpc.dll

PHPTutorialphpphp-5.2.17extphp_xmlrpc.dll

PHPTutorialphpphp-5.4.45extphp_xmlrpc.dll

Search the php_xmlrpc.dll file under the phpstudy folder to see if the dll file contains @ eval (% s (% s)) characters. If so, there is basically a Trojan back door. The screenshot is as follows:

Let's analyze the recurrence loophole to see whether it can be successfully exploited. First, install the phpstudy2016.11.03 version of the installation package locally, decompress it to the current directory and directly click EXE to run. The default installed PHP version is the php5.4.45 version, and then open it locally and use the package grab tool to detect the current packet.

GET / safe.php HTTP/1.1

Host:

Cache-Control: max-age=1

Upgrade-Insecure-Requests: 2

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Accept:

Accept-Language: zh-CN,zh;q=0.6

Accept-Encoding:gzip

Accept-Charset:=cGhwaW5mbyUyOCUyOSUzQg== (this is encrypted by POC code)

Cookie: Hm_lpvt_49143271fe785debb3b77f77f7c71752=1569485559

Connection: close

The execution location of the vulnerability is in the Accept-Charset of the packet, where the phpinfo encrypted by malicious code is written, and then submitted, the phpinfo statement will be executed.

With regard to the repair method of phpstudy vulnerability, download the latest version from the official website of phpstudy, replace php_xmlrpc.dll with the old version, do security filtering and validation on the parameter transmission of PHP Accept-Charset to prevent the submission of malicious parameters, and prohibit the transmission of code, you can repair this loophole. (it has been confirmed that the back door of this phpstudy official announcement is a security problem caused by hackers invading the official website and tampering with the program package. Strongly despise the behavior of hackers! If you don't know much about the code, you can also find a professional website security company to deal with it. Domestic SINESAFE, Qiming Star and Green Alliance are all quite good. At present, the impact of this vulnerability is wide. Please fix the loophole and patch it as soon as possible to prevent the website from being attacked and tampered with.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.