First, the location of the flaw
The backdoor is hidden in the php_xmlrpc.dll PHP module that ships with the program. The affected versions are phpstudy2016 (php5.2 / 5.4) and phpstudy2018 (php5.2 / 5.4).
Here we use the phpstudy2018 version to verify the location and effect of the backdoor.
Second, the steps
Step1: Switch phpStudy to PHP version 5.2 or 5.4, then find \PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll under the phpStudy root directory. Open the file in Notepad and search for eval.
Step2: Use BurpSuite to intercept the request and modify it. In the header Accept-Encoding: gzip, deflate, the space after the comma must be deleted. Then add an Accept-Charset header, which normally specifies the character set the server uses to process received form data. Encode the malicious code "system('net user')" with Base64 and put the result after the header name as its value.
Step3: Submit the request and look at the response.
The command carried in Accept-Charset is executed on the target machine, and the results are returned.
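The header pattern from Step 2 can be used as a detection check on captured or logged requests. The following Python is an added example, not part of the original write-up; the function names, the placeholder host lab.example and the "looks like PHP" regular expression are assumptions made for illustration.

```python
import base64
import re

# Heuristic for "looks like PHP code": an identifier followed by "(".
PHP_CALL = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*\(")

def parse_headers(raw_request):
    """Map lower-cased header names to values from a raw HTTP request."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_charset_payload(value):
    """Return the decoded text if value is Base64 that looks like PHP, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() and PHP_CALL.search(text) else None

def inspect_request(raw_request):
    """Classify a request against the header pattern from Step 2."""
    h = parse_headers(raw_request)
    payload = decode_charset_payload(h.get("accept-charset", ""))
    # The trigger value has no space after the comma.
    trigger = h.get("accept-encoding", "").lower() == "gzip,deflate"
    if payload and trigger:
        return ("alert", payload)
    if payload:
        return ("suspicious", payload)
    return ("ok", None)

def build_request(accept_encoding, accept_charset):
    """Constructed sample request; host and path are placeholders."""
    return ("GET /index.php HTTP/1.1\r\nHost: lab.example\r\n"
            f"Accept-Encoding: {accept_encoding}\r\n"
            f"Accept-Charset: {accept_charset}\r\n\r\n")

# Constructed sample value: the string quoted in Step 2, Base64-encoded.
ENCODED = base64.b64encode(b"system('net user')").decode()

if __name__ == "__main__":
    print(inspect_request(build_request("gzip,deflate", ENCODED)))
    print(inspect_request(build_request("gzip, deflate", "utf-8")))
```

Ordinary Accept-Charset values such as utf-8 contain characters outside the Base64 alphabet or decode to non-text bytes, so they are classified as "ok".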
Third, the repair method
- Replace the php_xmlrpc file for php5.2 and php5.3 with the clean official release.
- Use the "phpstudy self-security hotfix" to repair phpstudy.