The article comes from the research group of community attack and defense
For a long time, the once-popular phpstudy contained a backdoor. To follow along, first prepare a copy of phpstudy that has the backdoor, and a virtual machine.
I will provide a download address for a backdoored phpstudy.
First of all, how do we check whether our version has the backdoor?
The backdoor code is in the module \ext\php_xmlrpc.dll
It is found in php-5.2.17 and php-5.4.45 of phpstudy2016 and phpstudy2018
1. phpstudy2016 paths
php\php-5.2.17\ext\php_xmlrpc.dll
php\php-5.4.45\ext\php_xmlrpc.dll
2. phpstudy2018 paths
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Take a look: as expected, it has a backdoor.
How can we use it?
To exploit the vulnerability, you only need to modify the content of the Accept-Charset header in a request to any file with a .php suffix and replace it with our command after Base64 encoding. This is very easy to exploit.
We just need to put the command we want to execute (after Base64 encoding) in place of the Base64 content in Accept-Charset. Here I am executing phpinfo();
We can change it to c3lzdGVtKCd3aG9hbWknKTs= to get the effect of executing system('whoami');
Of course, this can be used to do more, but I will not go into that now.
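From the defender's side, the trigger described above stands out in HTTP traffic, because a normal Accept-Charset value is a list of charset names and not a Base64 string that decodes to readable text. The following is an added example, not code from the original article: the function names and the request records are hypothetical, and the sample requests are constructed.

```python
import base64
import binascii


def decode_suspicious_accept_charset(value):
    """Return the decoded text if the header value is Base64 that decodes
    to printable ASCII (as in the trigger described above), else None."""
    candidate = "".join(value.split())      # tolerate stray whitespace
    if len(candidate) < 8:                  # "*", "utf8" etc. are too short
        return None
    try:
        # validate=True rejects '-', ',', ';' found in real charset lists
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):    # includes UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def scan_requests(requests):
    """Return (client, path, decoded) for every request whose Accept-Charset
    header decodes to text. Header names are matched case-insensitively."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        decoded = decode_suspicious_accept_charset(
            headers.get("accept-charset", ""))
        if decoded is not None:
            findings.append((req["client"], req["path"], decoded))
    return findings


# Constructed sample input (documentation IP range), not captured traffic.
SAMPLE_REQUESTS = [
    {"client": "192.0.2.10", "path": "/index.php",
     "headers": {"Accept-Charset": "utf-8, iso-8859-1;q=0.5"}},
    {"client": "192.0.2.66", "path": "/index.php",
     "headers": {"accept-charset": base64.b64encode(b"phpinfo();").decode()}},
    {"client": "192.0.2.11", "path": "/a.php",
     "headers": {"Accept-Charset": "*"}},
]

if __name__ == "__main__":
    for client, path, decoded in scan_requests(SAMPLE_REQUESTS):
        print(f"{client} {path} Accept-Charset decodes to: {decoded!r}")
```

A hit shows only that someone sent the trigger; whether the host is affected depends on the php_xmlrpc.dll files listed earlier being the backdoored ones.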