Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


phpstudy back door reappearance

Posted by fleschner at 2020-03-22

This article comes from the community's attack and defense research group.

phpstudy, which used to be very popular, shipped with a back door for a long time. First, prepare a backdoored copy of phpstudy and a virtual machine to run it in.

I will provide a download address for a backdoored phpstudy.

First, how to detect whether our installed version carries the back door.

The backdoor code lives in the module \ext\php_xmlrpc.dll

It affects the php-5.2.17 and php-5.4.45 builds bundled with phpstudy2016 and phpstudy2018.

1. Phpstudy2016 path


2. Phpstudy2018 path

PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll

Let's take a look: as expected, it has a back door.

How can it be exploited?

To exploit the vulnerability, you only need to modify the Accept-Charset request header when requesting any file with a .php suffix and replace its value with your command, Base64-encoded. This makes it very easy to exploit.

We just need to replace the Base64 content on the Accept-Charset side with the command we want to execute (Base64-encoded). Here I am executing phpinfo();

We can change it to c3lzdGVtKCd3aG9hbWknKTs=, which has the effect of executing system('whoami')
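Because the backdoor takes its command from the Accept-Charset header, the same channel can be watched from the defender's side. The following script is an added example and not code from the original post: it assumes request headers have been captured by a reverse proxy, WAF or a custom Apache LogFormat (the default access log does not record Accept-Charset), and flags values that are Base64 blobs decoding to PHP-looking code. The sample requests and their addresses are constructed.

```python
import base64
import binascii
import re

# Header the post identifies as the backdoor's command channel.
SUSPECT_HEADER = "accept-charset"

# A legitimate Accept-Charset looks like "utf-8, iso-8859-1;q=0.5"; the
# commas, hyphens and semicolons are not Base64 characters, so a pure
# Base64 blob in this header is already unusual.
_BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Tokens that make a decoded value look like PHP code rather than a charset.
_PHP_MARKERS = re.compile(
    r"\b(system|exec|shell_exec|passthru|eval|assert|phpinfo)\s*\(|<\?php",
    re.IGNORECASE,
)


def decoded_command(value):
    """Return the decoded PHP command if the header value is a Base64 blob
    carrying PHP-looking code, otherwise None."""
    v = value.strip()
    if not _BASE64.match(v):
        return None
    padded = v + "=" * (-len(v) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if _PHP_MARKERS.search(text) else None


def scan_requests(requests):
    """Flag captured requests whose Accept-Charset carries a PHP command."""
    findings = []
    for req in requests:
        for name, value in req.get("headers", {}).items():
            if name.lower() != SUSPECT_HEADER:
                continue
            cmd = decoded_command(value)
            if cmd is not None:
                findings.append({"src": req["src"], "path": req["path"], "decoded": cmd})
    return findings


# Constructed sample capture: two backdoor-style requests, two benign ones.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/index.php",
     "headers": {"Accept-Charset": "c3lzdGVtKCd3aG9hbWknKTs="}},
    {"src": "198.51.100.9", "path": "/phpinfo.php",
     "headers": {"Accept-Charset": "cGhwaW5mbygpOw=="}},
    {"src": "192.0.2.33", "path": "/index.php",
     "headers": {"Accept-Charset": "utf-8, iso-8859-1;q=0.5"}},
    {"src": "192.0.2.34", "path": "/index.php",
     "headers": {"Accept-Charset": "gb2312"}},
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['src']} {hit['path']} -> {hit['decoded']}")
```

Any hit from an installation that still ships the affected php_xmlrpc.dll should be treated as a compromise indicator, not just a malformed header.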

Of course, this can be used for much more, but I will not go into that now.