PHP Utility Belt 远程代码执行漏洞的验证与分析-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP Utility Belt 远程代码执行漏洞的验证与分析

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 20, 2016 pm 12:31 PM

PHP Utility Belt是一款为PHP程序开发人员使用的一套工具集，可以用来测试正则表达式并且观察与preg_match和preg_match_all函数的匹配，观察preg_replate函数的结果；获得包含两个单词两个数字一个大写字母和一个符号的随机密码；序列化与反序列化；测试mktime和strtotime时间戳的日期格式或者一个数字型时间戳；在主页外运行任意PHP代码。

由于它能够执行任意的PHP代码，因此只能在测试环境下使用，绝不能产品环境下运行。

此漏洞的漏洞编号为EDB-ID：39554

源代码下载地址为： https://github.com/mboynes/php-utility-belt

搭建实验环境，其中靶机的IP地址为192.168.248.129，攻击机的IP地址为192.168.248.128

下图为PHP Utility Belt搭建完之后的运行情况。

针对此漏洞metasploit已经给出了一个漏洞利用代码，路径为

exploit/multi/http/php_utility_belt_rce

在攻击机上运行此攻击脚本

随后设置payload

接下来设置相应的选项

最后执行exploit命令，开始攻击

可见得到了meterpreter的shell，说明攻击是成功的。

对整个过程抓数据包，如下

其中POST传递的参数为名为code，所有的攻击代码都在这个变量中，接下来看一下漏洞所在的文件ajax.php，问题出在第10行至第15行这部分代码段

可见程序先判断code参数是否设置，如果已经被设置的话，直接放到了eval函数中执行，eval函数的作用是把输入参数的内容作为php代码执行，而在上述代码中并没有对用户所传入的内容进行过滤，也就是说攻击者在code中给出的值只要符合php代码的语法规范就会被无条件执行，这是一个典型的eval注入。

上述代码如果在测试环境下，可以方便程序员的工作，但是放在产品环境下就很危险。

* navyofficer 投递，转载请注明来自FreeBuf黑客与极客（FreeBuf.COM）

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PM

Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-

cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AM

The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.

Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PM

Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>

12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PM

Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom

Discover File Downloads in Laravel with Storage::downloadMar 06, 2025 am 02:22 AM

The Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:

Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PM

Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo

PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PM

PHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot

How to Register and Use Laravel Service ProvidersMar 07, 2025 am 01:18 AM

Laravel's service container and service providers are fundamental to its architecture. This article explores service containers, details service provider creation, registration, and demonstrates practical usage with examples. We'll begin with an ove

See all articles