PHP Utility Belt Remote Code Execution Vulnerability: Verification and Analysis
PHP Utility Belt is a set of tools for PHP programmers. It can be used to test regular expressions and observe how preg_match and preg_match_all match; to observe the result of preg_replace; to generate a random password that contains two words, two numbers, one uppercase letter and one symbol; to serialize and deserialize data; to test date formats with mktime and strtotime or a numeric timestamp; and to run arbitrary PHP code outside the home page.
Because it can execute arbitrary PHP code, it must only be used in a test environment and must never run in a production environment.
The identifier of this vulnerability is EDB-ID: 39554.
Set up the experiment environment. The IP address of the target is 192.168.248.129, and the IP address of the attacker is 192.168.248.128.
Running status after setting up PHP Utility Belt.
Metasploit provides an exploit module for this vulnerability at the path
exploit/multi/http/php_utility_belt_rce
Run this attack script on the attacker.
Then set the payload.
Next, set the corresponding options.
Finally, execute the exploit command to start the attack.
A Meterpreter shell is displayed, indicating that the attack succeeded.
Capture data packets for the entire process as follows:
The parameter passed by POST is code, and all of the attack code is carried in this variable. Next, let's look at the file ajax.php, where the vulnerability is located. The problem lies in the code segment from lines 10 to 15.
The program first checks whether the code parameter is set. If it is, the parameter is passed directly to the eval function for execution. The eval function executes the content of its argument as PHP code, and the code above does not filter the content supplied by the user. In other words, whatever value the attacker places in code is executed unconditionally, as long as it is syntactically valid PHP. This is a typical eval injection.
The above code is convenient for programmers in a testing environment, but it is very dangerous in a production environment.
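The following is an added example, not the project's own ajax.php: a reconstruction of the vulnerable pattern described above, beside one defensive design that refuses to execute anything unless the deployment is explicitly marked as a local development instance. The environment variable name PHP_UTILITY_BELT_DEV and the function names are assumptions for illustration, not upstream identifiers.

```php
<?php
// Reconstructed from the description above (not the upstream source):
// the handler only checks that "code" is set and hands it to eval().
function vulnerable_handler(array $post): void
{
    if (isset($post['code'])) {
        eval($post['code']);   // user input executed as PHP, no checks at all
    }
}

// Hardened variant (an assumed defensive design, not the upstream fix).
// The tool exists to run arbitrary PHP for a developer, so the input cannot
// be "sanitised" into safety; the only sound control is to refuse execution
// unless the instance is explicitly a local development deployment.
function hardened_handler(array $post, array $server): void
{
    // Gate 1: explicit opt-in via an environment variable (assumed name);
    // it is simply absent in production, so the eval path never runs there.
    $devOnly = getenv('PHP_UTILITY_BELT_DEV') === '1';

    // Gate 2: loopback clients only, so the page is never reachable remotely.
    // Note: this does not stop a cross-site request forged through the
    // developer's own browser; a per-session token would be needed for that.
    $remote = $server['REMOTE_ADDR'] ?? 'unknown';
    $isLoopback = in_array($remote, ['127.0.0.1', '::1'], true);

    if (!$devOnly || !$isLoopback) {
        http_response_code(403);
        error_log(sprintf('Refused code execution request from %s', $remote));
        return;
    }
    if (!isset($post['code']) || !is_string($post['code'])) {
        return;
    }
    // Record every execution so a reviewer can audit the test instance.
    error_log(sprintf('Executing developer-supplied PHP snippet (%d bytes)',
                      strlen($post['code'])));
    eval($post['code']);
}
```

In a production build the simplest and safest fix is to remove the eval-backed page entirely rather than gate it.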