* Jeremy Nicoll - ml openSUSE <jn.ml.ops.785@wingsandbeaks.org.uk> [07-23-20 04:26]:
On 2020-07-21 20:45, David C. Rankin wrote:
Look for attempts with:
/index.php?s=/module/action/param1/${@die(sha1(xyzt))}
/index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
(Oops, just noticed I accidentally replied to David Rankin directly; I meant to reply to the list.)
Presumably both of these are being used on the assumption that some well-known / frequently-used code, often in sites' index.php files (maybe for something that lots of people use, like blogging or BB software), will directly use the contents of var "s", or parse something out of it and use that, without checking what it is before use?
/index.php/module/action/param1/${@die(sha1(xyzt))}
What would a malformed URL like that do?
It is probably checking for the existence of a particular string of code which it can exploit and, when not finding it, doesn't bother anymore.

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
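To turn the two probe strings quoted in the thread into something you can actually run over an access log, here is an added example; it is not code from any of the posters. It parses Apache combined-format lines, percent-decodes the request target, flags both patterns, pulls out the literal the probe asks the server to sha1(), and computes the digest a scanner would then look for in the response body to confirm that its code really ran (that is why the probes call sha1 on a fixed string rather than doing anything visibly harmful). The log lines, the IP addresses and the category labels are constructed for the example.

```python
import hashlib
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not from the original thread).
# Lines 1 and 2 are the two probes quoted in the thread; line 3 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jul/2020:20:41:02 +0000] "GET /index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jul/2020:20:41:03 +0000] "GET /index.php?s=/module/action/param1/${@die(sha1(xyzt))} HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Jul/2020:20:42:10 +0000] "GET /index.php?s=/about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The literal the probe hands to sha1(): either sha1(<token>) inline in the path,
# or vars[1][]=<token> passed through call_user_func_array.
TOKEN_RE = re.compile(r'sha1\((\w+)\)|vars\[1\]\[\]=(\w+)')


def classify_probe(target):
    """Return a label for a known probe pattern, or None for ordinary requests.
    Labels are hypothetical names chosen for this example."""
    decoded = unquote(target)  # %5C -> backslash etc., so encoded variants match too
    if "invokefunction" in decoded and "call_user_func_array" in decoded:
        return "thinkphp-invokefunction"
    if "${@" in decoded:  # PHP expression smuggled into a path segment
        return "inline-php-expression"
    return None


def probe_token(target):
    """Extract the string the probe wants the server to hash, if any."""
    m = TOKEN_RE.search(unquote(target))
    if not m:
        return None
    return m.group(1) or m.group(2)


def rce_marker(token):
    """The hex digest a scanner expects to see echoed back if its code executed."""
    return hashlib.sha1(token.encode()).hexdigest()


def response_confirms_rce(body, token):
    """True if a response body contains the marker, i.e. the probe succeeded."""
    return rce_marker(token) in body


def find_probes(log_text):
    """Scan log text and return one record per matching probe line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        kind = classify_probe(m["target"])
        if kind is None:
            continue
        token = probe_token(m["target"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "kind": kind,
            "status": int(m["status"]),
            "token": token,
            "marker": rce_marker(token) if token else None,
        })
    return hits


if __name__ == "__main__":
    for h in find_probes(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["kind"]} status={h["status"]} '
              f'token={h["token"]} expect-in-response={h["marker"]}')
```

A 404 with either of these targets just means the probe found nothing to exploit, which is the case Patrick describes; a 200 whose body contains the computed marker would mean the code ran and is the line worth escalating.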