What are they after?

[JacekN]

When someone sends this to your index.php, what are they trying to do?

 

/index.php?s=/module/action/param1/${@die(sha1(xyzt))} 

[requinix]

They're checking your website for vulnerabilities they can exploit. Make sure yours doesn't, then you can more or less ignore it.

[JacekN]

But what kind of vulnerability? I run my own php script, so I'm not concerned about exposure. I just want to know what they're after. It this a WordPress exploit or something like that?

[requinix]

Could be, sure. WP does have more than its fair share of problems. Wouldn't be surprised.

[maxxd]

's' is often used as the variable name for search terms. If the developer doesn't escape properly, and they used double quotes in their code, I think this particular bit would parse and stop script execution with the output that is the sha1 encrypted string of 'xyzt', which one would assume the sender knows. This would then mean that your search endpoint doesn't escape properly and is capable of evaluating php code, which means it could potentially output credentials, secrets, or simply damaging information. And yes, WordPress uses 's' as the search variable name by default - as do other CMS systems and frameworks, but as requinix pointed out WordPress has more than it's fair share of issues and potential vulnerabilities.

[JacekN]

Thanks, Max. 

 

What about this one? 

 

uri=/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt

[kicken]

https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/

 

[JacekN]

Thanks, Kicken. 

 

Nothing better than a framework that opens up holes.