JacekN, posted July 19, 2020:

When someone sends this to your index.php, what are they trying to do?

/index.php?s=/module/action/param1/${@die(sha1(xyzt))}

requinix, posted July 19, 2020:

They're checking your website for vulnerabilities they can exploit. Make sure yours doesn't, then you can more or less ignore it.

JacekN (author), posted July 19, 2020:

But what kind of vulnerability? I run my own PHP script, so I'm not concerned about exposure. I just want to know what they're after. Is this a WordPress exploit or something like that?

requinix, posted July 19, 2020:

Could be, sure. WP does have more than its fair share of problems. Wouldn't be surprised.

maxxd, posted July 19, 2020:

's' is often used as the variable name for search terms. If the developer doesn't escape properly, and they used double quotes in their code, I think this particular bit would parse and stop script execution with the output that is the sha1 encrypted string of 'xyzt', which one would assume the sender knows. This would then mean that your search endpoint doesn't escape properly and is capable of evaluating PHP code, which means it could potentially output credentials, secrets, or simply damaging information.

And yes, WordPress uses 's' as the search variable name by default, as do other CMS systems and frameworks, but as requinix pointed out, WordPress has more than its fair share of issues and potential vulnerabilities.

JacekN (author), posted July 19, 2020:

Thanks, Max. What about this one?

uri=/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt

kicken, posted July 19, 2020:

https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/

JacekN (author), posted July 19, 2020:

Thanks, Kicken. Nothing better than a framework that opens up holes.

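A defender-side check for the two request patterns quoted in this thread, added here as an example and not posted by any participant: it normalizes a logged URI, labels the probe, and computes the SHA-1 digest a vulnerable server would echo back, so response bodies can be searched for it. The sample lines beyond the two quoted requests, the rule names and the function names are constructed for illustration, and the marker is assumed to be hashed as a literal string, as maxxd's post describes.

```python
import hashlib
import re
from urllib.parse import unquote

# Constructed sample request URIs. The first two are the ones quoted in the
# thread; the third is a percent-encoded variant; the fourth is a benign search.
SAMPLE_REQUESTS = [
    "/index.php?s=/module/action/param1/${@die(sha1(xyzt))}",
    r"/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt",
    "/index.php?s=%2FIndex%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=sha1&vars%5B1%5D%5B%5D=xyzt",
    "/index.php?s=holiday+photos",
]

RULES = {
    # PHP "${...}" syntax wrapping a function call inside a parameter value
    "php-interpolation-probe": re.compile(r"\$\{\s*@?\s*[a-z_][a-z0-9_]*\s*\(", re.I),
    # Route that reaches \think\app/invokefunction (ThinkPHP)
    "thinkphp-invokefunction-probe": re.compile(r"\\think\\app/invokefunction", re.I),
}
# The harmless marker the prober asks the server to hash
MARKER = re.compile(r"sha1\((\w+)\)|vars\[0\]=sha1&vars\[1\]\[\]=(\w+)", re.I)


def normalize(uri):
    """Undo \\xNN log escaping and percent-encoding before matching."""
    uri = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uri)
    return unquote(uri)


def classify(uri):
    """Return (rule names hit, digest the prober expects in the response)."""
    text = normalize(uri)
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    match = MARKER.search(text)
    digest = None
    if hits and match:
        marker = match.group(1) or match.group(2)
        digest = hashlib.sha1(marker.encode()).hexdigest()
    return hits, digest


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        hits, digest = classify(line)
        print(hits or ["clean"], digest, line[:60])
```

If a returned digest ever appears in a response body your server sent for one of these requests, the request was evaluated rather than ignored.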