A collection of weird URLs that I think are used to exploit security vulnerabilities on web apps
  • /manager/html (Apache Tomcat)
  • http://123.249.24.233/POST_ip_port.php
  • /tmUnblock.cgi
  • /HNAP1/
  • /phpMyAdmin/scripts/setup.php (PHPMyAdmin)
  • /pma/scripts/setup.php
  • /myadmin/scripts/setup.php
  • /MyAdmin/scripts/setup.php
  • /vyvy/vyv/vy.php
  • /cgi-sys/php5
  • /cgi-bin/test-cgi
  • /cgi-bin/printenv
  • /cgi-bin/test.cgi
  • /cgi-bin/test.pl
  • /cgi-bin/test.sh
  • /cgi-bin/teste.pl
  • /cgi-bin/teste.cgi
  • /cgi-bin/teste.sh
  • /cgi-bin/print-env
  • /cgi-bin/print.pl
  • /cgi-bin/print.cgi
  • /cgi-bin/printenv.sh
  • /dpdp/dpd/dp.php
  • /upup/upu/up.php
  • /admin/fckeditor/editor/filemanager/browser/default/connectors/test.html
  • /web-console/ServerInfo.jsp
  • /vtigercrm/
  • /operator/basic.shtml (AXIS 206 Network Camera)
  • /secure/ltx_conf.htm (M30X / M306 Wireless Ethernet Monitor)
  • /syslog.htm (Linux?)

anhducbkhn commented Feb 26, 2015

http://123.249.24.233/POST_ip_port.php what is it? And why does it appear in my Apache access.log?

rained23 commented Mar 11, 2015

g33klord commented May 13, 2015

in mine too:

script '/var/www/html/POST_ip_port.php' not found or unable to stat, referer: http://123.249.24.233/POST_ip_port.phpAccept: /

Owner Author

renancouto commented May 13, 2015

Hi guys, I really don't know about this http://123.249.24.233/POST_ip_port.php URL, but judging from its file name, it should not be a secure thing; also, it doesn't have anything to do with my application.

neoadventist commented May 27, 2015

So what do we do about this? I'm getting the same thing.

guru-beach commented May 29, 2015

Depending on your web server, you can just shunt the traffic. For Apache HTTPD I used mod_rewrite and added the following:

   RewriteEngine On
   RewriteCond %{REQUEST_URI} "POST.*"
   RewriteRule ^(.*)$ - [F,L]

For our particular site this is acceptable because none of the URLs we process have the word POST in them.

And the results are the 403 Forbidden you'd expect:

222.186.129.5 - - [29/May/2015:05:47:54 +0000] "POST http://123.249.24.233/POST_ip_port.php HTTP/1.1" 403 303
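
Added example, not part of the gist or of any comment in this thread: a small access-log scanner that flags requests for paths on the gist's list and requests whose target is a full URL, like the `POST http://...` entry quoted above. The function names, the subset of paths chosen and all sample log lines except the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Subset of the probe paths listed in the gist; extend with the rest as needed.
PROBE_PATHS = (
    "/manager/html", "/tmUnblock.cgi", "/HNAP1/", "/POST_ip_port.php",
    "/phpMyAdmin/scripts/setup.php", "/pma/scripts/setup.php",
    "/cgi-bin/test-cgi", "/cgi-bin/printenv", "/web-console/ServerInfo.jsp",
)
# Apache common/combined log prefix: ip ident user [time] "METHOD target proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, reasons, target) for a suspicious log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target, reasons = m.group("target"), []
    path = target
    # Absolute-form target ("POST http://host/path"): the client treats this
    # server as a forward proxy. Assumption: real visitors send origin-form paths.
    if re.match(r"https?://", target, re.I):
        reasons.append("absolute-url")
        path = "/" + target.split("://", 1)[1].partition("/")[2]
    path = path.split("?", 1)[0].lower()
    if any(path.startswith(p.lower()) for p in PROBE_PATHS):
        reasons.append("probe-path")
    return (m.group("ip"), reasons, target) if reasons else None

def scan(lines):
    """Group suspicious requests by client IP."""
    hits = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            hits[hit[0]].append((hit[1], hit[2]))
    return dict(hits)

# First line is the log entry quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    '222.186.129.5 - - [29/May/2015:05:47:54 +0000] "POST http://123.249.24.233/POST_ip_port.php HTTP/1.1" 403 303',
    '192.0.2.10 - - [29/May/2015:05:48:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.77 - - [29/May/2015:05:48:09 +0000] "GET /phpmyadmin/scripts/setup.php?x=1 HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG).items():
        print(ip, found)
```

Matching on the parsed path rather than on the substring `POST` avoids rejecting legitimate URLs that happen to contain that word.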

theLufenk commented Jul 7, 2015

Bloody Chinese Spammers!!1
I made my server live for the first time, and within 5 minutes these requests started flowing in.
