The requirement is this: extract, from the nginx log, the value of the field named "shell" in the GET or POST data.
The nginx log format configuration:
'$proxy_add_x_forwarded_for - $remote_user [$time_local] "$request" '
'$status $request_body "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time $upstream_response_time';
The actual nginx log content looks roughly like this:
61.164.xxx.xxx, 10.16.xx.x - - [13/Aug/2014:00:00:02 +0800] "GET /xxx/xxx?stepid=32&tid=U%2Bo3c0S&&output=json&language=zh_CN&session=114047349&dip=10920&diu=00343B30-9EB8-4B43-A978-FF838587E989&diu3=e9c3afaa4134d678&dia=8E72-1B19E16C0B8E&shell=504c450000000000000000000000004100&compress=false&channel=&adcode=310000&pagenum=1&pagesize=10&sign=C3833277A0DE5C071A799AB5E8AE41E2 HTTP/1.1" 200 4382 "-" "xxx-iphone" "61.164.xxx.xxx" 0.204
or
218.202.xxx.xxx, 123.103.xxx.xxx, 10.16.xxx.xxx - - [2014-08-19 22:17:08.446671] "POST /xxx/xxx-web/xxx HTTP/1.1" 200 stepid=15&tid=U753HifVPE0DAOn%2F&output=json&language=zh_CN&session=114099628&dip=10920&diu=DBDBF926-3210-4D64-972A7&xxx=056a849c70ae57560440ebe&diu2=2DFDB167-1505-4372-AAB5-99D28868DCB5&shell=e3209006950686f6e65352c3205004150504c450000000000000000000000000000&compress=false&channel=&sign=438BD4D701A960CD4B7C1DE36AA8A877&wua=0&appkey=0&adcode=150700&t=0 "-" "xxx-iphone" "218.202.xxx.xxx, 123.103.xxx.xxx" 0.001 20.001
grep -P 'shell' access.log | sed 's/\(.*\)&shell=\(.*\)&\(.*\)/\2/g' | awk -F '&' '{print $1}' > output.txt
Explanation of the command:
grep -P 'shell' access.log
# find the lines in the log file that contain the keyword "shell"
sed 's/\(.*\)&shell=\(.*\)&\(.*\)/\2/g'
# sed uses a regular expression to split each log line into three groups: everything before "&shell=" is group 1, the text between "&shell=" and the & that follows the shell value is group 2, and the remaining string is group 3; \2 stands for group 2, and the whole string is replaced with group 2. However, sed's regular expressions are greedy, so group 3 is actually the string after the last &.
awk -F '&' '{print $1}'
# split the string on & and output the first field
Shell has a great many commands and is very flexible, so there are many other ways to solve this. This is not the optimal method, nor is it rigorous; if it is to serve as an important script, it needs further refinement. Known issue: if the "shell" keyword is not unique in the log, the extracted result will be wrong.
# Note: sed's regular expressions are greedy
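A stricter variant of the extraction, added here as an example and not part of the original answer: it only treats "shell" as a parameter name (not the bare word anywhere in the line), does not rely on greedy matching, and prints every value found in either the GET query string or the logged POST body. The log lines it runs on are constructed, with placeholder hosts and values.

```shell
#!/bin/sh
# Added example (not the original answer's code): extract every value of the
# "shell" parameter from nginx access-log lines, whether it sits in the GET
# query string or in the logged POST $request_body.
# Compared with grep 'shell' | sed ... | awk ... from the answer:
#   - "shell" must be a parameter name (start of line, '?', '&' or a space
#     before it and '=' after it), so the word elsewhere in a line is ignored;
#   - the value is matched as [^&"[:space:]]*, so nothing depends on a greedy
#     .* followed by an awk split;
#   - every occurrence on a line is printed, one value per line.

# Constructed sample lines in the page's log format (placeholder hosts/values).
SAMPLE_LOG=$(cat <<'EOF'
61.164.0.1, 10.16.0.1 - - [13/Aug/2014:00:00:02 +0800] "GET /xxx/xxx?stepid=32&shell=504c450000&compress=false&sign=C3833277 HTTP/1.1" 200 4382 "-" "xxx-iphone" "61.164.0.1" 0.204
218.202.0.1, 10.16.0.2 - - [2014-08-19 22:17:08] "POST /xxx/xxx-web/xxx HTTP/1.1" 200 stepid=15&shell=e3209006950686&compress=false&sign=438BD4D7 "-" "xxx-iphone" "218.202.0.1" 0.001 20.001
10.0.0.5 - - [13/Aug/2014:00:00:03 +0800] "GET /shell/manual?page=1 HTTP/1.1" 200 12 "-" "curl" "-" 0.010
10.0.0.6 - - [13/Aug/2014:00:00:04 +0800] "GET /x?myshell=zzz&tid=1 HTTP/1.1" 200 1 "-" "ua" "-" 0.100
10.0.0.7 - - [13/Aug/2014:00:00:05 +0800] "POST /x HTTP/1.1" 200 shell=abcd&tid=1 "-" "ua" "-" 0.050
EOF
)

# Reads log lines on stdin and prints one shell= value per match
# (prints nothing when no line carries the parameter).
extract_shell_values() {
  grep -oE '(^|[?& ])shell=[^&"[:space:]]*' | sed 's/^[?& ]*shell=//'
}

# Lines 1, 2 and 5 of the sample yield a value; lines 3 and 4 do not.
printf '%s\n' "$SAMPLE_LOG" | extract_shell_values
```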