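title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: experimental
description: Detects OGNL / Java expression strings, in plain and URL-encoded form, in web server access logs, as used in exploitation of the Confluence OGNL injection vulnerabilities CVE-2021-26084 and CVE-2022-26134
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
author: frack113
date: 2022/06/04
# Bumped: the keyword list and the reference list were changed after the previously recorded 2022/06/14.
modified: 2022/07/11
tags:
    - cve.2022.26134
    - cve.2021.26084
logsource:
    category: webserver
detection:
    # Substring matches against the whole access-log line. Each URL-encoded form is paired with its
    # decoded equivalent because web servers differ in whether they log the raw or the decoded URI.
    # NOTE(review): double URL-encoded (e.g. %2524%257B) or mixed-encoding variants are not covered.
    keywords:
        - '%24%7B%28%23a%3D%40'   # URL-encoded '${(#a=@' - OGNL expression assigning a variable from a static call
        - '${(#a=@'
        - '%24%7B%40java'         # URL-encoded '${@java' - OGNL static access to a java.* class, e.g. @java.lang.Runtime@getRuntime()
        - '${@java'
        - 'u0022java'             # Unicode-escaped double quote (\u0022) followed by a class name, as in the public CVE-2021-26084 payloads
        - '%2F%24%7B%23'          # URL-encoded '/${#' - OGNL expression placed directly in the URI path (CVE-2022-26134)
        - '/${#'
        - 'new+java.'             # form-encoded 'new java.' - instantiation of a Java class inside the expression
    condition: keywords
falsepositives:
    - Web applications that legitimately carry '${...}' template or expression strings in request URIs; tune per environment
    - Vulnerability scanners and penetration tests replaying the public proof-of-concept requests
level: high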