What is this hacker trying to do with this Java code?

Tags: java, url

In my server log of my web server, I've noticed a hacker trying this:

https://[domain name]/index.action?action:${%23a%3d(new%20java.lang.processbuilder(new%20java.lang.string[]{'sh','-c','id'})).start(),%23b%3d%23a.getinputstream(),%23c%3dnew%20java.io.inputstreamreader(%23b),%23d%3dnew%20java.io.bufferedreader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.httpservletresponse%27),%23matt.getwriter().println(%23e),%23matt.getwriter().flush(),%23matt.getwriter().close()}

Which URL decodes to this:

https://[domain name]/index.action?action:${#a=(new java.lang.processbuilder(new java.lang.string[]{'sh','-c','id'})).start(),#b=#a.getinputstream(),#c=new java.io.inputstreamreader(#b),#d=new java.io.bufferedreader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'),#matt.getwriter().println(#e),#matt.getwriter().flush(),#matt.getwriter().close()}

My server doesn't use Java but I'm trying to understand what this hacker is trying to do here and why this could be a vulnerability. After all, I'm not just a developer but also need to know about how to protect a server, including servers not set up by me.

The code seems to start a new process and then tries to read data from the input stream. I'm assuming this is the input stream of the current web session.

As this attack is also tried over /login.action and various other URLs and with different Java code, I am considering it to be potentially dangerous. But I can't explain why this is dangerous.

The specific domain is under attack right now as the hacker tries to see if it's running WordPress or Magento or other known systems and also tries several different attacks.

But what matters is this: the domain is currently under development and the owner still has to decide which development tools will be used. The choices are between Java and ASP.NET, so is this attack dangerous if he chooses to pick Java?

Wim ten Brink asked Dec 30 '22 14:12


1 Answer

It's trying to exploit an RCE vulnerability in Struts 2, I think this one. A bad one: Freemarker would execute any code inside ${} tags.

The Freemarker code starts a process to execute id to see if the server is running as root, giving full access to the box. Even a vulnerable Struts version might not be too bad here, since the attacker might not be interested unless you were root.

The attacker's program has a lot of these old vulnerabilities that would work on very unsafe servers, but even simple admin protocol will protect against these amateur attacks. You would only be vulnerable when running as root, using an old version of some software, opening up your db server to the internet with a weak or default password, etc.

Regardless of the technology you choose, there will be security issues and you need to follow the CVEs. For example, a modern Java framework like Spring has a few, but remote code execution is quite rare, and that's what those attack programs look for.

Kayaman answered Jan 02 '23 05:01
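One way to spot this kind of request in your own access log, as an added example that is not part of the question or the answer: it percent-decodes each request target and matches the indicators visible in the decoded URL quoted above (the `${` expression delimiter, the `action:` parameter prefix, `ProcessBuilder`, the XWork `#context` lookup, the response writer). The log lines are constructed; the first carries a shortened copy of the request from the question, the other two are ordinary traffic.

```python
import re
from urllib.parse import unquote

# Indicators taken from the decoded request quoted in the question; they are
# matched case-insensitively against the percent-decoded request target.
INDICATORS = {
    "ognl_expression": r"\$\{|%\{",            # ${...} or %{...} expression delimiters
    "action_prefix":   r"[?&]action:",         # Struts 'action:' parameter prefix
    "process_spawn":   r"java\.lang\.processbuilder|java\.lang\.runtime",
    "xwork_context":   r"#context\b|com\.opensymphony\.xwork2",
    "response_write":  r"httpservletresponse|getwriter\(\)",
}

# Constructed Apache combined-style log lines (documentation IP ranges). The
# first carries a shortened copy of the request target from the question.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2022:14:12:01 +0000] "GET /index.action?action:${%23a%3d(new%20java.lang.processbuilder(new%20java.lang.string[]{%27sh%27,%27-c%27,%27id%27})).start(),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.httpservletresponse%27)} HTTP/1.1" 404 196',
    '198.51.100.7 - - [30/Dec/2022:14:12:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196',
    '192.0.2.9 - - [30/Dec/2022:14:12:03 +0000] "GET /products?action=list&page=2 HTTP/1.1" 200 5120',
]

# group 1: client IP; group 2: request target inside the quoted request line
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+)')


def decode_request(raw):
    """Percent-decode up to three times (double encoding is common), then lowercase."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower()


def classify_request(target):
    """Return the names of all indicators present in one request target."""
    decoded = decode_request(target)
    return [name for name, pat in INDICATORS.items() if re.search(pat, decoded)]


def scan_log(lines):
    """Return (client_ip, request_target, indicators) for every suspicious line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            hits = classify_request(m.group(2))
            if hits:
                findings.append((m.group(1), m.group(2), hits))
    return findings
```

A single hit on `ognl_expression` or `action_prefix` is already worth an alert on a host that does not run Struts; several together, as in the first line, are a reliable sign of an automated scanner.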