Closed kfeger closed 11 years ago
Upgrade to 3.0.8 (remove the old glastopf dir) and run glastopf-runner. The injected file(s) can be located under data/files
This looks more like an issue with the regular expression not matching the url encoded request string.
I agree with you lukas.
By the way, was the request with the RFI attempt made through a web browser or with a script?
Did all the RFI test cases in your installation pass? Otherwise I think there is an error in the regexp match with URL-encoded requests.
The test has been made using a web browser. Where do I get the test cases from?
Anyway, I do as Mikael recommended and upgrade to 3.08 and see what happens.
I upgraded to 3.0.8.
No luck, same problem.
I am able to reproduce the bug on 3.0.9 also.
protocol_pattern = re.compile("=.*(http(s){0,1}|ftp(s){0,1})", re.IGNORECASE)
This pattern is not matching because the = is url encoded (%3D).
@kfeger could you please try the latest version on GitHub? I believe this bug is fixed now.
I don’t know if that helps, but I get the same effect using IE10 or Firefox 17
From: Johnny Vestergaard [mailto:notifications@github.com]
Sent: Saturday, 8 June 2013 22:47
To: glastopf/glastopf
Cc: kfeger
Subject: Re: [glastopf] RFI URL extraction not working on urlencoded request (#112)
protocol_pattern = re.compile("=.*(http(s){0,1}|ftp(s){0,1})", re.IGNORECASE)
This pattern is not matching because the = is url encoded (%3D).
Did you try the latest version from github?
An hour ago I installed 3.0.8 with "pip install glastopf --upgrade" and ran the Firefox test against it.
Shall I do it again now?
When you install with pip, you install the latest stable version of glastopf. The bugfix for this issue is in the development version; you can install the development version by using the following commands:
cd /opt
sudo git clone https://github.com/glastopf/glastopf.git
cd glastopf
sudo python setup.py install
If you do not have git installed, you can install it using apt-get install git if you are using Debian or Ubuntu.
Done.
This is what happened:
2013-06-08 23:34:31,468 (glastopf.glastopf) Initializing Glastopf 3.0.9-dev using "/opt/myglastopf" as work directory.
2013-06-08 23:34:31,470 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2013-06-08 23:34:31,519 (pyhpfeeds) connecting to hpfriends.honeycloud.net:20000
2013-06-08 23:34:31,687 (pyhpfeeds) info message name: hpfriends, rand: '\xaf\x1c\x10\xc2'
2013-06-08 23:34:31,699 (glastopf.glastopf) Glastopf started and privileges dropped.
2013-06-08 23:34:43,693 (glastopf.glastopf) 84.180.121.54 requested GET /was_schickes/vuln.php%3Dhttp://www.smuldom.de/rfi.php on www.smuldom.de:8080
2013-06-08 23:34:43,801 (glastopf.sandbox.sandbox) File successfully parsed with sandbox.
And the file is in data/files. So that did it. Thank you very much!
You are welcome - and thanks for raising this issue!
Dear All, I have trouble running my Glastopf (3.0.7) on Debian, listening on port 8080. When sending a test URL as per the documentation I get the following: (send: http://www.smuldom.de:8080/was_schickes/vuln.php=http://www.smuldom.de/rfi.php)
2013-06-07 23:10:01,946 (glastopf.glastopf) Initializing Glastopf using "/opt/myglastopf" as work directory.
2013-06-07 23:10:01,947 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2013-06-07 23:10:01,980 (glastopf.modules.reporting.auxiliary.log_hpfeeds) Connecting to feed broker.
2013-06-07 23:10:02,067 (glastopf.modules.reporting.auxiliary.log_hpfeeds) Connected to hpfeed broker.
2013-06-07 23:10:05,175 (glastopf.glastopf) Glastopf started and privileges dropped.
2013-06-07 23:10:32,543 (glastopf.glastopf) 84.183.231.170 requested GET /was_schickes/vuln.php%3Dhttp://www.smuldom.de/rfi.php on www.smuldom.de:8080
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/gevent/wsgi.py", line 114, in handle
    result = self.server.application(env, self.start_response)
  File "/usr/local/lib/python2.7/dist-packages/glastopf/wsgi_wrapper.py", line 44, in application
    remote_addr, None)
  File "/usr/local/lib/python2.7/dist-packages/glastopf/glastopf.py", line 308, in handle_request
    emulator.handle(attack_event)
  File "/usr/local/lib/python2.7/dist-packages/glastopf/modules/handlers/emulators/rfi.py", line 77, in handle
    attack_event.http_request.path)
  File "/usr/local/lib/python2.7/dist-packages/glastopf/modules/handlers/emulators/rfi.py", line 57, in download_file
    injectd_url = self.extract_url(url)
  File "/usr/local/lib/python2.7/dist-packages/glastopf/modules/handlers/emulators/rfi.py", line 40, in extract_url
    matched_protocol = protocol_pattern.search(url).group(1)
AttributeError: 'NoneType' object has no attribute 'group'
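An added example, not glastopf's code and not the fix that went into the development version: it runs the pattern quoted in the thread against the `%3D` path from the log to reproduce the `AttributeError`, then shows a hypothetical replacement that percent-decodes before matching and returns `None` when no URL is present. `url_pattern`, `extract_url_hardened` and `max_decode_rounds` are assumed names, and it uses Python 3's `urllib.parse.unquote` rather than the Python 2.7 the thread ran on.

```python
import re
from urllib.parse import unquote

# Pattern exactly as quoted in the thread.
protocol_pattern = re.compile("=.*(http(s){0,1}|ftp(s){0,1})", re.IGNORECASE)

# Constructed request paths modelled on the log lines in the thread.
RAW_PATH = "/was_schickes/vuln.php=http://www.smuldom.de/rfi.php"
ENCODED_PATH = "/was_schickes/vuln.php%3Dhttp://www.smuldom.de/rfi.php"


def extract_protocol_original(path):
    """Behaviour from the traceback: .group() on an unchecked search result."""
    return protocol_pattern.search(path).group(1)


# Hypothetical hardened pattern (an assumption, not the project's own):
# capture the whole injected URL that follows '='.
url_pattern = re.compile(r"=\s*((?:https?|ftps?)://[^\s&]+)", re.IGNORECASE)


def extract_url_hardened(path, max_decode_rounds=2):
    """Percent-decode (bounded, to cover double encoding), then match.

    Returns the injected URL, or None when the request carries none, so the
    caller can still log the request instead of crashing the handler.
    """
    decoded = path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    match = url_pattern.search(decoded)
    return match.group(1) if match else None


if __name__ == "__main__":
    for p in (RAW_PATH, ENCODED_PATH, "/index.php?id=5"):
        print(p, "->", extract_url_hardened(p))
```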