mushorg / glastopf

Web Application Honeypot
http://glastopf.org

RFI is not working with the Debian installation #121

Closed oguzy closed 10 years ago

oguzy commented 11 years ago

I followed the Debian instructions and installed glastopf on Debian wheezy.

Below is the output of the first run:

# glastopf-runner
2013-08-14 09:26:57,773 (glastopf.glastopf) Initializing Glastopf 3.0.9-dev using "/opt/myhoneypot" as work directory.
2013-08-14 09:26:57,776 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2013-08-14 09:26:58,764 (glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
2013-08-14 09:26:58,783 (requests.packages.urllib3.connectionpool) Starting new HTTPS connection (1): mnemosyne.honeycloud.net
2013-08-14 09:26:59,257 (requests.packages.urllib3.connectionpool) "POST /login HTTP/1.1" 200 30
2013-08-14 09:26:59,686 (requests.packages.urllib3.connectionpool) "GET /api/v1/aux/dorks?limit=1000 HTTP/1.1" 200 170112
2013-08-14 09:26:59,831 (glastopf.modules.handlers.emulators.dork_list.mnem_service) Successfully retrieved 1000 dorks from the mnemosyne service.
2013-08-14 09:27:04,598 (glastopf.glastopf) Generating initial dork pages - this can take a while.
2013-08-14 09:27:08,381 (pyhpfeeds) connecting to hpfriends.honeycloud.net:20000
2013-08-14 09:27:08,676 (pyhpfeeds) info message name: hpfriends, rand: 'X \x91\xd4'
2013-08-14 09:27:08,771 (glastopf.glastopf) Glastopf started and privileges dropped.

I changed the webserver information in the cfg file as follows:

[webserver]
host = pot.comu.edu.tr
port = 80
uid = nobody
gid = nogroup
proxy_enabled = False

Second run, testing the URL http://pot.comu.edu.tr/?color=http://192.168.1.250/vul.php:

# glastopf-runner
2013-08-14 09:33:05,715 (glastopf.glastopf) Initializing Glastopf 3.0.9-dev using "/opt/myhoneypot" as work directory.
2013-08-14 09:33:05,718 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2013-08-14 09:33:05,778 (pyhpfeeds) connecting to hpfriends.honeycloud.net:20000
2013-08-14 09:33:06,005 (pyhpfeeds) info message name: hpfriends, rand: '\xc6\x19\xe6\xe2'
2013-08-14 09:33:06,094 (glastopf.glastopf) Glastopf started and privileges dropped.
2013-08-14 09:33:34,569 (glastopf.glastopf) 192.168.1.250 requested GET /?color=http://192.168.1.250/vul.php on pot.comu.edu.tr
2013-08-14 09:33:34,654 (glastopf.sandbox.sandbox) File successfully parsed with sandbox.
2013-08-14 09:33:34,731 (glastopf.glastopf) 192.168.1.250 requested GET /favicon.ico on pot.comu.edu.tr
2013-08-14 09:33:40,549 (glastopf.glastopf) 192.168.1.250 requested GET /?color=http://192.168.1.250/vul.php on pot.comu.edu.tr
2013-08-14 09:33:40,602 (glastopf.sandbox.sandbox) File successfully parsed with sandbox.
2013-08-14 09:33:40,654 (glastopf.glastopf) 192.168.1.250 requested GET /favicon.ico on pot.comu.edu.tr
2013-08-14 09:35:45,399 (glastopf.glastopf) 192.168.1.250 requested GET /?color=http://192.168.1.250/vul.php on pot.comu.edu.tr
2013-08-14 09:35:45,454 (glastopf.sandbox.sandbox) File successfully parsed with sandbox.
2013-08-14 09:35:45,586 (glastopf.glastopf) 192.168.1.250 requested GET /favicon.ico on pot.comu.edu.tr

http://192.168.1.250/vul.php output:

16:42:47 up 14 days, 4:57, 25 users, load average: 0.53, 0.58, 0.49 uname -a: Linux kubuntu-desktop 3.8.0-27-generic #40-Ubuntu SMP Tue Jul 9 00:19:35 UTC 2013 i686
uptime: 16:42:47 up 14 days, 4:57, 25 users, load average: 0.53, 0.58, 0.49

I got files created with the above content when the URL is called from the honeypot:

root@honeypot:/opt/myhoneypot/data/files# ls -l
total 20
-rw------- 1 nobody nogroup 253 Aug 14 09:35 3cb49f7b07f1373c8349becf91e5a428
-rw------- 1 nobody nogroup 253 Aug 14 09:27 5e0d58d595a9a786737d1808ead5f83a
-rw------- 1 nobody nogroup 253 Aug 14 09:27 7ceb6ea708e1f574f9eff3782256cd74
-rw------- 1 nobody nogroup 253 Aug 14 09:33 9032ea658e1a1b4549b043b1f63ed149
-rw------- 1 nobody nogroup 253 Aug 14 09:33 f841ed4886b7c43f7e52bb7ba3a18ec1

But when I open http://pot.comu.edu.tr/?color=http://192.168.1.250/vul.php in a web browser, I just see a blank page.

Glastopf has been running for a while and I can see some GET request information in sqlite. When I read the KYT paper on the Honeynet site, I thought the web site should return some information. I am assuming this situation is a bug.

glaslos commented 11 years ago

This is how it should work:

The content you see should be returned to the adversary and Glastopf should store the unprocessed file. The fact that there is a processed file tells me that there is at least a running sandbox. This is definitely a bug. Thanks for the notice.
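A diagnostic in this spirit, added here as an example that is not part of the thread or of Glastopf itself: it parses log lines in the format shown above and checks that every RFI-style request (a query parameter carrying an absolute URL) is followed by a sandbox event, which is the behaviour glaslos describes. The sample log is constructed from the lines in this issue plus one attempt where the sandbox line is missing; the log format and logger names are assumed from the output quoted above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: lines copied from this issue, plus a final attempt (09:35:45)
# where no "File successfully parsed with sandbox." line follows the request.
SAMPLE_LOG = """\
2013-08-14 09:33:34,569 (glastopf.glastopf) 192.168.1.250 requested GET /?color=http://192.168.1.250/vul.php on pot.comu.edu.tr
2013-08-14 09:33:34,654 (glastopf.sandbox.sandbox) File successfully parsed with sandbox.
2013-08-14 09:33:34,731 (glastopf.glastopf) 192.168.1.250 requested GET /favicon.ico on pot.comu.edu.tr
2013-08-14 09:35:45,399 (glastopf.glastopf) 192.168.1.250 requested GET /?color=http://192.168.1.250/vul.php on pot.comu.edu.tr
2013-08-14 09:35:45,586 (glastopf.glastopf) 192.168.1.250 requested GET /favicon.ico on pot.comu.edu.tr
"""

# Request and sandbox line shapes, as they appear in the quoted output (assumed stable).
REQUEST_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \(glastopf\.glastopf\) (?P<src>\S+) requested "
    r"(?P<method>\S+) (?P<path>\S+) on (?P<vhost>\S+)$"
)
SANDBOX_RE = re.compile(
    r"^\S+ \S+ \(glastopf\.sandbox\.sandbox\) File successfully parsed with sandbox\.$"
)


def rfi_params(path):
    # Return (param, value) pairs whose value is an absolute http(s) URL:
    # the request shape the RFI emulator reacts to (e.g. ?color=http://host/vul.php).
    hits = []
    for name, values in parse_qs(urlparse(path).query, keep_blank_values=True).items():
        for value in values:
            u = urlparse(value)
            if u.scheme in ("http", "https") and u.netloc:
                hits.append((name, value))
    return hits


def audit_rfi(log_text):
    # Correlate each RFI-style request with the sandbox event that should follow it
    # before the next request; sandbox_ok False means the fetched file was never
    # reported as processed, which is what an operator would check for first.
    attempts, pending = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            pending = None
            hits = rfi_params(m["path"])
            if hits:
                pending = {"ts": m["ts"], "src": m["src"], "vhost": m["vhost"],
                           "params": hits, "sandbox_ok": False}
                attempts.append(pending)
        elif SANDBOX_RE.match(line) and pending is not None:
            pending["sandbox_ok"] = True
            pending = None
    return attempts


if __name__ == "__main__":
    for a in audit_rfi(SAMPLE_LOG):
        print(a["ts"], a["src"], a["params"], "sandbox_ok=%s" % a["sandbox_ok"])
```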

glaslos commented 10 years ago

Should be fixed in 0cc916e7cadd9ffae3143e67af43814dd2bb567e. Please reopen if the error still happens.