Re: [mod-security-users] Example OS command injection. Where is the injection?
From: Christian B. <ch...@jw...> - 2009-11-17 15:05:15
It's shown in the rule-message: [data "; id"]

The pattern catches a ";" as end-of-command and assumes the following "id" is a command to be executed. This is typically used by attackers to find out the user-id executing a command on the server (i.e. the unix 'id' command).

Found in your User-Agent-String:
..... ni/4.2.13216/938; U; id) Presto/2.2.0
at "U; id)"

Regards,
Chris

PS: It's just a quick guess, though. Didn't fully verify this.

On 17.11.2009 at 15:53, David Taveras wrote:

> Hello,
>
> I am looking over my audit log and found an entry like this... I am
> confused however because I don't see the actual injection on this image
> other than the regex matches. Where can I see the actual payload, do I
> need to modify something extra?
>
> Thank you.
>
> David
>
>
> --891dab3f-A--
> [17/Nov/2009:08:35:09 --0600] SwK0nX8AAAEAAFKIUIUAAAAF 174.142.46.11
> 39200 10.1.106.42 80
> --891dab3f-B--
> GET /affimages/07.gif HTTP/1.0
> Host: domain.com
> X-Real-IP: 64.255.180.31
> X-Forwarded-For: 114.120.235.25, 64.255.180.31
> Connection: close
> User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.13216/938; U; id)
> Presto/2.2.0
> Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
> image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
> Accept-Language: id,en;q=0.9
> Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
> Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
> Referer: http://blog.blog.com/mt41/mt-search.cgi?IncludeBlogs=3&tag=doctor&limit=20
> X-OperaMini-Features: advanced, file_system, folding
> X-OperaMini-Phone-UA: Nokia3500c/2.0 (06.60) Profile/MIDP-2.0
> Configuration/CLDC-1.1
> X-OperaMini-Phone: Nokia # 3500 Classic
>
> --891dab3f-F--
> HTTP/1.1 501 Method Not Implemented
> Allow: TRACE
> Content-Length: 227
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --891dab3f-H--
> Message: Access denied with code 501 (phase 2). Pattern match
> "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|
> t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)
> \.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?
> [\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?
> ..." at REQUEST_HEADERS:User-Agent. [file
> "/var/apache2/mod_security_rules/
> modsecurity_crs_40_generic_attacks.conf"]
> [line "140"] [id "959006"] [msg "System Command Injection"] [data ";
> id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]
> Action: Intercepted (phase 2)
> Stopwatch: 1258468509877985 5869 (4446 5653 -)
> Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/);
> core ruleset/1.6.1.
> Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8j DAV/2
> PHP/5.2.8 with Suhosin-Patch
>
> --891dab3f-K--
> SecAction "phase:2,auditlog,nolog,skipAfter:959009"
> SecAction "phase:2,auditlog,nolog,skipAfter:959007"
> SecAction "phase:2,auditlog,nolog,skipAfter:959904"
> SecAction "phase:2,auditlog,nolog,id:999501,skipAfter:959001"
> SecAction "phase:2,auditlog,nolog,skipAfter:959906"
> SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!
> REQUEST_HEADERS:Referer"
> "@pm jscript onsubmit copyparentfolder javascript meta onmove
> onkeydown onchange onkeyup activexobject expression onmouseup
> ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort
> shell: .innerhtml onmousedown onkeypress asfunction: onclick
> .fromcharcode background-image: .cookie ondragdrop onblur x-javascript
> mocha: onfocus javascript: getparentfolder lowsrc onresize @import
> alert onselect script onmouseout onmousemove background application
> .execscript livescript: getspecialfolder vbscript iframe .addimport
> onunload createtextrange onload <input"
> "phase:
> 2
> ,auditlog
> ,t:none
> ,t:urlDecodeUni
> ,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
> SecAction "phase:2,auditlog,nolog,skipAfter:959005"
> SecAction "phase:2,auditlog,nolog,skipAfter:950006"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@rx (?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\
> \.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|
> rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\
> \W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|
> [\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|
> ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?
> rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b))|\\/
> (?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|
> map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\\+\\+|cc)|(?:xte)?rm|
> ls(?:of)?|telnet|uname|echo|id)(?:[\\'\"\\|\\;\\`\\-\\s]|$))"
> "phase:
> 2
> ,capture
> ,t:none
> ,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=
> +E,deny,log,auditlog,status:501,msg:'System
> Command Injection',id:959006,tag:WEB_ATTACK/
> COMMAND_INJECTION,logdata:%{TX.0},severity:2"
>
> --891dab3f-Z--
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
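A way to confirm Chris's reading of the audit entry without touching the live server, as an added example for this thread (not code from ModSecurity or the Core Rule Set): the script below compiles the rule 959006 regex exactly as it appears in the -K- section of the quoted log (with the audit log's doubled backslashes and escaped quotes collapsed back to what the engine compiles), approximates the rule's transformation chain t:urlDecodeUni,t:htmlEntityDecode,t:lowercase with standard-library calls (the %uXXXX handling of t:urlDecodeUni is not reproduced, an assumption that is harmless here because none of these headers is percent-encoded), skips the headers the rule's target list excludes, and runs the rule over the request headers from section -B-. The only hit is the User-Agent, and the matched text is the same "; id" the log reports in logdata:%{TX.0}. The "benign" User-Agent at the end is constructed for comparison and is not from the log.

```python
"""Replay CRS 1.6.1 rule 959006 offline over the headers from the audit log."""
import html
import re
import urllib.parse

# Regex of rule 959006 as logged in section -K- above. ModSecurity writes the
# rule back with "\\" for "\" and "\"" for a quote; both are collapsed here.
RULE_959006_RX = re.compile(
    r"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)"
    r"|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe"
    r"|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)"
    r"|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)"
    r"|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm"
    r"|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))"
    r"|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)"
    r"|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)"
    r"(?:[\'\"\|\;\`\-\s]|$))"
)

# Header names the rule's target !REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/' removes.
EXCLUDED_HEADERS = {"cookie", "referer", "x-os-prefs"}


def transform(value: str) -> str:
    """Approximate t:urlDecodeUni,t:htmlEntityDecode,t:lowercase, applied in rule order.

    Assumption: urllib's unquote stands in for urlDecodeUni (no %uXXXX support).
    """
    return html.unescape(urllib.parse.unquote(value)).lower()


def match_959006(value: str):
    """Return what ModSecurity would log as logdata:%{TX.0} (the whole match), or None."""
    m = RULE_959006_RX.search(transform(value))
    return m.group(0) if m else None


def scan_request_headers(headers: dict) -> dict:
    """Map header name -> matched text for every header the rule actually inspects."""
    hits = {}
    for name, value in headers.items():
        if name.lower() in EXCLUDED_HEADERS:
            continue  # Cookie, Referer and X-OS-Prefs are never evaluated by this rule
        hit = match_959006(value)
        if hit is not None:
            hits[name] = hit
    return hits


# Request headers copied from section -B- of the quoted audit log.
AUDIT_LOG_HEADERS = {
    "Host": "domain.com",
    "X-Real-IP": "64.255.180.31",
    "X-Forwarded-For": "114.120.235.25, 64.255.180.31",
    "Connection": "close",
    "User-Agent": "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.13216/938; U; id) Presto/2.2.0",
    "Accept": "text/html, application/xml;q=0.9, application/xhtml+xml, "
              "image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1",
    "Accept-Language": "id,en;q=0.9",
    "Accept-Charset": "iso-8859-1, utf-8, utf-16, *;q=0.1",
    "Accept-Encoding": "deflate, gzip, x-gzip, identity, *;q=0",
    "Referer": "http://blog.blog.com/mt41/mt-search.cgi?IncludeBlogs=3&tag=doctor&limit=20",
    "X-OperaMini-Features": "advanced, file_system, folding",
    "X-OperaMini-Phone-UA": "Nokia3500c/2.0 (06.60) Profile/MIDP-2.0 Configuration/CLDC-1.1",
    "X-OperaMini-Phone": "Nokia # 3500 Classic",
}

# Constructed User-Agent with no "; <command>" sequence, for comparison (not from the log).
BENIGN_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"


if __name__ == "__main__":
    for name, hit in scan_request_headers(AUDIT_LOG_HEADERS).items():
        print(f"{name}: rule 959006 matched {hit!r}")   # User-Agent: rule 959006 matched '; id'
    print("benign User-Agent:", match_959006(BENIGN_USER_AGENT))  # None
```

Running it shows why David could not find a "payload": there is none, only the substring "; id" that the third alternative of the regex (a `;`, `|` or backtick followed by a command name at a word boundary) accepts. Opera Mini puts the UI language code in its User-Agent, and the same "id" shows up in this request's Accept-Language, so for this traffic the hit is a false positive of the 1.6.1 rule rather than an attack. On ModSecurity 2.5 the blunt fix is `SecRuleRemoveById 959006`, which disables the rule for every request; a narrower option is to keep the rule and handle the User-Agent separately so that command-injection detection on the other headers is not lost.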