Re: [mod-security-users] Example OS command injection. Where is the injection?
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Example OS command injection. Where is the injection?
|
From: Christian B. <ch...@jw...> - 2009-11-17 15:05:15
|
It's shown in the rule-message:
[data "; id"]
The pattern catches a ";" as end-of-command and assumes the following
"id" is a
command to be executed.
This is typically used by attackers to find out the user-id executing
a command
on the server (i.e. the unix 'id' command).
Found in you User-Agent-String:
..... ni/4.2.13216/938; U; id) Presto/2.2.0
at "U; id)"
Regards,
Chris
PS: It's just a quick guess, though. Didn't fully verify this.
Am 17.11.2009 um 15:53 schrieb David Taveras:
> Hello,
>
> Iam looking over my audit log and found an entry like this... Iam
> confused however because I dont see the actual injection on this image
> other then the regex matches. Where can I see the actual payload do I
> need to modify something extra?
>
> Thank you.
>
> David
>
>
> --891dab3f-A--
> [17/Nov/2009:08:35:09 --0600] SwK0nX8AAAEAAFKIUIUAAAAF 174.142.46.11
> 39200 10.1.106.42 80
> --891dab3f-B--
> GET /affimages/07.gif HTTP/1.0
> Host: domain.com
> X-Real-IP: 64.255.180.31
> X-Forwarded-For: 114.120.235.25, 64.255.180.31
> Connection: close
> User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.13216/938; U; id)
> Presto/2.2.0
> Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
> image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
> Accept-Language: id,en;q=0.9
> Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
> Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
> Referer: http://blog.blog.com/mt41/mt-search.cgi?IncludeBlogs=3&tag=doctor&limit=20
> X-OperaMini-Features: advanced, file_system, folding
> X-OperaMini-Phone-UA: Nokia3500c/2.0 (06.60) Profile/MIDP-2.0
> Configuration/CLDC-1.1
> X-OperaMini-Phone: Nokia # 3500 Classic
>
> --891dab3f-F--
> HTTP/1.1 501 Method Not Implemented
> Allow: TRACE
> Content-Length: 227
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --891dab3f-H--
> Message: Access denied with code 501 (phase 2). Pattern match
> "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|
> t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)
> \.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?
> [\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?
> ..." at REQUEST_HEADERS:User-Agent. [file
> "/var/apache2/mod_security_rules/
> modsecurity_crs_40_generic_attacks.conf"]
> [line "140"] [id "959006"] [msg "System Command Injection"] [data ";
> id"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]
> Action: Intercepted (phase 2)
> Stopwatch: 1258468509877985 5869 (4446 5653 -)
> Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/);
> core ruleset/1.6.1.
> Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8j DAV/2
> PHP/5.2.8 with Suhosin-Patch
>
> --891dab3f-K--
> SecAction "phase:2,auditlog,nolog,skipAfter:959009"
> SecAction "phase:2,auditlog,nolog,skipAfter:959007"
> SecAction "phase:2,auditlog,nolog,skipAfter:959904"
> SecAction "phase:2,auditlog,nolog,id:999501,skipAfter:959001"
> SecAction "phase:2,auditlog,nolog,skipAfter:959906"
> SecRule "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!
> REQUEST_HEADERS:Referer"
> "@pm jscript onsubmit copyparentfolder javascript meta onmove
> onkeydown onchange onkeyup activexobject expression onmouseup
> ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort
> shell: .innerhtml onmousedown onkeypress asfunction: onclick
> .fromcharcode background-image: .cookie ondragdrop onblur x-javascript
> mocha: onfocus javascript: getparentfolder lowsrc onresize @import
> alert onselect script onmouseout onmousemove background application
> .execscript livescript: getspecialfolder vbscript iframe .addimport
> onunload createtextrange onload <input"
> "phase:
> 2
> ,auditlog
> ,t:none
> ,t:urlDecodeUni
> ,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,skip:1"
> SecAction "phase:2,auditlog,nolog,skipAfter:959005"
> SecAction "phase:2,auditlog,nolog,skipAfter:950006"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp
> chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls
> tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd
> wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls
> nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe
> /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod
> cpp telnet cmd32.exe gcc g++"
> "phase:
> 2
> ,auditlog
> ,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skip:1"
> SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|
> X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES"
> "@rx (?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\
> \.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|
> rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\
> \W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|
> [\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|
> ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?
> rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b))|\\/
> (?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|
> map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\\+\\+|cc)|(?:xte)?rm|
> ls(?:of)?|telnet|uname|echo|id)(?:[\\'\"\\|\\;\\`\\-\\s]|$))"
> "phase:
> 2
> ,capture
> ,t:none
> ,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=
> +E,deny,log,auditlog,status:501,msg:'System
> Command Injection',id:959006,tag:WEB_ATTACK/
> COMMAND_INJECTION,logdata:%{TX.0},severity:2"
>
> --891dab3f-Z--
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
|