Sunday, 23 October 2016

Playing with Contagio



(Still) during my "little break", I found a directory on my disk with a few samples from the excellent Contagio blog. I decided to check a few of them, this time the ones related to web attacks.


TL;DR: it's a good idea to have an IPS and/or IDS (or "a few" ;)).

In a few of the archives I found PCAP files and wondered what was inside. To check, I opened them in Wireshark.



The first pcap contained an exploit for "2Capsule_Sticker". I didn't know that software, so I decided to check the traffic in the captured logs:



Cool, got it. ;] With that, it should not be a problem to write a simple proof-of-concept (in Python or another PoC-friendly language). Below is the full request to the vulnerable webapp ('Follow TCP Stream' in Wireshark):

 



Next case: a similar bug, also SQLi, this time for Joomla:



As you can see, with good IPS/IDS protection (and the traffic captures it gives you) you can find some cool 0/1-days. Of course not only for webapps, but it's always your decision what (traffic) you're looking for. ;)
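To make the detection side of this concrete, here is an added example (not code from the original post or from Contagio's samples): a small Python pass over a reconstructed HTTP request stream, the kind of text Wireshark's 'Follow TCP Stream' shows, that URL-decodes query and form parameters and flags the ones that look like SQL injection. The three sample streams and the four signature rules are constructed for this example and are deliberately minimal; a real IDS ruleset is far richer.

```python
"""Added example, not code from the original post or from Contagio: a small
detection pass over a reconstructed HTTP request stream (what Wireshark's
"Follow TCP Stream" shows), flagging parameters that look like SQL injection.
All sample streams and rules below are constructed for this example."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample streams (assumption: they resemble what an IDS or a
# pcap would show; they are NOT the captures discussed on the page).
SAMPLE_STREAMS = {
    "benign": (b"GET /index.php?option=com_content&id=12 HTTP/1.1\r\n"
               b"Host: example.test\r\n\r\n"),
    "union": (b"GET /index.php?option=com_content&id=12'%20UNION%20SELECT%201,2,3--%20 HTTP/1.1\r\n"
              b"Host: example.test\r\n\r\n"),
    "post": (b"POST /login.php HTTP/1.1\r\n"
             b"Host: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 30\r\n\r\n"
             b"user=admin'+OR+'1'%3D'1&pass=x"),
}

# Simple signature rules, applied to each URL-decoded parameter value.
# Decoding first matters: an IDS that matches on the raw %20-encoded
# query string misses trivially re-encoded variants.
RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("quote-keyword", re.compile(r"'\s*(or|and|union|select)\b", re.I)),
]


def parse_request(stream: bytes) -> dict:
    """Split one client-side HTTP request into method, path and parameters.
    Query-string and form-encoded body parameters are both URL-decoded."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, v in
               (line.split(": ", 1) for line in lines[1:] if ": " in line)}
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": url.path, "params": params}


def inspect_stream(stream: bytes) -> list:
    """Return (parameter, rule) pairs for every rule that fires on a value."""
    hits = []
    for name, value in parse_request(stream)["params"]:
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def is_suspicious(stream: bytes) -> bool:
    """True when at least one rule fired; a real deployment would weight rules."""
    return bool(inspect_stream(stream))


if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        req = parse_request(stream)
        print(f"{label:7} {req['method']} {req['path']} -> "
              f"{inspect_stream(stream) or 'clean'}")
```

Running the block prints one line per sample: the benign Joomla-style request comes back clean, the UNION request trips three rules on the `id` parameter, and the form-encoded POST trips the tautology and quote-keyword rules on `user`. The point of the example is the order of operations an IDS needs for web traffic: reassemble the stream, split out the parameters, decode them, and only then match.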

(*todo: maybe in the future I will post here some notes from my old VPS with similar cases...)

Cheers!