(Still) during my “little break”, I found a directory on my disk with a few samples from the excellent Contagio’s Blog. I decided to check a few of them, this time the ones related to web attacks.
TL;DR – it’s a good idea to have an IPS and/or IDS (or a “few” ;)).
In a few of the archives I found some PCAP files and wondered what was inside. To check, I used Wireshark.
The first pcap contained an exploit for “2Capsule_Sticker”. I didn’t know that software, so I decided to check the traffic in the sniffed logs:
Cool, got it. ;] From here it shouldn’t be a problem to write a simple proof-of-concept (in Python or any other PoC-friendly language). Below you will find the full request to the vulnerable webapp (‘Follow TCP Stream’ in Wireshark):
Next case – a similar bug, again SQLi, this time for Joomla:
As you can see, with good IPS/IDS protection you can find some cool 0/1-days. Of course not only for webapps; it’s always your decision what (traffic) you’re looking for. ;)
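To show what an IDS signature is actually keying on in those ‘Follow TCP Stream’ dumps, here is a small added screener (my own example, not from the Contagio samples or any IDS product) that parses a raw HTTP request, URL-decodes every parameter and flags the usual SQLi indicators. The host, paths and parameter names in the sample request are constructed placeholders, not the real vulnerable applications.

```python
# Screen raw HTTP requests (as pasted from Wireshark's 'Follow TCP Stream')
# for SQL-injection indicators, roughly the way an IDS signature set does.
import re
from urllib.parse import unquote_plus, parse_qsl, urlsplit

# Named signatures, each run against a normalized (URL-decoded, lower-cased,
# whitespace-collapsed) parameter value.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
    "tautology":    re.compile(r"(['\"]|\b)or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    "comment-tail": re.compile(r"(--|#|/\*)\s*$"),
    "stacked":      re.compile(r";\s*(drop|insert|update|delete)\b"),
}

def normalize(value: str) -> str:
    # Decode twice to catch %2527-style double encoding, then collapse spacing.
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).strip().lower()

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, params); POST body params are merged."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target, _ = head.split("\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body.strip(), keep_blank_values=True)
    return method, parts.path, params

def scan_request(raw: str):
    """Return [(param, signature)] for every parameter that trips a signature."""
    hits = []
    _, _, params = parse_request(raw)
    for name, value in params:
        norm = normalize(value)
        for sig, pattern in SIGNATURES.items():
            if pattern.search(norm):
                hits.append((name, sig))
    return hits

# Constructed sample modelled on a 'Follow TCP Stream' dump; host, path and
# parameter names are placeholders (hypothetical), not the real targets.
SAMPLE = (
    "GET /index.php?option=com_example&id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for param, sig in scan_request(SAMPLE):
        print(f"ALERT param={param} signature={sig}")
```

The same function works on POST bodies, so a captured form login with a tautology in a field trips the “tautology” rule rather than the URL-only ones.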
(*todo: maybe in the future I will post some notes here from my old VPS with a few similar cases…)