(Still) during my "little break", I found some directory on my disk with a few samples from the excellent Contagio Blog. I decided to check a few of them, this time related to web attacks.

TL;DR – it's a good idea to have an IPS and/or IDS (or "a few" ;)).

In a few archives I found some PCAP files. I was wondering what's inside. To check it I used Wireshark. The first pcap was with some exploit for "2Capsule_Sticker". I didn't know that software, so I decided to check the traffic in the sniffed logs:

Cool, got it. ;] For now, it should not be a problem to write a simple proof-of-concept code (in Python or another PoC-friendly language). Below you will find the full request to the vulnerable webapp ('Follow TCP Stream' from Wireshark):

Next case – a similar bug, also SQLi, this time for Joomla:

As you can see, with good IPS/IDS protection you can find some cool 0/1-days. Of course not only for webapps, but it's always your decision what (traffic) you're looking for. ;)

(*todo: Maybe in the future I will post here some notes from my old VPS with some similar cases…)

Cheers!
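As an added example (not code from the post, and not one of the Contagio captures), here is a small Python script covering both steps described above: it parses one HTTP request in the form Wireshark's 'Follow TCP Stream' displays it, and then runs the kind of simple SQLi indicator checks an IDS rule would apply to the query parameters. The request text, the host name and the pattern list are constructed assumptions, not from the post.

```python
"""Flag SQL-injection indicators in one HTTP request as shown by Wireshark's
'Follow TCP Stream'.  Added example: request text and patterns are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed request text, in the shape a 'Follow TCP Stream' pane shows.
SAMPLE_STREAM = (
    "GET /index.php?option=com_example&id=1%27+OR+1%3D1--+ HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Indicators a simple IDS rule might look for (assumed list, not from the post).
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]


def parse_request_line(stream):
    """Return (method, path, params) parsed from the request line of the stream."""
    first_line = stream.split("\r\n", 1)[0]
    method, target, _version = first_line.split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return method, parts.path, params


def scan_params(params):
    """Return {param_name: [indicator labels]} for parameters that match a pattern."""
    hits = {}
    for name, value in params.items():
        # parse_qsl already decoded once; decoding again catches double-encoded payloads
        decoded = unquote_plus(value)
        matched = [label for label, rx in SQLI_PATTERNS if rx.search(decoded)]
        if matched:
            hits[name] = matched
    return hits


def scan_stream(stream):
    """Parse the request and report which parameters carry SQLi indicators."""
    method, path, params = parse_request_line(stream)
    return {"method": method, "path": path, "hits": scan_params(params)}


if __name__ == "__main__":
    result = scan_stream(SAMPLE_STREAM)
    for param, labels in result["hits"].items():
        print(f"{result['method']} {result['path']} param {param!r}: {', '.join(labels)}")
```

On the constructed request the `id` parameter is flagged for both a tautology and a comment terminator, while `option` passes clean; the same function returns an empty `hits` dictionary for an ordinary `id=42` request, which is the behaviour you want before turning such a check into an alerting rule.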