WTF an SQL injection payload as part of an URL in IIS.NET, it must be a honeypot
By Dinis Cruz Blog, on [2013-03-14] at 03:42:58
Summary:

NOTE: I used the 'contact us' form at IIS.net to ask for a direct email to send the info below, and they said to 'post it on the support forum' (see at the end of this blog entry a screenshot of the email I sent to IIS.NET).

Btw, since the issue is still there a week later, I think this is a honeypot.

Here is the blog entry I was writing when I found this saved as a draft since.

---------------------------------------------------------------------

This is either a funny joke, or an attack gone wrong.

When I was adding some references to my "What happens when Asp.Net not installed on Windows 8 server" post, I noticed something weird with one of the URLs used as references:

http www.iis.net learn get-started whats-new-in-iis--1'%20or%20'82' '82 iis-80-using-aspnet-35-and-aspnet-45

Can you spot the issue? What about like this:

http www.iis.net learn get-started whats-new-in-iis--1'%20or%20'82' '82 iis-80-using-aspnet-35-and-aspnet-45

Just to confirm that something hadn't happened with my copy and paste, I went to the browser and confirmed that it was the correct URL:

[image]

Note how these variations of the original URL don't work:

http www.iis.net learn get-started whats-new-in-iis
[image]
http www.iis.net learn get-started whats-new-in-iis iis-80-using-aspnet-35-and-aspnet-45
[image]

BUT, these work:

http www.iis.net learn get-started whats-new-in-iis--1'%20or%20'83' '83 iis-80-using-aspnet-35-and-aspnet-45
http www.iis.net learn get-started whats-new-in-iis--1'%20or%20'8' '8 iis-80-using-aspnet-35-and-aspnet-45
[image]

The last ones seem to imply that there is an SQL Injection here.

Now the question is: where do the links with the SQL Injection payload come from?

Weirdly, it looks like they come directly from their own website.

A search for

http www.iis.net search searchterm IIS%208.0%20Using%20ASP.NET%203.5%20and%20ASP.NET%204.5
[image]

shows the SQL injection payload in there:

[image]

Same thing in Google (note the full URL in the address bar):

[image]

And sure enough, there are more cases:

[image]
http www.iis.net learn install installing-iis-7'%20and%2070-68 '2 installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2
[image]
http www.iis.net downloads -1'%20or%20'79' '79 2007 01 iis7-native-api- cplusplus -starter-kit
[image]

Humm, this is a bit weird, since it looks like an SQL Injection, but somehow I think this is a honeypot.

But since Google doesn't return any decent hits on that

[image]

and I'm not authorized to make any SQL Injection tests on this site, I'm going to contact the website owners and see what they say about it.

---------------------------------------------------------------------

Note: Email sent to IIS.NET support team (note how they never replied to my 2nd email)
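A defender's check for the pattern the post describes, as an added example that is not part of the original post: audit the URLs a site itself emits (sitemap, internal search results, crawl output) for path segments that carry a quote followed by a boolean operator. The host `site.example`, the function names and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# A single quote followed by OR/AND and an operand, checked after URL-decoding.
# This is the shape seen in the post's links: ...'%20or%20'NN'... inside a path segment.
SUSPECT = re.compile(r"'\s*(?:or|and)\s*'?\w+", re.IGNORECASE)


def suspicious_segments(url):
    """Return the decoded path segments of `url` that match SUSPECT."""
    hits = []
    for raw in urlsplit(url).path.split("/"):
        segment = unquote(raw)  # %20 -> space, so the regex sees the decoded text
        if SUSPECT.search(segment):
            hits.append(segment)
    return hits


def audit(urls):
    """Map every flagged URL to the path segments that triggered the match."""
    report = {}
    for url in urls:
        hits = suspicious_segments(url)
        if hits:
            report[url] = hits
    return report


# Constructed sample input (hypothetical host and paths, not taken from the post).
SAMPLE_URLS = [
    "http://site.example/learn/get-started/whats-new/using-aspnet",
    "http://site.example/learn/get-started/whats-new-1'%20or%20'5'='5/using-aspnet",
    "http://site.example/downloads/-1'%20OR%20'7'='7/2007/01/starter-kit",
    "http://site.example/learn/o'reilly-or-not/overview",  # benign apostrophe
]

if __name__ == "__main__":
    for url, segments in audit(SAMPLE_URLS).items():
        print(url, "->", segments)
```

A hit in links generated by the site's own search or navigation means the fragment has been stored or reflected into published URLs, which is worth tracing back to the routing and data layer.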