编写FTP、telnet协议、IIS、Elastic漏洞的suricata规则-测试(9004080-9004089)
1.测试规则(9004080)
# Test traffic for rule 9004080 (FTP). Host B only needs a raw TCP listener on
# port 21 — it sends no banner and never answers, which is enough because the
# rule is evaluated on the client's request bytes.
# 1. 主机B监听 (host B listens)
nc -l -p 21 -k
# 2. 主机A发送请求 (host A sends requests)
# Three FTP commands whose argument carries the "() { :; };" function-definition
# shape; they differ only in spacing (spaces vs. tabs, and where the spaces sit)
# so the rule's tolerance for whitespace variations can be checked. Each pipe
# opens its own connection; -k on the listener keeps it alive between them.
printf 'USER () { :;}; id\r\n' | nc 10.10.10.2 21
printf 'USER (){ : ; } ;uname -a\r\n' | nc 10.10.10.2 21
printf 'PASS ()\t{\t:\t;\t}\t;\twhoami\r\n' | nc 10.10.10.2 21
2.测试规则(9004081-9004082)
# Test traffic for rules 9004081-9004082 (telnet). Host B runs a small mock
# that imitates a telnet banner and prompt; host A then sends the access command.
# 1. 主机B开启服务 (host B starts the mock service)
cat >sel_telnet_mock.py <<'PY'
# Mock telnet endpoint: greets with an SEL-2032-style banner and, once the
# client has sent "2AC" (case-insensitive), answers with the "=>>" prompt.
import socket, threading
HOST="10.10.10.2"
PORT=23
def handle(c):
    # Per-connection worker: banner first, then echo the prompt on each match.
    c.sendall(b"SEL-2032 Ready\r\n> ")
    buf=b""
    while True:
        d=c.recv(4096)
        if not d:
            break
        buf += d
        # NOTE(review): b"2AC" is a substring of b"2ACCESS", so the second test
        # can never match when the first does not; it is redundant but harmless.
        # buf is only reset on a match, so it grows without bound for a client
        # that never sends the command — acceptable for a throwaway test mock.
        if b"2AC" in buf.upper() or b"2ACCESS" in buf.upper():
            c.sendall(b"\r\n=>> ")
            buf=b""
    # NOTE(review): close() is skipped if recv()/sendall() raises; the thread is
    # a daemon, so a stray socket only matters for long test runs.
    c.close()
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((HOST, PORT))
s.listen(20)
while True:
    c,_=s.accept()
    threading.Thread(target=handle, args=(c,), daemon=True).start()
PY
# 2. 主机A发送请求 (host A sends the request)
# A single "2AC" line is enough to trigger the banner/prompt exchange; which of
# the two rules fires on the request and which on the reply is presumably what
# the 9004081/9004082 split covers — confirm against the rule bodies.
printf "2AC\r\n" | nc 10.10.10.2 23
3.测试规则(9004083-9004084)
# Test traffic for rules 9004083-9004084 (IIS/WebDAV). Host B runs a mock that
# answers any request with an empty 207 Multi-Status; host A sends a PROPFIND
# carrying an over-long If: header.
# 1. 主机B开启服务 (host B starts the mock service)
cat >webdav_mock.py <<'PY'
# Mock WebDAV responder: reads until the end of the request headers, replies
# with a fixed 207 Multi-Status and closes. It does not parse the request, so
# only the bytes on the wire are meaningful for the rule test.
import socket, threading
HOST="10.10.10.2"; PORT=80
def handle(c):
    data=b""
    while True:
        d=c.recv(4096)
        if not d:
            break
        data += d
        # Stop at the blank line that terminates the headers; the client sends
        # Content-Length: 0, so nothing follows.
        if b"\r\n\r\n" in data:
            break
    resp = b"HTTP/1.1 207 Multi-Status\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    c.sendall(resp)
    c.close()
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
s.bind((HOST,PORT))
s.listen(50)
while True:
    c,_=s.accept()
    threading.Thread(target=handle,args=(c,),daemon=True).start()
PY
# 2. 主机A发送请求至主机B (host A sends the request to host B)
python - <<'PY'
# PROPFIND whose If: header holds a URL padded with 1300 "A"s. The abnormal
# header length is the property the rules are expected to key on; the server's
# reply is irrelevant, recv() just waits for the mock to answer before closing.
import socket
host="10.10.10.2"; port=80
pad="A"*1300
req = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: 10.10.10.2\r\n"
    "If: <http://10.10.10.2/" + pad + ">\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
s=socket.create_connection((host,port))
s.sendall(req.encode())
s.recv(1024)
s.close()
PY
4.测试规则(9004085-9004089)
# Test traffic for rules 9004085-9004089 (Elasticsearch, port 9200). A stock
# Python HTTP server stands in for Elasticsearch; it serves the current
# directory, so run it in an empty scratch directory. Its replies do not
# matter — the rules are evaluated on the request line.
# 1. 主机B开启9200服务 (host B starts a service on 9200)
python -m http.server 9200 --bind 10.10.10.2
# 2. 主机A发送请求至9200端口 (host A sends requests to port 9200)
DST=10.10.10.2
PORT=9200
# Five requests under /_plugin/, one per rule (presumably 9004085..9004089 in
# this order — confirm against the rule bodies): a raw ".." segment, the same
# segment URL-encoded once, encoded twice, the "..;" path-parameter form, and
# a plain path ending in etc/passwd with no traversal at all. '%b' lets the
# double-quoted variants expand \r\n while keeping the %2e/%25 sequences
# literal; -n skips DNS and -w 2 bounds each connection to two seconds.
printf 'GET /_plugin/test/../_nodes HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$DST" | nc -n -w 2 "$DST" "$PORT"
printf '%b' "GET /_plugin/test/%2e%2e%2f_nodes HTTP/1.1\r\nHost: $DST\r\nConnection: close\r\n\r\n" | nc -n -w 2 "$DST" "$PORT"
printf '%b' "GET /_plugin/test/%252e%252e%252f_nodes HTTP/1.1\r\nHost: $DST\r\nConnection: close\r\n\r\n" | nc -n -w 2 "$DST" "$PORT"
printf 'GET /_plugin/test/..;/_nodes HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$DST" | nc -n -w 2 "$DST" "$PORT"
printf 'GET /_plugin/test/etc/passwd HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$DST" | nc -n -w 2 "$DST" "$PORT"
# 3. 主机B分析测试流量 (host B analyses the captured traffic)
# Lists the distinct TCP stream ids on port 9200 that carried payload, i.e. one
# id per request above — a quick way to confirm all five connections reached
# the capture. The capture itself (how the pcap was recorded) is not shown on
# this page.
tshark -r ElasticSearch-cve-2015-3337.pcap -Y 'tcp.port==9200 && tcp.len>0' -T fields -e tcp.stream | sort -n | uniq
