File Operation Security - File Upload Alarm Operation

This article explains how to use the clues in file upload alarms to carry out daily security operations, covering the definition of file upload, IDS rules for file upload, examples of file upload packets, analysis and judgment of file upload alarms, and disposal suggestions, so that meaningful security incidents can be mined from the alarms.

File upload definition

File upload here specifically refers to file upload vulnerabilities in the security field. For details on the principle of file upload vulnerabilities, see here. If you want to learn more about the principles of file upload and the corresponding vulnerability examples, see the previous article.

File upload packets

The following introduces common file upload packets through three examples.

File upload case 1

Figure 1
Here, a .php file containing a one-sentence Trojan horse (a minimal webshell) is uploaded through the file upload function.

File upload case 2

Figure 2
Here, an .ini configuration file is uploaded through the file upload function, but the file content deliberately begins with GIF89a, the signature found at the start of a GIF image file.

File upload case three

Figure 3
Here, a .jsp file is uploaded through the file upload function.

File Upload Rules

For the file upload packets above, a general rule for HTTP file upload vulnerabilities is as follows:

# Corrected from the original listing: the msg is translated to English; the request body is selected with
# http_client_body (in Snort, file_data points at the HTTP response body, so a to_server rule using it would
# not see the upload); the "." before the suffix is escaped; and the pcre uses the /P (request body) modifier
# instead of /U (normalized URI), since the filename= parameter lives in the multipart body, not the URI.
alert http any any -> any any (msg:"HTTP file upload vulnerability detection"; flow:to_server,established; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22|"; nocase; http_client_body; content:"filename=|22|"; nocase; http_client_body; pcre:"/filename=\x22[^\x22]+?\.(php|pl|py|jsp|asp|aspx|exe|dll|sh)/Pi"; reference:url,https://www.owasp.org/index.php/Unrestricted_File_Upload; classtype:attempted-user; sid:1000001; rev:1;)

If you want more rules of this kind, refer to the ET open-source rule set (ET Open), which is a relatively well-known rule set in the industry; the download address is here. You can also buy the commercial ETPRO rule set, here, or the Snort subscription rule set, here. The ETPRO rule set focuses on detecting general attacks, while the Snort rule set focuses on detecting vulnerabilities; the Snort rule set is cheaper.

From the above rule, we can see that the detection logic for file upload has two points:

  • The Content-Disposition header and the filename= parameter are the monitoring points used to detect HTTP file upload behavior
  • Specific suffixes such as php, py, asp and exe are used to detect the upload of files of a particular type

The reason is that in normal business, only pictures, txt files, Word documents and similar business files are allowed to be uploaded. When an executable script file appears in the uplink data, that is, when a script file is uploaded to the server, it is usually very suspicious, and security devices will normally raise an alarm of this type.

The alarms produced by the detection points of the above rule alone cannot confirm that the behavior is malicious, because administrators do sometimes upload scripts, and uploading executable files is sometimes a normal business behavior. At this point, operators usually need to combine the alarm's payload with other related behaviors to investigate and collect evidence. In other words, taking the file upload alarm as a clue and combining the uploaded file content, whether a related vulnerability exists, attacker and victim information, and whether there are other operations along the kill chain, a complete security incident can finally be determined. Therefore, for file uploads, the relevant research and judgment includes the following.
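To make the two detection points concrete, here is an added example (not code from the original article) that re-implements the rule's logic in Python so an analyst can run it offline over a captured request: it parses a multipart/form-data request, pulls out every part that carries a filename= parameter, and reports those whose name contains one of the rule's script or binary suffixes. The request bytes, the host name and the field names are constructed for the example.

```python
import re

# Suffixes the IDS rule above treats as executable scripts or binaries.
SCRIPT_SUFFIXES = {"php", "pl", "py", "jsp", "asp", "aspx", "exe", "dll", "sh"}

# Detection point 1: a part header with Content-Disposition: form-data and a filename= parameter.
CONTENT_DISPOSITION_RE = re.compile(
    rb"Content-Disposition:\s*form-data;(?P<params>[^\r\n]*)", re.IGNORECASE)
FILENAME_RE = re.compile(rb'filename="(?P<name>[^"]*)"', re.IGNORECASE)
BOUNDARY_RE = re.compile(
    rb'Content-Type:\s*multipart/form-data;[^\r\n]*?boundary=(?P<b>"[^"]+"|[^\s;"]+)', re.IGNORECASE)


def split_http_request(raw: bytes):
    """Split a raw HTTP request into (header block, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return (head, body) if sep else (raw, b"")


def get_boundary(headers: bytes):
    """Return the multipart boundary declared in the request headers, or None."""
    m = BOUNDARY_RE.search(headers)
    return m.group("b").strip(b'"') if m else None


def extract_uploads(raw: bytes):
    """Return one dict per multipart part that carries a filename= parameter."""
    headers, body = split_http_request(raw)
    boundary = get_boundary(headers)
    if boundary is None:
        return []
    uploads = []
    for part in body.split(b"--" + boundary):
        part = part.strip(b"\r\n")          # drop the CRLF framing around each part
        if part in (b"", b"--"):            # preamble or closing delimiter
            continue
        part_headers, _, part_body = part.partition(b"\r\n\r\n")
        cd = CONTENT_DISPOSITION_RE.search(part_headers)
        if not cd:
            continue
        fn = FILENAME_RE.search(cd.group("params"))
        if fn:
            uploads.append({"filename": fn.group("name").decode("latin-1"),
                            "content": part_body})
    return uploads


def suspicious_suffix(filename: str):
    """Detection point 2: return the first script/binary suffix found in the file name.
    Every dot-separated suffix is checked, which mirrors the rule's unanchored pcre."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    for ext in base.split(".")[1:]:
        if ext in SCRIPT_SUFFIXES:
            return ext
    return None


def evaluate_request(raw: bytes):
    """Return an alert record for every uploaded part whose name has a suspicious suffix."""
    alerts = []
    for up in extract_uploads(raw):
        ext = suspicious_suffix(up["filename"])
        if ext:
            alerts.append({"filename": up["filename"], "suffix": ext,
                           "size": len(up["content"])})
    return alerts


# Constructed sample request modelled on case 1: a .php file in a form field named "file".
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----FormBoundaryabc123\r\n"
    b"\r\n"
    b"------FormBoundaryabc123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"<?php echo 'placeholder'; ?>\r\n"
    b"------FormBoundaryabc123\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n'
    b"\r\n"
    b"Upload\r\n"
    b"------FormBoundaryabc123--\r\n"
)

if __name__ == "__main__":
    for alert in evaluate_request(SAMPLE_REQUEST):
        print(alert)
```

The `name="file"` restriction of the original rule is deliberately not reproduced here: any part with a filename is inspected, which is what you want when triaging a single captured request rather than tuning a rule for false-positive volume.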

File upload analysis and judgment

The following introduces several dimensions along which operators can judge a file upload alarm: whether it is a specific vulnerability exploit, what the payload of the file is, who the attacker is, what the victim's assets are, and whether it is associated with other operations.

Related Vulnerability Research and Judgment

If it can be determined that the packet exploits a certain vulnerability, it means the vulnerability is being used to upload the file rather than a normal upload through the business interface, and this alarm event needs further attention. There are several methods for associating a known packet with a specific vulnerability:

  • Check whether the alarm device has hit rules related to the vulnerability
  • Search for the corresponding POC using the key information in the URL and see whether it matches
  • Collide the traffic with a large number of open-source rules and see whether any of them hit. A follow-up article will introduce the method of using Wireshark plus open-source Snort rules for vulnerability collision; see the column "Security Analyst" here for details.

Payload research and judgment

The intent can be obtained from the payload of the packet, as follows:

The payload uploaded in Figure 1 is a one-sentence Trojan horse, and its behavior is very suspicious, because one-sentence Trojan horses are closely related to webshells.

What is uploaded in Figures 2 and 3 is a specific file, which may not be judgeable by experience alone. The methods for judging whether a specific file is malicious are:

  • Restore the file data from the pcap; see here for the restoration method
  • Obtain the MD5 value of the file with the md5sum command and search for it in VT
  • If VT has no corresponding result, run the executable file dynamically in an open-source sandbox and use the behavior report for further research and judgment

In Figure 2, it is necessary to go to the host and inspect the corresponding shell.png to be definitive, but the fact that an ini file is disguised with a GIF89a header is already enough to conclude that this is malicious behavior.

Through the payload, it is generally possible to determine the initial purpose of the file upload, that is, what the file can be used for. For files with malicious intent, this alarm event needs further attention.
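The following is an added example (not part of the original article) of the payload triage described above, applied to a file already restored from the pcap. It computes the hashes an analyst would look up in VT (the lookup itself is not performed here), checks whether the file's magic bytes agree with its declared extension so that an .ini starting with GIF89a, as in Figure 2, is flagged, and matches the PHP one-sentence Trojan pattern from Figure 1. The sample file contents and names are constructed for the example.

```python
import hashlib
import re

# Signatures of the file types the article says are normally allowed to be uploaded.
MAGIC_BY_EXT = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
EXT_ALIASES = {"jpeg": "jpg"}

# Text or script file types that should never begin with an image signature.
TEXT_LIKE_EXTS = {"ini", "txt", "php", "jsp", "asp", "aspx", "html", "htm"}

# Canonical one-sentence Trojan shape: eval()/assert() fed directly from a request parameter.
ONE_LINER_RE = re.compile(
    rb"<\?php\s*@?(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.IGNORECASE)


def file_hashes(data: bytes):
    """MD5 (for VT lookup, as in the article) plus SHA-256 for the incident record."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def detected_magic(data: bytes):
    """Return the extension whose signature the data starts with, or None."""
    for ext, sigs in MAGIC_BY_EXT.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None


def declared_ext(filename: str):
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def triage(filename: str, data: bytes):
    """Return hashes, detected type and a list of findings with a coarse verdict."""
    ext = declared_ext(filename)
    magic = detected_magic(data)
    findings = []
    if magic and ext in TEXT_LIKE_EXTS:
        findings.append(f"{magic} image signature at the start of a .{ext} file (masquerading)")
    if ext in MAGIC_BY_EXT and magic != ext:
        findings.append(f".{ext} file does not carry a {ext} signature")
    if b"<?php" in data and ext != "php":
        findings.append("PHP open tag inside a non-PHP file")
    webshell = bool(ONE_LINER_RE.search(data))
    if webshell:
        findings.append("PHP one-sentence Trojan pattern (eval/assert on a request parameter)")
    if webshell:
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "needs manual review"
    return {"filename": filename, **file_hashes(data), "magic": magic,
            "findings": findings, "verdict": verdict}


# Constructed samples: an .ini disguised with a GIF header (case 2 shape), a one-sentence
# Trojan (case 1 shape), and a genuine GIF header for comparison.
SAMPLE_INI = b"GIF89a\r\n[settings]\r\nkey=value\r\n"
SAMPLE_PHP = b'<?php @eval($_POST["cmd"]); ?>'
SAMPLE_GIF = b"GIF89a" + bytes(16)

if __name__ == "__main__":
    for name, blob in (("shell.ini", SAMPLE_INI), ("a.php", SAMPLE_PHP), ("logo.gif", SAMPLE_GIF)):
        print(triage(name, blob))
```

The magic check only covers the handful of signatures listed; a file of an unlisted type simply lands in "needs manual review", which is the point at which the article's sandbox step applies.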

Attacker's Judgment

From the source IP, you can find out who initiated the attack request. Through threat intelligence analysis, it can be determined whether the IP is a black or grey IP used for malicious attacks. Figure 4 below shows a malicious IP as reported by Weibu (ThreatBook) intelligence:
Figure 4
The intelligence shows that the attacker's IP is malicious, so this alarm event needs further attention. A follow-up article will introduce the method of using Wireshark plus threat intelligence for collision; see the column "Security Analyst" here for details.

Analysis and judgment of attack results

By examining the response to the file upload above, determine whether the upload succeeded. In Figures 1 and 2 the exploit returns 200 OK at the HTTP level, which suggests success. If the payload part of the response clearly reports that the upload succeeded, this alarm event needs further attention, and it is necessary to investigate and collect evidence on the corresponding host as soon as possible.

Kill Chain Study and Judgment

For the exploitation of file upload vulnerabilities, try to relate the alarm to the preceding and following behaviors in the kill chain. For example, by searching on the victim's IP, check whether there was a scanning alarm before the vulnerability was exploited and whether there was webshell activity after it. If associated behavior exists and the attack path can be reconstructed, this alarm event needs further attention. Of course, with file upload as the core, many more attack methods can be associated; in essence, it is necessary to be familiar with the common exploits (EXP) that rely on file upload.
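As an added example (not from the original article), the kill-chain correlation above can be expressed as a simple query over an alert store: for each file upload alarm, look on the same victim IP for scanning alarms in a window before it and webshell alarms in a window after it, and raise the priority accordingly. The alert records, their field names and the one-hour windows are assumptions made for the example, not any product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample alerts in an assumed flat format: timestamp, source IP, victim IP, category.
SAMPLE_ALERTS = [
    {"ts": "2023-03-20 09:55:10", "src": "203.0.113.5", "dst": "192.0.2.10", "category": "scan"},
    {"ts": "2023-03-20 10:02:31", "src": "203.0.113.5", "dst": "192.0.2.10", "category": "file_upload"},
    {"ts": "2023-03-20 10:03:05", "src": "203.0.113.5", "dst": "192.0.2.10", "category": "webshell"},
    {"ts": "2023-03-20 10:40:00", "src": "198.51.100.7", "dst": "192.0.2.11", "category": "file_upload"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def kill_chain_context(alerts, upload, before=timedelta(hours=1), after=timedelta(hours=1)):
    """Find recon before and webshell activity after one upload alarm on the same victim."""
    t0 = parse_ts(upload["ts"])
    victim = upload["dst"]
    same_victim = [a for a in alerts if a["dst"] == victim and a is not upload]
    recon = [a for a in same_victim
             if a["category"] == "scan" and t0 - before <= parse_ts(a["ts"]) < t0]
    post = [a for a in same_victim
            if a["category"] == "webshell" and t0 < parse_ts(a["ts"]) <= t0 + after]
    # One source IP across all stages strengthens the link to a single attacker.
    same_attacker = all(a["src"] == upload["src"] for a in recon + post)
    if post:
        priority = "immediate"      # upload followed by webshell use: respond now
    elif recon:
        priority = "elevated"       # deliberate targeting, but no confirmed follow-up yet
    else:
        priority = "normal"         # isolated alarm: judge on payload and result alone
    return {"victim": victim, "attacker": upload["src"], "recon_before": len(recon),
            "webshell_after": len(post), "same_attacker": same_attacker, "priority": priority}


def triage_uploads(alerts):
    """Run the correlation for every file upload alarm in the store."""
    return [kill_chain_context(alerts, a) for a in alerts if a["category"] == "file_upload"]


if __name__ == "__main__":
    for row in triage_uploads(SAMPLE_ALERTS):
        print(row)
```

On the sample data the first upload is bracketed by a scan and a webshell alarm from the same source and is marked "immediate", while the second, with nothing around it, stays "normal" and falls back to the payload and attack-result judgments above.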

Research and judgment of related assets

Asset data often has to be queried separately in the customer's systems. If the asset is very important, the importance of the event should be raised accordingly, and this alarm event needs further attention.

It can be seen that through the associated vulnerability, the attack payload and the attacker's IP intelligence, the attacker's intention can generally be judged. For example, if the file upload exploits a vulnerability in an important component, the uploaded content is a one-sentence Trojan horse, and the attacker's IP belongs to a known malicious IP group, this indicates a deliberate attack by a malicious attacker.
Then, through the attack result, the other actions associated along the kill chain, and the affected assets, the severity of the attack can be judged. For example, if the upload succeeded and a webshell connection followed, an attack on an important web server must be responded to immediately.

The above are some common research and judgment ideas for file uploads.

File Upload Disposition Recommendations

From a security operations perspective, the disposal recommendations for file uploads are generally as follows:

  • Block the attacker's IP address to prevent malicious IP from being used again
  • Check whether the corresponding asset has a file upload vulnerability, and if so, join the follow-up vulnerability repair plan
  • For successful attacks, go to the corresponding host and remove the uploaded files
  • For other attacks related to the kill chain, eliminate the negative impact of other attack techniques such as webshell

This article is an original article by the CSDN blogger "youth in the village" and may not be reproduced without permission. The blogger's link is here.

Origin blog.csdn.net/javajiawei/article/details/129720189