Creating an xmlrpc honeypot
#1
I created a website for my boss and decided it'd be cool to create a honeypot for an xmlrpc.php. Today I'll go through how I did it, what I created, and how it works.

What's a honeypot?

According to http://searchsecurity.techtarget.com, a honeypot is:

Code:
A honeypot is a computer system that is set up to act as a decoy to lure cyberattackers, and to detect, deflect or study attempts to gain unauthorized access to information systems. Generally, it consists of a computer, applications, and data that simulate the behavior of a real system that appears to be part of a network but is actually isolated and closely monitored. All communications with a honeypot are considered hostile, as there's no reason for legitimate users to access a honeypot. Viewing and logging this activity can provide an insight into the level and types of threat a network infrastructure faces while distracting attackers away from assets of real value.

TL;DR: A honeypot is a system that is set up to look vulnerable so that you can study what attackers are trying to do.


How it works

My honeypot is sitting on an xmlrpc.php link (i.e. http://site.com/xmlrpc.php); this link is usually one of the first links people fuzz for to determine whether a site is a WordPress site or not. The reason I chose this link is because it is one of the most connected-to links (that I am aware of); it will display information, functions, and secret data of the webpage. Attackers use these links to gain access to the WordPress site and cause damage. My specific xmlrpc is designed to look like a poorly configured MySQL database complete with a SQL error. This should lure scanners and attackers into trying to attack the system with POST requests, PUT requests, and GET requests.

Data gathered

Once there is a connection, the client's IP address, User-Agent, browser type, and request method are stored in a hidden (unfuzzable) folder within a "honey-pot.log" file. How this data is gathered is as follows:

Gathering the User-Agent is pretty simple:

Code:
function getUserAgent(){
  return $_SERVER['HTTP_USER_AGENT'];
}

Gathering the IP address is a little more complicated because there is not always a reliable way to do so, so I went ahead and created a system to gather the possible IP address:

Code:
function getIp(){
  if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
      $retval = $_SERVER['HTTP_CLIENT_IP'];
  } elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
      $retval = $_SERVER['HTTP_X_FORWARDED_FOR'];
  } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
      $retval = $_SERVER['REMOTE_ADDR'];
  } else {
      $retval = "n/a";
  }
  return $retval;
}

Getting request method is fairly simple as well:

Code:
function getRequestType(){
  return $_SERVER['REQUEST_METHOD'];
}


Getting the browser information is by far the hardest part. I attempted to create a simple system of getting the browser:

Code:
function getBrowserSpecs(){
  $u_agent = $_SERVER['HTTP_USER_AGENT'];
  $bname = 'Unknown';
  $platform = 'Unknown';
  $version= "";
  $ub = "";

  //First get the platform?
  if (preg_match('/linux/i', $u_agent)) {
      $platform = 'linux';
  }
  elseif (preg_match('/macintosh|mac os x/i', $u_agent)) {
      $platform = 'mac';
  }
  elseif (preg_match('/windows|win32/i', $u_agent)) {
      $platform = 'windows';
  }

  // Next get the name of the useragent, yes separately and for good reason
  if(preg_match('/MSIE/i',$u_agent) && !preg_match('/Opera/i',$u_agent))
  {
      $bname = 'Internet Explorer';
      $ub = "MSIE";
  }
  elseif(preg_match('/Firefox/i',$u_agent))
  {
      $bname = 'Mozilla Firefox';
      $ub = "Firefox";
  }
  elseif(preg_match('/OPR/i',$u_agent))
  {
      $bname = 'Opera';
      $ub = "Opera";
  }
  elseif(preg_match('/Chrome/i',$u_agent))
  {
      $bname = 'Google Chrome';
      $ub = "Chrome";
  }
  elseif(preg_match('/Safari/i',$u_agent))
  {
      $bname = 'Apple Safari';
      $ub = "Safari";
  }
  elseif(preg_match('/Netscape/i',$u_agent))
  {
      $bname = 'Netscape';
      $ub = "Netscape";
  }

  // finally get the correct version number
  $known = array('Version', $ub, 'other');
  $pattern = '#(?<browser>' . join('|', $known) .
      ')[/ ]+(?<version>[0-9.|a-zA-Z.]*)#';
  preg_match_all($pattern, $u_agent, $matches);

  // see how many we have
  $i = count($matches['browser']);
  if ($i != 1) {
      //we will have two since we are not using 'other' argument yet
      //see if version is before or after the name
      if (strripos($u_agent,"Version") < strripos($u_agent,$ub)){
          $version= $matches['version'][0];
      }
      else {
          $version= $matches['version'][1];
      }
  }
  else {
      $version= $matches['version'][0];
  }

  // check if we have a number
  if ($version==null || $version=="") {$version="?";}

  return array(
      'userAgent' => $u_agent,
      'name'      => $bname,
      'version'   => $version,
      'platform'  => $platform,
      'pattern'    => $pattern
  );
}


Finally, the data is written to a file in CSV format:

Code:
function logData($ip,$agent,$browser,$requestType){
  $fname = "[REDACTED]/honey-pot.log";
  $ip = trim($ip);
  $agent = trim($agent);
  $browser = trim($browser);
  $data = "\n".$ip.",".$agent.",".$browser.",".$requestType;
  file_put_contents($fname, $data, FILE_APPEND);
}

Once the data is logged, I can make a request to a hidden file (unfuzzable) and display the data:

Code:
<?php
function readList(){
  echo "<!doctype html>
<head>
<meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\" />
<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />
<meta http-equiv=\"X-UA-Compatible\" content=\"chrome=1\" />
</head>";
  $fname = "[REDACTED]/honey-pot.log";
  $opened = fopen($fname, "r");
  if ($opened) {
      while (($line = fgets($opened)) !== false) {
          // escape each line: the User-Agent field is attacker-controlled
          echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8')."<br>";
      }
      fclose($opened);
  } else {
      echo "<h2>Error opening file</h2>";
  }
}
readList();
?>



The honeypot



The honeypot aspect of this is extremely simple as well: all it is is a simple string that contains a MySQL error; fuzzing this will result in a false-positive SQLi:

Code:
function setHoneyPot(){
  echo "
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1";
}



Putting it all together

With all this put together the output will look something like this:

[Image: 43726456-cf33d5bc-9964-11e8-988c-8ee1f433bc94.png]

And the data gathered:

Code:
ip,user-agent,browser-info,request-method
[REDACTED],Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0,Mozilla Firefox,GET

Why do this?

I want to determine the presence of attackers and study what they are doing. Along with that I want to determine how many requests will be sent to the SQL error before people realize what it is.

Full code

Code:
<?php
function setHoneyPot(){
  echo "
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1";
}

function logData($ip,$agent,$browser,$requestType){
  $fname = "[REDACTED]/honey-pot.log";
  $ip = trim($ip);
  $agent = trim($agent);
  $browser = trim($browser);
  $data = "\n".$ip.",".$agent.",".$browser.",".$requestType;
  file_put_contents($fname, $data, FILE_APPEND);
}

function getIp(){
  if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
      $retval = $_SERVER['HTTP_CLIENT_IP'];
  } elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
      $retval = $_SERVER['HTTP_X_FORWARDED_FOR'];
  } elseif (!empty($_SERVER['REMOTE_ADDR'])) {
      $retval = $_SERVER['REMOTE_ADDR'];
  } else {
      $retval = "n/a";
  }
  return $retval;
}

function getUserAgent(){
  return $_SERVER['HTTP_USER_AGENT'];
}

function getBrowserSpecs(){
  $u_agent = $_SERVER['HTTP_USER_AGENT'];
  $bname = 'Unknown';
  $platform = 'Unknown';
  $version= "";
  $ub = "";

  //First get the platform?
  if (preg_match('/linux/i', $u_agent)) {
      $platform = 'linux';
  }
  elseif (preg_match('/macintosh|mac os x/i', $u_agent)) {
      $platform = 'mac';
  }
  elseif (preg_match('/windows|win32/i', $u_agent)) {
      $platform = 'windows';
  }

  // Next get the name of the useragent, yes separately and for good reason
  if(preg_match('/MSIE/i',$u_agent) && !preg_match('/Opera/i',$u_agent))
  {
      $bname = 'Internet Explorer';
      $ub = "MSIE";
  }
  elseif(preg_match('/Firefox/i',$u_agent))
  {
      $bname = 'Mozilla Firefox';
      $ub = "Firefox";
  }
  elseif(preg_match('/OPR/i',$u_agent))
  {
      $bname = 'Opera';
      $ub = "Opera";
  }
  elseif(preg_match('/Chrome/i',$u_agent))
  {
      $bname = 'Google Chrome';
      $ub = "Chrome";
  }
  elseif(preg_match('/Safari/i',$u_agent))
  {
      $bname = 'Apple Safari';
      $ub = "Safari";
  }
  elseif(preg_match('/Netscape/i',$u_agent))
  {
      $bname = 'Netscape';
      $ub = "Netscape";
  }

  // finally get the correct version number
  $known = array('Version', $ub, 'other');
  $pattern = '#(?<browser>' . join('|', $known) .
      ')[/ ]+(?<version>[0-9.|a-zA-Z.]*)#';
  preg_match_all($pattern, $u_agent, $matches);

  // see how many we have
  $i = count($matches['browser']);
  if ($i != 1) {
      //we will have two since we are not using 'other' argument yet
      //see if version is before or after the name
      if (strripos($u_agent,"Version") < strripos($u_agent,$ub)){
          $version= $matches['version'][0];
      }
      else {
          $version= $matches['version'][1];
      }
  }
  else {
      $version= $matches['version'][0];
  }

  // check if we have a number
  if ($version==null || $version=="") {$version="?";}

  return array(
      'userAgent' => $u_agent,
      'name'      => $bname,
      'version'   => $version,
      'platform'  => $platform,
      'pattern'    => $pattern
  );
}

function getRequestType(){
  return $_SERVER['REQUEST_METHOD'];
}

setHoneyPot();
logData(getIp(), getUserAgent(), getBrowserSpecs()['name'], getRequestType());
?>

I will be posting updates to this honeypot as they come along. Any time I see a new attack or a new connection, I'll post the data here for everyone.
Reply
#2
I updated the xmlrpc.php to indicate more of an XML-RPC look to itself. If the request type provided is not POST it will output "XML-RPC server accepts POST requests only." and if the request type provided is POST it will output the SQL error:

Code:
function setHoneyPot($requestType){
   if ($requestType === "POST"){
       echo "SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1";
   } else {
       echo "XML-RPC server accepts POST requests only.";
   }
}

So the end of the code now looks like this:

Code:
....
$ip = getIp();
$userAgent = getUserAgent();
$browserSpecs = getBrowserSpecs()["name"];
$requestMethod = getRequestType();

setHoneyPot($requestMethod);
logData($ip,$userAgent,$browserSpecs,$requestMethod);
?>
Reply
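A hardened version of the capture and response code from posts #1 and #2, added here as an example rather than the poster's code: it believes X-Forwarded-For only when the TCP peer is a proxy you operate, writes a real CSV with fputcsv so a comma or newline in the User-Agent cannot split or forge records, escapes every field before displaying the log, and records the timestamp, request path and referer that later posts in this thread ask for. The log path and the proxy list are placeholders.

```php
<?php
// Added example, not the thread author's code. Assumptions: the log lives
// outside the web root at the placeholder path below, and TRUSTED_PROXIES
// lists the only reverse proxy (if any) allowed to set X-Forwarded-For.
const LOG_FILE = '/var/log/honeypot/honey-pot.csv';   // placeholder path
const TRUSTED_PROXIES = ['127.0.0.1'];                // hypothetical proxy list

// Client-IP / X-Forwarded-For are plain request headers any client can set.
// Only trust them when the connection really came from our own proxy.
function clientIp(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? 'n/a';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A single trusted proxy appends the address it saw as the last hop.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

// Replace control characters (newlines included) so a crafted User-Agent or
// path cannot inject extra log lines, and cap the length.
function clean(string $value, int $max = 512): string {
    $value = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value) ?? '';
    return substr($value, 0, $max);
}

function logRequest(array $server): bool {
    $record = [
        gmdate('c'),                                   // UTC timestamp
        clientIp($server),
        $server['REQUEST_METHOD'] ?? 'n/a',
        clean($server['REQUEST_URI'] ?? ''),
        clean($server['HTTP_USER_AGENT'] ?? ''),
        clean($server['HTTP_REFERER'] ?? ''),
    ];
    $fh = fopen(LOG_FILE, 'a');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);     // several scanners may hit the file at once
    fputcsv($fh, $record);   // quotes commas and quotes inside fields for us
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Viewer for the hidden admin page: escape every field, otherwise a
// User-Agent containing <script> runs in the browser of whoever reads the log.
function renderLog(): string {
    $fh = fopen(LOG_FILE, 'r');
    if ($fh === false) {
        return '<h2>Error opening file</h2>';
    }
    $out = "<table>\n";
    while (($row = fgetcsv($fh)) !== false) {
        $cells = '';
        foreach ($row as $field) {
            $cells .= '<td>' . htmlspecialchars((string)$field, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $out .= '<tr>' . $cells . "</tr>\n";
    }
    fclose($fh);
    return $out . "</table>\n";
}

// Same decoy behaviour as post #2: POST gets the fake SQL error, anything
// else the XML-RPC "POST only" message.
function honeypotBody(string $method): string {
    if ($method === 'POST') {
        return "SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1";
    }
    return 'XML-RPC server accepts POST requests only.';
}

if (PHP_SAPI !== 'cli') {
    logRequest($_SERVER);
    header('Content-Type: text/plain; charset=UTF-8');
    echo honeypotBody($_SERVER['REQUEST_METHOD'] ?? 'GET');
}
```

Serve renderLog() only from the hidden admin page, never from xmlrpc.php itself.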
#3
I've gotten 1 request since yesterday:

Code:
188.166.184.185,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0,Mozilla Firefox,POST

IP address information:

- Blacklist: 11/96
- Country: Asia

Most likely a Tor connection
Reply
#4
Looks like I'm being automated now; I decided to add the request path to the stored data as well:

Code:
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=4822
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%22.%2C%27%2C%2C%28%29%2C.
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%27NtErWX%3C%27%22%3ErAiHxR
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%29%20AND%202161%3D8845%20AND%20%287242%3D7242
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%29%20AND%203172%3D3172%20AND%20%283307%3D3307
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%20AND%202247%3D9809
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%20AND%203172%3D3172
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%20AND%203022%3D7788--%20CWWc
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%20AND%203172%3D3172--%20ARwP
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%27%29%20AND%206971%3D8633%20AND%20%28%27oIpw%27%3D%27oIpw
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%27%29%20AND%203172%3D3172%20AND%20%28%27JZOm%27%3D%27JZOm
77.247.181.162,Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27,Apple Safari,GET,/xmlrpc.php?id=10%27%20AND%201437%3D6184%20AND%20%27bZGV%27%3D%27bZGV
77.247.181.162,Mozilla/5.0 (Windows; U; Windows NT 6.0; pl-PL) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21,Apple Safari,GET,/xmlrpc.php
77.247.181.162,Mozilla/5.0 (Windows; U; Windows NT 6.0; pl-PL) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21,Apple Safari,GET,/xmlrpc.php

IP data:
- Blacklist: 14/96
- Area: Europe.

Some sort of proxy most likely

Got another automated request from, wouldn't you know it, WhatWaf. I've never been more proud of someone in my entire life:

Code:
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cframeset%3E%3Cframe%20src=%22javascript:alert('XSS');%22%3E%3C/frameset%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20ORDERBY(1,2,3,4,5)%20--;
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3E%3Cscript%3Ealert(%22testing%22);%3C/script%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,'%3Cscript%3Ealert(%22666%22)%3C/script%3E',table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell('cat%20../../../etc/passwd')
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cimg%20src=%22javascript:alert('XSS');%22%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10')))%20AND%201=1,SELECT%20*%20FROM%20information_schema.tables%20((('
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10'%20))%20AND%201=1%20((%20'%20--%20rgzd
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10;SELECT%20*%20FROM%20information_schema.tables%20WHERE%202%3E1%20AND%201=1%20OR%202=2%20--%20qdEf%20'
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10'%20OR%20'1'=1%20'
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20OR%201=1
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cscri%3Cscript%3Ept%3Ealert('123');%3C/scri%3C/script%3Ept%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cframeset%3E%3Cframe%20src=%22javascript:alert(%EF%BC%87XSS%EF%BC%87);%22%3E%3C/frameset%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20ORDERBY(1,2,3,4,5)%20--;
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3E%3Cscript%3Ealert(%22testing%22);%3C/script%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,%EF%BC%87%3Cscript%3Ealert(%22666%22)%3C/script%3E%EF%BC%87,table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell(%EF%BC%87cat%20../../../etc/passwd%EF%BC%87)
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cimg%20src=%22javascript:alert(%EF%BC%87XSS%EF%BC%87);%22%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%EF%BC%87)))%20AND%201=1,SELECT%20*%20FROM%20information_schema.tables%20(((%EF%BC%87
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%EF%BC%87%20))%20AND%201=1%20((%20%EF%BC%87%20--%20rgzd
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10;SELECT%20*%20FROM%20information_schema.tables%20WHERE%202%3E1%20AND%201=1%20OR%202=2%20--%20qdEf%20%EF%BC%87
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%EF%BC%87%20OR%20%EF%BC%871%EF%BC%87=1%20%EF%BC%87
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20OR%201=1
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cscri%3Cscript%3Ept%3Ealert(%EF%BC%87123%EF%BC%87);%3C/scri%3C/script%3Ept%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cframeset%3E%3Cframe%20src=%22javascript:alert(%00%27XSS%00%27);%22%3E%3C/frameset%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20ORDERBY(1,2,3,4,5)%20--;
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3E%3Cscript%3Ealert(%22testing%22);%3C/script%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,%00%27%3Cscript%3Ealert(%22666%22)%3C/script%3E%00%27,table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell(%00%27cat%20../../../etc/passwd%00%27)
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cimg%20src=%22javascript:alert(%00%27XSS%00%27);%22%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%00%27)))%20AND%201=1,SELECT%20*%20FROM%20information_schema.tables%20(((%00%27
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%00%27%20))%20AND%201=1%20((%20%00%27%20--%20rgzd
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10;SELECT%20*%20FROM%20information_schema.tables%20WHERE%202%3E1%20AND%201=1%20OR%202=2%20--%20qdEf%20%00%27
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%00%27%20OR%20%00%271%00%27=1%20%00%27
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20OR%201=1
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cscri%3Cscript%3Ept%3Ealert(%00%27123%00%27);%3C/scri%3C/script%3Ept%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cframeset%3E%3Cframe%20src=%22javascript:alert('XSS');%22%3E%3C/frameset%3E%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20ORDERBY(1,2,3,4,5)%20--;%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3E%3Cscript%3Ealert(%22testing%22);%3C/script%3E%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20AND%201=1%20UNION%20ALL%20SELECT%201,NULL,1,'%3Cscript%3Ealert(%22666%22)%3C/script%3E',table_name%20FROM%20information_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell('cat%20../../../etc/passwd')
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cimg%20src=%22javascript:alert('XSS');%22%3E%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10')))%20AND%201=1,SELECT%20*%20FROM%20information_schema.tables%20((('%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10'%20))%20AND%201=1%20((%20'%20--%20rgzd%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10;SELECT%20*%20FROM%20information_schema.tables%20WHERE%202%3E1%20AND%201=1%20OR%202=2%20--%20qdEf%20'%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10'%20OR%20'1'=1%20'%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20OR%201=1%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cscri%3Cscript%3Ept%3Ealert('123');%3C/scri%3C/script%3Ept%3E%00
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10PGZyYW1lc2V0PjxmcmFtZSBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+PC9mcmFtZXNldD4=
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10IEFORCAxPTEgT1JERVJCWSgxLDIsMyw0LDUpIC0tOw==
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10PjxzY3JpcHQ+YWxlcnQoInRlc3RpbmciKTs8L3NjcmlwdD4=
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10IEFORCAxPTEgVU5JT04gQUxMIFNFTEVDVCAxLE5VTEwsMSwnPHNjcmlwdD5hbGVydCgiNjY2Iik8L3NjcmlwdD4nLHRhYmxlX25hbWUgRlJPTSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIFdIRVJFIDI+MS0tLyoqLzsgRVhFQyB4cF9jbWRzaGVsbCgnY2F0IC4uLy4uLy4uL2V0Yy9wYXNzd2QnKSM=
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10PGltZyBzcmM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10JykpKSBBTkQgMT0xLFNFTEVDVCAqIEZST00gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyAoKCgn
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10JyApKSBBTkQgMT0xICgoICcgLS0gcmd6ZA==
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10O1NFTEVDVCAqIEZST00gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBXSEVSRSAyPjEgQU5EIDE9MSBPUiAyPTIgLS0gcWRFZiAn
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10JyBPUiAnMSc9MSAn
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10IE9SIDE9MQ==
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10PHNjcmk8c2NyaXB0PnB0PmFsZXJ0KCcxMjMnKTs8L3Njcmk8L3NjcmlwdD5wdD4=
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cframeset%3E%3Cframe%20src=%22javascript:alert('XSS');%22%3E%3C/frameset%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20%26%26%201=1%20%7C%7CDERBY(1,2,3,4,5)%20--;
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3E%3Cscript%3Ealert(%22testing%22);%3C/script%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20%26%26%201=1%20UNION%20ALL%20SELECT%201,NULL,1,'%3Cscript%3Ealert(%22666%22)%3C/script%3E',table_name%20FROM%20inf%7C%7Cmation_schema.tables%20WHERE%202%3E1--/**/;%20EXEC%20xp_cmdshell('cat%20../../../etc/passwd')
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cimg%20src=%22javascript:alert('XSS');%22%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10')))%20%26%26%201=1,SELECT%20*%20FROM%20inf%7C%7Cmation_schema.tables%20((('
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10'%20))%20%26%26%201=1%20((%20'%20--%20rgzd
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10;SELECT%20*%20FROM%20inf%7C%7Cmation_schema.tables%20WHERE%202%3E1%20%26%26%201=1%20%7C%7C%202=2%20--%20qdEf%20'
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10'%20%7C%7C%20'1'=1%20'
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20%7C%7C%201=1
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%3Cscri%3Cscript%3Ept%3Ealert('123');%3C/scri%3C/script%3Ept%3E
217.147.169.75,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%253Cframeset%253E%253Cframe%2Bsrc%253D%2522javascript%253Aalert%2528%2527XSS%2527%2529%253B%2522%253E%253C%252Fframeset%253E

IP info:
- Blacklists: 11/96
- Area: Europe

Seems to be another proxy
Reply
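Reading the captured lines back is harder than it looks, because the thread's log format has no quoting: both the User-Agent ("KHTML, like Gecko") and the probed path contain commas, so a naive explode(',') scatters the fields. The following is an added example, not the thread author's code: it recovers the fields by anchoring on the method token followed by a path starting with "/", accepts the older 4-field lines too, and summarises activity per source address over a constructed sample log.

```php
<?php
// Added example, not the thread author's code. Parses the honeypot's ad hoc
// CSV (ip,user-agent,browser,method[,path]) and summarises it per source.
// The user-agent is greedy, so the split lands on the last ",<browser>,<METHOD>"
// that is followed by a "/..." path (or end of line for 4-field records).
const LINE_RE = '~^(?<ip>[^,]+),(?<agent>.*),(?<browser>[^,]+),'
    . '(?<method>GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH)(?:,(?<path>/.*))?$~';

function parseLine(string $line): ?array {
    $line = rtrim($line, "\r\n");
    if ($line === '' || !preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m['ip'],
        'agent'   => $m['agent'],
        'browser' => $m['browser'],
        'method'  => $m['method'],
        'path'    => $m['path'] ?? null,   // absent in the older 4-field lines
    ];
}

function summarise(array $lines): array {
    $sources = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        $s = $sources[$r['ip']] ?? ['requests' => 0, 'with_query' => 0, 'agents' => [], 'tool' => false];
        $s['requests']++;
        $s['agents'][$r['agent']] = true;
        if ($r['path'] !== null && strpos($r['path'], '?') !== false) {
            $s['with_query']++;
        }
        // Scanners that name themselves in this thread; extend as new ones show up.
        if (preg_match('/whatwaf|sqlmap/i', $r['agent'])) {
            $s['tool'] = true;
        }
        $sources[$r['ip']] = $s;
    }
    foreach ($sources as &$s) {
        if ($s['tool']) {
            $s['verdict'] = 'known scanner (self-identifying user-agent)';
        } elseif ($s['requests'] >= 5 && $s['with_query'] >= 0.8 * $s['requests']) {
            $s['verdict'] = 'likely automated (burst of parameter probes)';
        } else {
            $s['verdict'] = 'single request / undetermined';
        }
        $s['agents'] = count($s['agents']);   // distinct user-agents seen
    }
    unset($s);
    return $sources;
}

// Constructed sample log in the thread's format (RFC 5737 test addresses).
$ua = 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8) AppleWebKit/533.20.25 '
    . '(KHTML, like Gecko) Version/5.0.4 Safari/533.20.27';
$sample = [
    "198.51.100.7,$ua,Apple Safari,GET,/xmlrpc.php?id=10",
    "198.51.100.7,$ua,Apple Safari,GET,/xmlrpc.php?id=10%20AND%201%3D1",
    "198.51.100.7,$ua,Apple Safari,GET,/xmlrpc.php?id=10%20AND%201%3D2",
    "198.51.100.7,$ua,Apple Safari,GET,/xmlrpc.php?id=10%29%20AND%20%281%3D1",
    "198.51.100.7,$ua,Apple Safari,GET,/xmlrpc.php?id=10%27%20AND%20%271%27%3D%271",
    "203.0.113.9,whatwaf/0.8.8 (Language=2.7.14; Platform=Darwin),Unknown,GET,/xmlrpc.php?id=10%20OR%201=1",
    "192.0.2.44,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0,Mozilla Firefox,POST",
];

foreach (summarise($sample) as $ip => $s) {
    printf("%-14s %2d requests, %d with query, %d agent(s): %s\n",
        $ip, $s['requests'], $s['with_query'], $s['agents'], $s['verdict']);
}
```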
#5
Nice job @ekultek, I would only add the timestamp of the requests and get the $_SERVER['HTTP_REFERER'] to understand where the attackers came from.

Keep it up, it's always interesting to see real attack scenarios, even in this case where 99% is done by sqlmap and similar.
Reply
#6
Definitely a good post. I guess adding some random errors apart from "SQL error:.." will also make the attacker get busy while ending up with nothing. lol
Reply
#7
(08-12-2018, 04:58 PM)nats Wrote: Definitely a good post. I guess adding some random errors apart from "SQL error:.." will also make the attacker get busy while ending up with nothing. lol

That's really really really bad XD
Reply
#8
(08-12-2018, 11:04 PM)overfl0wN Wrote:
(08-12-2018, 04:58 PM)nats Wrote: Definitely a good post. I guess adding some random errors apart from "SQL error:.." will also make the attacker get busy while ending up with nothing. lol

That's really really really bad XD

Adding up, if let's say the attacker enters some union, etc. syntax in SQL injection and the honey pot spits out fake data, that would amaze the attacker. Hahahaha!
Reply
#9
I created a table on it instead lol. If the attacker sends a certain payload it outputs a table.
Reply