Nepenthes submit-http server (with file upload!).

Simple server for the submit-http module within Nepenthes. This saves the details of the attack into a MySQL database and sticks the captured binary into a folder.

The submit-http handler submits the attack data via an HTTP POST, including: URL, Trigger, MD5, SHA512, FileType, SourceHost, TargetHost, Filename and File. The server answers with a short status string (S_FILEREQUEST, S_FILEKNOWN, S_FILEOK or S_ERROR) that tells Nepenthes whether it still needs to send the binary.

Save the code below as submit.php and edit submit-http.conf to point to it. Make sure you read the issues below!

<?php

// MySQL connection details: fill these in for your installation.
$user = "";
$passwd = "";
$db = "";
$server = "";

// Directory where captured binaries are stored, one file per MD5.
$filepath = "binaries/";

if (isset($_FILES['file']) && $_FILES['file']['size'] > 0) {
	// Second stage: Nepenthes is sending the binary we asked for.
	if (!is_uploaded_file($_FILES['file']['tmp_name'])) {
		die("S_ERROR");
	}

	storeFile($_POST['md5']);
	echo "S_FILEOK";
}
else {
	// First stage: only the attack details arrived. Record them, then tell
	// Nepenthes whether we already hold this binary or want it sent.
	storeData($_POST, $_SERVER['REMOTE_ADDR']);

	if (fileExists($_POST['md5'])) {
		echo "S_FILEKNOWN";
	}
	else {
		echo "S_FILEREQUEST";
	}
}

// True if a binary with this MD5 is already in $filepath.
function fileExists($file) {
	global $filepath;
	return file_exists($filepath . $file);
}

// Run one query against the configured database and return its result.
function queryDB($query) {
	global $user, $passwd, $db, $server;
	$con = mysql_connect($server, $user, $passwd);
	if (!$con) {
		die('Could not connect: ' . mysql_error());
	}
	mysql_select_db($db, $con);

	$result = mysql_query($query, $con);

	if (!$result) {
		die('Error: ' . mysql_error());
	}
	mysql_close($con);

	return $result;
}

// Record the posted attack details; $sensor is the address of the submitting Nepenthes host.
function storeData($data, $sensor) {
	$remotehost = $sensor;
	$url = $trigger = $md5 = $sha512 = $filetype = '';
	$sourcehost = $targethost = $filename = '';

	foreach ($data as $key => $value) {
		switch ($key) {
			case 'url':
				$url = $value;
				break;
			case 'trigger':
				$trigger = $value;
				break;
			case 'md5':
				$md5 = $value;
				break;
			case 'sha512':
				$sha512 = $value;
				break;
			case 'filetype':
				$filetype = $value;
				break;
			case 'source_host':
				$sourcehost = $value;
				break;
			case 'target_host':
				$targethost = $value;
				break;
			case 'filename':
				$filename = $value;
				break;
			default:
				break;
		}
	}

	// The posted values go straight into the query string (see the issues below).
	$query = "INSERT INTO submission (`RemoteHost`, `URL`, `Trigger`, `MD5`, `SHA512`, `FileType`, `SourceHost`,
	          `TargetHost`, `Filename`, `Submitted`) VALUES ('$remotehost', '$url', '$trigger', '$md5', '$sha512', '$filetype',
	          '$sourcehost', '$targethost', '$filename', NOW())";

	queryDB($query);
}

// Move the uploaded binary into $filepath, named after its posted MD5.
function storeFile($file) {
	global $filepath;
	if (!move_uploaded_file($_FILES['file']['tmp_name'], $filepath . $file)) {
		die("S_ERROR");
	}
}

?>

You can test that it works correctly with a simple HTML file such as the one below. Save the file as submit.html.

<html>
<head>
</head>
<body>
<form action="submit.php" method="post" enctype="multipart/form-data">
  <p>
    URL <input type="text" name="url"><br>
    Trigger <input type="text" name="trigger"><br>
    MD5 <input type="text" name="md5"><br>
    SHA512 <input type="text" name="sha512"><br>
    FileType <input type="text" name="filetype"><br>
    SourceHost <input type="text" name="source_host"><br>
    TargetHost <input type="text" name="target_host"><br>
    Filename <input type="text" name="filename">
  </p>
  <p>
    <label>File <input type="file" name="file" id="file"></label>
  </p>
  <p>
    <input type="submit" value="Submit">
  </p>
</form>
</body>
</html>

For an example that simply writes to a file, see the UK Honeynet Project submit-http handler. Credit for the submit-http patch and the idea for this post go to Niklas Schiffler!

Current issues with this implementation:

  • There is no input checking: every posted field goes straight into the INSERT (it’s SQL injection madness) and the posted MD5 is used unchecked as the file name on disk. Run it behind HTTP-Auth and add your own sanity checking!
  • It’s not the best way of coding it!
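As an added illustration of the sanity checking the first issue asks for (this is not the post's or Nepenthes' own code), the following Python reimplements the same two-stage exchange described above with the posted fields validated before use and the INSERT parameterised. It assumes an SQLite in-memory table as a stand-in for the MySQL submission table, and all submitted values in it are constructed.

```python
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed allow-lists for the fields submit-http posts: the two hashes
# must be hex of fixed length, everything else printable ASCII with a cap.
HEX32 = re.compile(r"[0-9a-fA-F]{32}")
HEX128 = re.compile(r"[0-9a-fA-F]{128}")
PRINTABLE = re.compile(r"[\x20-\x7e]{1,1024}")
FIELDS = ("url", "trigger", "md5", "sha512", "filetype",
          "source_host", "target_host", "filename")

# Same columns as the page's submission table (SQLite stand-in for MySQL).
SCHEMA = """CREATE TABLE IF NOT EXISTS submission (
    RemoteHost TEXT, URL TEXT, "Trigger" TEXT, MD5 TEXT, SHA512 TEXT,
    FileType TEXT, SourceHost TEXT, TargetHost TEXT, Filename TEXT,
    Submitted TEXT DEFAULT CURRENT_TIMESTAMP)"""


def validate(form):
    """Return a cleaned copy of the posted fields, or raise ValueError."""
    cleaned = {}
    for name in FIELDS:
        value = form.get(name, "")
        if name == "md5" and not HEX32.fullmatch(value):
            raise ValueError("md5 must be 32 hex digits")
        if name == "sha512" and not HEX128.fullmatch(value):
            raise ValueError("sha512 must be 128 hex digits")
        if not PRINTABLE.fullmatch(value):
            raise ValueError(f"{name} is empty, too long or not printable ASCII")
        cleaned[name] = value.lower() if name in ("md5", "sha512") else value
    return cleaned


def store_data(conn, remote_host, fields):
    """Parameterised INSERT: the values never become part of the SQL text."""
    conn.execute(
        'INSERT INTO submission (RemoteHost, URL, "Trigger", MD5, SHA512, FileType,'
        " SourceHost, TargetHost, Filename) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (remote_host,) + tuple(fields[name] for name in FIELDS))
    conn.commit()


def handle_submission(conn, binaries_dir, remote_host, form, upload=None):
    """Return the S_* reply submit-http expects, acting only on valid input."""
    try:
        fields = validate(form)
    except ValueError:
        return "S_ERROR"
    binaries_dir = Path(binaries_dir)
    # md5 is now known to be 32 hex digits, so this path stays inside binaries_dir
    target = binaries_dir / fields["md5"]
    if upload is not None:
        # Second stage: refuse a body whose digest does not match the claimed MD5.
        if hashlib.md5(upload).hexdigest() != fields["md5"]:
            return "S_ERROR"
        binaries_dir.mkdir(parents=True, exist_ok=True)
        target.write_bytes(upload)
        return "S_FILEOK"
    # First stage: record the attack, then ask for the binary unless already held.
    store_data(conn, remote_host, fields)
    return "S_FILEKNOWN" if target.exists() else "S_FILEREQUEST"


def demo():
    """Run one constructed two-stage exchange plus two malformed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    sample = b"MZ\x90\x00 constructed sample, not a real binary"
    form = {  # constructed submission; RFC 5737 documentation addresses
        "url": "http://192.0.2.10:5554/x.exe", "trigger": "constructed",
        "md5": hashlib.md5(sample).hexdigest(),
        "sha512": hashlib.sha512(sample).hexdigest(),
        "filetype": "MS-DOS executable (constructed)",
        "source_host": "192.0.2.10", "target_host": "198.51.100.5",
        "filename": "x.exe"}
    sensor = "198.51.100.5"
    with tempfile.TemporaryDirectory() as d:
        replies = [
            handle_submission(conn, d, sensor, form),                   # S_FILEREQUEST
            handle_submission(conn, d, sensor, form, upload=b"other"),  # S_ERROR (digest mismatch)
            handle_submission(conn, d, sensor, form, upload=sample),    # S_FILEOK
            handle_submission(conn, d, sensor, form),                   # S_FILEKNOWN
            handle_submission(conn, d, sensor, dict(form, md5="../escape")),           # S_ERROR (not a hash)
            handle_submission(conn, d, sensor, dict(form, url="http://x/' OR 1=1 --")),  # stored literally
        ]
    rows = conn.execute("SELECT COUNT(*) FROM submission").fetchone()[0]
    last_url = conn.execute(
        "SELECT URL FROM submission ORDER BY rowid DESC LIMIT 1").fetchone()[0]
    return replies, rows, last_url


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are the fixed-length hex rule on md5, which is what keeps the on-disk path inside the binaries directory, and the placeholder-based INSERT, which stores a quote-laden URL as plain data rather than as SQL. Verifying the uploaded body against the claimed MD5 is a small extra that stops a mislabelled sample from being filed under the wrong hash.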


July 21st, 2008
By Joe | filed under Honeypot, Nepenthes