HTTP - POST - file sent by server
2xyo opened this issue · 2 comments
2xyo commented
When I craft a file inside an HTTP POST, I expect an HTTP POST request (with the file embedded), then an HTTP 200 OK answer from the server.
Instead, file2pcap crafts an HTTP request with the file embedded in the server answer inside the multipart/form-data!
Is it the expected behavior?
$ wget http://www.eicar.org/download/eicar.com.txt
$ file eicar.com.txt
eicar.com.txt: EICAR virus test files
$ ./file2pcap --srcip 1.1.1.1 --dstip 2.2.2.2 -mH eicar.com.txt
Writing to eicar.com.txt-http-post.pcap
$ sudo tcpdump -A -n -q -r eicar.com.txt-http-post.pcap
reading from file eicar.com.txt-http-post.pcap, link-type EN10MB (Ethernet)
<...redacted...>
14:55:36.052000 IP 1.1.1.1.4006 > 2.2.2.2.80: tcp 697
E.......@..G...........P...=.. .P...Z(..POST /file2pcap.cgi HTTP/1.1
Host: wrl
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20081007 Firefox/2.0.0.17
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Content-Length: 303
Content-Type: multipart/form-data; boundary=---------------------------8173728711543081858379436204
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
-----------------------------8173728711543081858379436204
Content-Disposition: form-data; name="file"; filename="eicar.com.txt"
Content-Type: application/octet-stream
14:55:36.065000 IP 2.2.2.2.80 > 1.1.1.1.4006: tcp 0
E..(....@..!.........P.... .....P...w...
14:55:36.078000 IP 2.2.2.2.80 > 1.1.1.1.4006: tcp 68
E..lfT..@..3.........P.... .....P.... ..X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
14:55:36.091000 IP 1.1.1.1.4006 > 2.2.2.2.80: tcp 0
E..(.F..@..............P...... SP...v...
14:55:36.104000 IP 1.1.1.1.4006 > 2.2.2.2.80: tcp 63
E..g....@..............P...... SP.......
-----------------------------8173728711543081858379436204--
14:55:36.117000 IP 2.2.2.2.80 > 1.1.1.1.4006: tcp 0
E..(S...@. ..........P.... S...5P...v...
14:55:36.130000 IP 2.2.2.2.80 > 1.1.1.1.4006: tcp 0
E..(h...@..@.........P.... S...5P...v...
<...redacted...>
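As an added example, not code from the issue or from file2pcap: a small Python checker that reassembles each direction of a captured TCP conversation and verifies that the multipart body travels client to server and that the server answers with an HTTP status line, which is what the reporter expected. The segment lists, boundary and file bytes are constructed here; the endpoints, port and request line are taken from the capture above.

```python
import re

def reassemble(segments):
    """Concatenate payloads per (src, dst) direction in capture order (assumes no reordering)."""
    streams = {}
    for src, dst, payload in segments:
        streams[(src, dst)] = streams.get((src, dst), b"") + payload
    return streams

def multipart_boundary(headers):
    """Boundary as it appears in the body: two dashes plus the header value."""
    m = re.search(rb"Content-Type: multipart/form-data; boundary=(\S+)", headers)
    if not m:
        raise ValueError("no multipart boundary in request headers")
    return b"--" + m.group(1)

def check_post_direction(segments, client, server):
    """Return (client_sent_full_body, server_replied_with_http); both True for a sane upload,
    both False for the layout this issue reports (file bytes inside the server's answer)."""
    streams = reassemble(segments)
    c2s = streams.get((client, server), b"")
    s2c = streams.get((server, client), b"")
    head, sep, body = c2s.partition(b"\r\n\r\n")
    m = re.search(rb"Content-Length: (\d+)", head)
    declared = int(m.group(1)) if m else -1
    boundary = multipart_boundary(head)
    client_sent_full_body = (sep != b"" and len(body) == declared
                             and body.startswith(boundary)
                             and body.rstrip().endswith(boundary + b"--"))
    server_replied_with_http = s2c.startswith(b"HTTP/")
    return client_sent_full_body, server_replied_with_http

# Constructed sample conversation; endpoints/port are the ones in the issue's capture.
C, S = "1.1.1.1:4006", "2.2.2.2:80"
BOUNDARY = b"----ConstructedBoundary1234"
FILE_BYTES = b"constructed upload payload (not a real test file)\n"
PART = (b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="file"; filename="upload.txt"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n")
CLOSING = b"\r\n--" + BOUNDARY + b"--\r\n"
REQ = (b"POST /file2pcap.cgi HTTP/1.1\r\nHost: wrl\r\n"
       b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
       b"Content-Length: " + str(len(PART) + len(FILE_BYTES) + len(CLOSING)).encode() + b"\r\n\r\n")
# Layout the issue reports (file2pcap before 1.28): file bytes ride in the server's segment.
BUGGY = [(C, S, REQ + PART), (S, C, FILE_BYTES), (C, S, CLOSING)]
# Correct layout: whole multipart body client -> server, then a server status line.
FIXED = [(C, S, REQ + PART + FILE_BYTES + CLOSING),
         (S, C, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")]
```

Feeding the payloads of a real capture (for example via tcpdump or a pcap library) into `check_post_direction` returns (False, False) for the layout shown in the issue and (True, True) once the upload data is on the client side.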
2xyo commented
Hey @Talos-Martin
Could you please confirm that you closed this issue because it's fixed since 1.28 according to the Changelog:
1.28
- Bugfix in the http module. The POST should obviously have the client
upload data to the server, not the other way round. Fixed now.
Bug found and reported by Nick Mavis. Thank you!
Talos-Martin commented
Hey 2xyo
Yes this issue was fixed in 1.28, and that's why I'm closing it.