tehsyntx

Honeypot skeleton for PHP-Injection attacks

Mar 2nd, 2014
  1. #!/usr/bin/env python
  2.  
  3. """
  4. Simple skeleton for a honeypot targeting PHP Injection attacks. Use/change as you see fit, try to at least give some cred if you find it useful. :)
  5. Requires: MongoDB, pymongo, bottle
  6. Author: @tehsyntx
  7. thembits.blogspot.com
  8. """
  9.  
  10. from bottle import run, route, error, response, request
  11. import datetime
  12. import simplejson
  13. import pymongo
  14. import os
  15. import base64
  16.  
  17.  
  # Directory holding the decoy files the honeypot serves back (humans.txt).
  # Keep the trailing slash: the file path is built by plain string formatting.
  WORKDIR = "/honeydata/"
  19.  
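  @error(400)
  def badreq(error):
      """Answer malformed requests with an empty ``200 OK``.

      Bottle calls this handler for HTTP 400 errors. The status is rewritten
      to 200 so a scanner sees the same blank page it gets everywhere else.

      Args:
          error: The error object passed in by bottle (unused).

      Returns:
          An empty response body.
      """
      response.status = 200
      # Same fake banner as every other handler in this file. Without it the
      # underlying WSGI server would presumably send its own Server header on
      # this one path, which gives the honeypot away.
      response.headers['Server'] = 'Apache'
      return ''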
  24.  
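  def _capture(src_ip, method, raw_request):
      """Store one captured request in the ``honey.http`` MongoDB collection.

      Failures are logged locally and swallowed: a database outage must not
      turn into an error page that tells the client what is behind the
      fake banner.

      Args:
          src_ip: Client address as reported by the WSGI environment.
          method: HTTP method string stored with the record.
          raw_request: Reconstructed request text; stored base64-encoded.
      """
      import logging

      try:
          # NOTE(review): a new connection is opened per captured request, and
          # pymongo.Connection / Collection.insert are the legacy pymongo API;
          # newer pymongo releases use MongoClient / insert_one instead.
          hlog = pymongo.Connection().honey.http
          hlog.insert({
              "honeysrc": "honeypot_name",  # Change to for example your hostname
              "src": src_ip,
              "method": method,
              # replace(microsecond=0) instead of slicing off 7 characters:
              # str() omits the fraction when microsecond == 0, so the slice
              # would then cut into the seconds and hour digits.
              "time": str(datetime.datetime.utcnow().replace(microsecond=0)),
              # Written for Python 2 str; under Python 3 this needs bytes.
              "data": base64.b64encode(raw_request),
          })
      except Exception:
          logging.exception('honeypot: could not store %s request from %s',
                            method, src_ip)


  @error(404)
  def notfound(error):
      """Catch-all handler: log probe requests and answer with ``200 OK``.

      Bottle calls this for every URL that has no route. POST requests are
      always recorded (request line, headers and body). GET requests are
      recorded when the request target contains ``http:``. If the target also
      mentions ``google`` and ``humans``, the local decoy ``humans.txt`` is
      returned so the inclusion check appears to succeed.

      Args:
          error: The error object passed in by bottle (unused).

      Returns:
          The decoy file content for the google/humans check, otherwise an
          empty body. Internal errors are never echoed to the client.
      """
      import logging

      response.status = 200
      response.headers['Server'] = 'Apache'
      # NOTE(review): behind a reverse proxy this is the proxy's address.
      ip = request['REMOTE_ADDR']

      # request.path carries no query string, and that is where an injected
      # URL normally sits, so match and log the full request target.
      target = request.path
      if request.query_string:
          target = '%s?%s' % (target, request.query_string)

      if request.method == 'POST':
          # NOTE(review): the body is read in full. MongoDB caps documents at
          # 16 MB, so an oversized POST is not stored (the insert fails and is
          # logged by _capture).
          lines = ['POST %s HTTP/1.1\n' % target]
          lines.extend('%s : %s\n' % (key, request.headers[key])
                       for key in request.headers.keys())
          lines.append('\n')
          lines.append('%s\n' % request.body.read())
          _capture(ip, 'POST', ''.join(lines))
          return ''

      # NOTE(review): only the literal "http:" is matched; targets using other
      # schemes are not recorded by this branch.
      if request.method == 'GET' and 'http:' in target:
          lines = ['GET %s HTTP/1.1\n' % target]
          lines.extend('%s: %s\n' % (key, request.headers[key])
                       for key in request.headers.keys())
          _capture(ip, 'GET', ''.join(lines))

          # Return content of injected file (Google is often used to verify
          # vulnerability before injecting)
          if 'google' in target and 'humans' in target:
              try:
                  with open('%shumans.txt' % WORKDIR, 'r') as decoy:
                      return decoy.read()
              except IOError:
                  # Missing decoy file: fall through to the blank page rather
                  # than surfacing a server error.
                  logging.exception('honeypot: cannot read decoy humans.txt')

      return ''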
  78.  
  @route('/')
  def root():
      """Serve the site root: an empty page behind the fake Apache banner."""
      response.headers['Server'] = 'Apache'
      page = ''  # Change to return some real page for more "realistic" look.
      return page
  83.  
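  # Start the server only when executed as a script, so importing this module
  # (for inspection or testing) does not open a listening socket.
  if __name__ == '__main__':
      # Make sure to change IP (..and port).
      # With no server= argument bottle uses its built-in single-threaded
      # wsgiref server. Run the honeypot under an unprivileged account on an
      # isolated host, since everything it receives is hostile input.
      run(host='10.10.10.10', port=8080)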