From d87867503b1367243a960bf019a6b419deea4717 Mon Sep 17 00:00:00 2001 From: bars Date: Tue, 3 Nov 2015 16:00:47 +0100 Subject: [PATCH 1/3] added support for logging to postgresql database --- README.md | 1 + wordpot.conf | 8 +++ wordpot/__init__.py | 103 +++++++++++++++++++++++++++++ wordpot/plugins/badlogin.py | 4 ++ wordpot/plugins/commonfiles.py | 3 + wordpot/plugins/timthumb.py | 8 +++ wordpot/plugins/userenumeration.py | 3 + wordpot/views.py | 61 +++++++++++++++++ 8 files changed, 191 insertions(+) diff --git a/README.md b/README.md index 7fd4382..322a7ee 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ Wordpot is a Wordpress honeypot which detects probes for plugins, themes, timthu --plugins=PLUGINS Fake installed plugins --themes=THEMES Fake installed plugins --ver=VERSION Wordpress version + --server=SERVER Custom server header To configure the honeypot you can edit the config file `wordpot.conf` or provide arguments trough the command line interface as shown above. diff --git a/wordpot.conf b/wordpot.conf index 827d737..91baead 100644 --- a/wordpot.conf +++ b/wordpot.conf @@ -38,3 +38,11 @@ HPFEEDS_PORT = 10000 HPFEEDS_IDENT = 'wordpot' HPFEEDS_SECRET = 'wordpot-pass' HPFEEDS_TOPIC = 'wordpot.events' + +POSTGRESQL_ENABLED = True +POSTGRESQL_DATABASE = 'database' +POSTGRESQL_USER = 'username' +POSTGRESQL_PASSWORD = 'password' +POSTGRESQL_HOST = '127.0.0.1' +POSTGRESQL_PORT = 5432 + diff --git a/wordpot/__init__.py b/wordpot/__init__.py index ea9eab0..41d2e0e 100644 --- a/wordpot/__init__.py +++ b/wordpot/__init__.py 
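Review bot: `POSTGRESQL_ENABLED = True` ships as the default next to placeholder credentials (`'username'` / `'password'`), so a fresh checkout tries to connect before anyone has configured it, and because `wordpot/__init__.py` in this same patch calls `psycopg2.connect` at import, that makes the honeypot fail to start rather than run with database logging off. Ship the feature disabled, `POSTGRESQL_ENABLED = False`, and let operators opt in once real credentials exist. A live database password in a committed config file is also worth a comment pointing operators at an environment variable or an untracked local override.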
@@ -98,6 +98,109 @@ def check_options(): else: LOGGER.warn('hpfeeds is disabled') +if app.config['POSTGRESQL_ENABLED']: + import psycopg2 + print 'Connecting to postgresql {}:{}'.format(app.config['POSTGRESQL_HOST'], app.config['POSTGRESQL_PORT']) + app.config['postgresql_dbh'] = psycopg2.connect(database=app.config['POSTGRESQL_DATABASE'], user=app.config['POSTGRESQL_USER'], password=app.config['POSTGRESQL_PASSWORD'], host=app.config['POSTGRESQL_HOST'], port=app.config['POSTGRESQL_PORT']) + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("""CREATE TABLE IF NOT EXISTS + login_attempts ( + id SERIAL PRIMARY KEY, + plugin TEXT, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + username TEXT, + password TEXT, + user_agent TEXT, + url TEXT, + timestamp TIMESTAMP + );""") + cursor.execute("""CREATE TABLE IF NOT EXISTS + login_page_probes ( + id SERIAL PRIMARY KEY, + plugin TEXT, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + user_agent TEXT, + url TEXT, + timestamp TIMESTAMP + );""") + cursor.execute("""CREATE TABLE IF NOT EXISTS + file_probes ( + id SERIAL PRIMARY KEY, + plugin TEXT, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + probed_filename TEXT, + user_agent TEXT, + url TEXT, + timestamp TIMESTAMP + );""") + cursor.execute("""CREATE TABLE IF NOT EXISTS + plugins_probes ( + id SERIAL PRIMARY KEY, + plugin TEXT, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + probed_plugin TEXT, + path TEXT, + user_agent TEXT, + url TEXT, + timestamp TIMESTAMP + );""") + cursor.execute("""CREATE TABLE IF NOT EXISTS + themes_probes ( + id SERIAL PRIMARY KEY, + plugin TEXT, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + probed_theme TEXT, + path TEXT, + user_agent TEXT, + url TEXT, + timestamp TIMESTAMP + );""") + cursor.execute("""CREATE TABLE IF NOT EXISTS + author_probes ( + id SERIAL PRIMARY KEY, 
+ plugin TEXT, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + probed_author TEXT, + user_agent TEXT, + url TEXT, + timestamp TIMESTAMP + );""") + cursor.execute("""CREATE TABLE IF NOT EXISTS + connections ( + id SERIAL PRIMARY KEY, + source_ip TEXT, + source_port INTEGER, + dest_host TEXT, + dest_port INTEGER, + user_agent TEXT, + url TEXT, + method TEXT, + path TEXT, + headers TEXT, + timestamp TIMESTAMP + );""") + app.config['postgresql_dbh'].commit() +else: + LOGGER.warn('postgresql is disabled') + # ------------------------ # Add Custom Server Header diff --git a/wordpot/plugins/badlogin.py b/wordpot/plugins/badlogin.py index a2bb04c..3f6166d 100644 --- a/wordpot/plugins/badlogin.py +++ b/wordpot/plugins/badlogin.py @@ -1,5 +1,7 @@ from wordpot.plugins_manager import BasePlugin +import datetime + class Plugin(BasePlugin): def run(self): # Initialize template vars dict 
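Review bot: `psycopg2.connect(...)` runs unguarded at import time and the connection is stored in `app.config['postgresql_dbh']` for every request handler to share, so an unreachable database aborts startup, and once any later statement fails the shared connection sits in an aborted transaction until something calls `rollback()`, which none of the handlers in this series' visible hunks do. Wrap the connect in a try/except that logs the failure and turns the feature off (`app.config['POSTGRESQL_ENABLED'] = False`), and give every statement a `rollback()` on its error path. The `print 'Connecting to postgresql ...'` statement should be `LOGGER.info(...)` like the hpfeeds branch's `LOGGER.warn`, and the module-level `cursor` is never closed. The hunk header names `check_options()` but indentation was lost in rendering, so whether this block is module-level or inside that function cannot be confirmed from here.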
@@ -17,10 +19,12 @@ def run(self): password = self.inputs['request'].form['pwd'] self.outputs['log'] = '%s tried to login with username %s and password %s' % (origin, username, password) self.outputs['log_json'] = self.to_json_log(username=username, password=password, plugin='badlogin') + self.outputs['log_postgresql'] = "INSERT INTO login_attempts (plugin, source_ip, source_port, dest_host, dest_port, username, password, user_agent, url, timestamp) VALUES ('badlogin','%s',%s,'%s',%s,'%s','%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['request'].form['log'], self.inputs['request'].form['pwd'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) self.outputs['template_vars']['BADLOGIN'] = True self.outputs['template'] = 'wp-login.html' else: self.outputs['log'] = '%s probed for the login page' % origin + self.outputs['log_postgresql'] = "INSERT INTO login_page_probes (plugin, source_ip, source_port, dest_host, dest_port, user_agent, url, timestamp) VALUES ('badlogin','%s',%s,'%s',%s,'%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) self.outputs['template_vars']['BADLOGIN'] = False self.outputs['template'] = 'wp-login.html' diff --git a/wordpot/plugins/commonfiles.py b/wordpot/plugins/commonfiles.py index 803df1f..1891fc6 100644 --- a/wordpot/plugins/commonfiles.py +++ b/wordpot/plugins/commonfiles.py @@ -1,5 +1,7 @@ from wordpot.plugins_manager import BasePlugin +import datetime + class Plugin(BasePlugin): def run(self): # Initialize template vars dict 
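Review bot: Request-controlled values (`form['log']`, `form['pwd']`, `user_agent.string`, `url`) are `%`-formatted straight into the INSERT text, so a visitor can inject SQL into the honeypot's own database; the same construction appears in commonfiles.py, timthumb.py, userenumeration.py and in every connections insert in views.py. PATCH 3/3 on this page moves to psycopg2 parameter binding, which is the right fix, so what remains is the duplication: each plugin re-reads the same seven request fields by hand. A `BasePlugin` helper beside the `to_json_log` already used here, e.g. `to_postgresql_log(**extra)` returning the dict of `remote_addr`, `REMOTE_PORT`, `SERVER_NAME`, `SERVER_PORT`, `user_agent.string`, `url` and timestamp merged with `extra`, would leave each plugin with one line and one place to fix.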
@@ -20,6 +22,7 @@ def run(self): if filename in common: self.outputs['log'] = '%s probed for: %s' % (origin, filename) self.outputs['log_json'] = self.to_json_log(filename=filename, plugin='commonfiles') + self.outputs['log_postgresql'] = "INSERT INTO file_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_filename, user_agent, url, timestamp) VALUES ('commonfiles','%s',%s,'%s',%s,'%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], filename, self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) self.outputs['template'] = common[filename] return diff --git a/wordpot/plugins/timthumb.py b/wordpot/plugins/timthumb.py index 9f6dc17..5babb3d 100644 --- a/wordpot/plugins/timthumb.py +++ b/wordpot/plugins/timthumb.py @@ -1,6 +1,8 @@ from wordpot.plugins_manager import BasePlugin import re +import datetime + TIMTHUMB_RE = re.compile('[tim]*thumb|uploadify', re.I) class Plugin(BasePlugin): 
@@ -11,6 +13,12 @@ def run(self): log = '%s probed for timthumb: %s' % (self.inputs['request'].remote_addr, self.inputs['subpath']) self.outputs['log'] = log self.outputs['log_json'] = self.to_json_log(filename=self.inputs['subpath'], plugin='timthumb') + if 'theme' in self.inputs: + self.outputs['log_postgresql'] = "INSERT INTO themes_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_theme, path, user_agent, url, timestamp) VALUES ('timthumb','%s',%s,'%s',%s,'%s','%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['theme'], self.inputs['subpath'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + + if 'plugin' in self.inputs: + self.outputs['log_postgresql'] = "INSERT INTO plugins_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_plugin, path, user_agent, url, timestamp) VALUES ('timthumb','%s',%s,'%s',%s,'%s','%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['plugin'], self.inputs['subpath'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + # Template to render self.outputs['template'] = 'timthumb.html' diff --git a/wordpot/plugins/userenumeration.py b/wordpot/plugins/userenumeration.py index e0b81bf..51c4e89 100644 --- a/wordpot/plugins/userenumeration.py +++ b/wordpot/plugins/userenumeration.py @@ -1,6 +1,8 @@ from wordpot.plugins_manager import BasePlugin from wordpot import app +import datetime + class Plugin(BasePlugin): def run(self): # Initialize template vars dict 
@@ -15,6 +17,7 @@ def run(self): if (k + 1) == int(req_args['author']): self.outputs['log'] = '%s probed author page for user: %s' % (origin, a) self.outputs['log_json'] = self.to_json_log(author=a, plugin='userenumeration') + self.outputs['log_postgresql'] = "INSERT INTO author_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_author, user_agent, url, timestamp) VALUES ('userenumeration','%s',%s,'%s',%s,'%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], a, self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) self.outputs['template_vars']['AUTHORPAGE'] = True self.outputs['template_vars']['CURRENTAUTHOR'] = (k+1, a) self.outputs['template'] = app.config['THEME'] + '.html' diff --git a/wordpot/views.py b/wordpot/views.py index f8547c9..a6b33fa 100644 --- a/wordpot/views.py +++ b/wordpot/views.py @@ -5,12 +5,20 @@ from wordpot.helpers import * from wordpot.logger import LOGGER +import psycopg2 +import datetime + TEMPLATE = app.config['THEME'] + '.html' @app.route('/', methods=['GET', 'POST']) @app.route('/.', methods=['GET', 'POST']) def commons(filename=None, ext=None): + if app.config['POSTGRESQL_ENABLED']: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + app.config['postgresql_dbh'].commit() + # Plugins hook for p in pm.hook('commons'): p.start(filename=filename, ext=ext, request=request) 
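Review bot: `import psycopg2` is added to views.py but nothing in the visible views code uses it (the handlers go through `app.config['postgresql_dbh']`), and as a top-level import it makes the driver mandatory even when `POSTGRESQL_ENABLED` is False, whereas `__init__.py` imports it only inside the enabled branch; drop it. The connections INSERT in `commons()` runs with no error handling, so a database hiccup turns the decoy page into a 500 for every visitor, and the identical block is pasted into `admin()`, `plugin()`, `theme()` and the catch-all `connection()`. A single `@app.before_request` function that performs the insert inside a try/except (logging the error and calling `rollback()`) would replace all five copies and keep the honeypot's responses independent of database health.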
@@ -18,6 +26,13 @@ def commons(filename=None, ext=None): LOGGER.info(p.outputs['log']) if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']: app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json']) + if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute(p.outputs['log_postgresql']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) if 'template' in p.outputs: if 'template_vars' in p.outputs: return render_template(p.outputs['template'], vars=p.outputs['template_vars']) @@ -37,6 +52,11 @@ def admin(subpath='/'): origin = request.remote_addr LOGGER.info('%s probed for the admin panel with path: %s', origin, subpath) + if app.config['POSTGRESQL_ENABLED']: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + app.config['postgresql_dbh'].commit() + # Plugins hook for p in pm.hook('plugins'): p.start(subpath=subpath, request=request) 
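Review bot: The `except Exception as e: print(e)` branch around the plugin INSERT swallows the error to stdout and leaves the shared psycopg2 connection in an aborted transaction, so every later insert on it fails with PostgreSQL's "current transaction is aborted" error until the process restarts. Replace the handler with `except Exception as e:` / `LOGGER.error('postgresql insert failed: %s', e)` / `app.config['postgresql_dbh'].rollback()`. The same block is repeated in `admin()`, `plugin()` and `theme()` in this patch and survives, per table, into PATCH 3/3's views.py hunks.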
@@ -44,6 +64,13 @@ def admin(subpath='/'): LOGGER.info(p.outputs['log']) if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']: app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json']) + if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute(p.outputs['log_postgresql']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) if 'template' in p.outputs: if 'template_vars' in p.outputs: return render_template(p.outputs['template'], vars=p.outputs['template_vars']) @@ -58,6 +85,11 @@ def plugin(plugin, subpath='/'): origin = request.remote_addr LOGGER.info('%s probed for plugin "%s" with path: %s', origin, plugin, subpath) + if app.config['POSTGRESQL_ENABLED']: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + app.config['postgresql_dbh'].commit() + # Is the plugin in the whitelist? if not is_plugin_whitelisted(plugin): abort(404) 
@@ -69,6 +101,13 @@ def plugin(plugin, subpath='/'): LOGGER.info(p.outputs['log']) if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']: app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json']) + if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute(p.outputs['log_postgresql']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) if 'template' in p.outputs: if 'template_vars' in p.outputs: return render_template(p.outputs['template'], vars=p.outputs['template_vars']) @@ -83,6 +122,11 @@ def theme(theme, subpath='/'): origin = request.remote_addr LOGGER.info('%s probed for theme "%s" with path: %s', origin, theme, subpath) + if app.config['POSTGRESQL_ENABLED']: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + app.config['postgresql_dbh'].commit() + # Is the theme whitelisted? if not is_theme_whitelisted(theme): abort(404) 
@@ -94,6 +138,13 @@ def theme(theme, subpath='/'): LOGGER.info(p.outputs['log']) if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']: app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json']) + if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute(p.outputs['log_postgresql']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) if 'template' in p.outputs: if 'template_vars' in p.outputs: return render_template(p.outputs['template'], vars=p.outputs['template_vars']) @@ -101,3 +152,13 @@ def theme(theme, subpath='/'): return render_template(TEMPLATE, vars={}) +@app.route('/', methods=['GET', 'POST']) +def connection(path='/'): + + if app.config['POSTGRESQL_ENABLED']: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + app.config['postgresql_dbh'].commit() + + abort(404) + From 3a63fa053aa91ee59bd9dda6bd3a6576485ed758 Mon Sep 17 00:00:00 2001 From: bars Date: Mon, 7 Dec 2015 09:42:51 +0100 Subject: [PATCH 2/3] fixed missing requirement for psycopg2 --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index c41fb80..3f80779 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ Flask==0.10.1 -e git+https://github.com/threatstream/hpfeeds/#egg=hpfeeds-dev +psycopg2 From c19bb66fa72817794716bbeef90f3a461434201c Mon Sep 17 00:00:00 2001 
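Review bot: `connection()` inserts into the connections table with no try/except before `abort(404)`, so when the database is down the catch-all answers 500 instead of the 404 a real WordPress install returns, an availability problem that also makes the decoy easier to tell apart from the real thing. Route the insert through the same guarded path as the other views (a `before_request` hook is the natural place) so the 404 is returned regardless of database health. As rendered here the decorator reads `@app.route('/', ...)`, identical to the rule on `commons()`; presumably a `<path:path>` converter was stripped in rendering, which is worth confirming against the repository.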
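Review bot: `psycopg2` is added unpinned while `Flask==0.10.1` is pinned, so installs will drift to whatever the index serves on the day; pin it to the version the code was tested with, `psycopg2==<tested version>`. The driver also becomes a hard requirement even when `POSTGRESQL_ENABLED` is False, which is acceptable for a requirements file but deserves a line in the README next to the new config keys.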
From: bars Date: Thu, 7 Jan 2016 12:46:54 +0100 Subject: [PATCH 3/3] fixed issue with sql injection vulnerability --- wordpot/plugins/badlogin.py | 5 +-- wordpot/plugins/commonfiles.py | 2 +- wordpot/plugins/timthumb.py | 4 +-- wordpot/plugins/userenumeration.py | 2 +- wordpot/views.py | 51 +++++++++++++++++++----------- 5 files changed, 40 insertions(+), 24 deletions(-) diff --git a/wordpot/plugins/badlogin.py b/wordpot/plugins/badlogin.py index 3f6166d..a43c54f 100644 --- a/wordpot/plugins/badlogin.py +++ b/wordpot/plugins/badlogin.py 
@@ -19,12 +19,13 @@ def run(self): password = self.inputs['request'].form['pwd'] self.outputs['log'] = '%s tried to login with username %s and password %s' % (origin, username, password) self.outputs['log_json'] = self.to_json_log(username=username, password=password, plugin='badlogin') - self.outputs['log_postgresql'] = "INSERT INTO login_attempts (plugin, source_ip, source_port, dest_host, dest_port, username, password, user_agent, url, timestamp) VALUES ('badlogin','%s',%s,'%s',%s,'%s','%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['request'].form['log'], self.inputs['request'].form['pwd'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + self.outputs['log_postgresql_login_attempt'] = {"source_ip": self.inputs['request'].remote_addr,"source_port": self.inputs['request'].environ['REMOTE_PORT'],"dest_host": self.inputs['request'].environ['SERVER_NAME'],"dest_port": self.inputs['request'].environ['SERVER_PORT'],"username": self.inputs['request'].form['log'],"password": self.inputs['request'].form['pwd'],"user_agent": self.inputs['request'].user_agent.string,"url": self.inputs['request'].url,"timestamp": str(datetime.datetime.now())} + self.outputs['template_vars']['BADLOGIN'] = True self.outputs['template'] = 'wp-login.html' else: self.outputs['log'] = '%s probed for the login page' % origin - self.outputs['log_postgresql'] = "INSERT INTO login_page_probes (plugin, source_ip, source_port, dest_host, dest_port, user_agent, url, timestamp) VALUES ('badlogin','%s',%s,'%s',%s,'%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['request'].user_agent.string, self.inputs['request'].url, 
str(datetime.datetime.now())) + self.outputs['log_postgresql_login_page_probes'] = {"source_ip": self.inputs['request'].remote_addr,"source_port": self.inputs['request'].environ['REMOTE_PORT'],"dest_host": self.inputs['request'].environ['SERVER_NAME'],"dest_port": self.inputs['request'].environ['SERVER_PORT'],"user_agent": self.inputs['request'].user_agent.string,"url": self.inputs['request'].url,"timestamp": str(datetime.datetime.now())} self.outputs['template_vars']['BADLOGIN'] = False self.outputs['template'] = 'wp-login.html' diff --git a/wordpot/plugins/commonfiles.py b/wordpot/plugins/commonfiles.py index 1891fc6..b1ec8a4 100644 --- a/wordpot/plugins/commonfiles.py +++ b/wordpot/plugins/commonfiles.py @@ -22,7 +22,7 @@ def run(self): if filename in common: self.outputs['log'] = '%s probed for: %s' % (origin, filename) self.outputs['log_json'] = self.to_json_log(filename=filename, plugin='commonfiles') - self.outputs['log_postgresql'] = "INSERT INTO file_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_filename, user_agent, url, timestamp) VALUES ('commonfiles','%s',%s,'%s',%s,'%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], filename, self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + self.outputs['log_postgresql_file_probes'] = {"source_ip": self.inputs['request'].remote_addr,"source_port": self.inputs['request'].environ['REMOTE_PORT'],"dest_host": self.inputs['request'].environ['SERVER_NAME'],"dest_port": self.inputs['request'].environ['SERVER_PORT'],"probed_filename": filename,"user_agent": self.inputs['request'].user_agent.string,"url": self.inputs['request'].url,"timestamp": str(datetime.datetime.now())} self.outputs['template'] = common[filename] return 
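Review bot: `"timestamp": str(datetime.datetime.now())` stores a local-time string rather than a datetime, so the TIMESTAMP column receives whatever PostgreSQL parses from the text and rows from sensors in different time zones cannot be ordered against each other; pass the `datetime` object itself (psycopg2 adapts it) and use `datetime.datetime.utcnow()`, or make the column TIMESTAMPTZ. The same expression sits in the commonfiles, timthumb and userenumeration dicts and in every connections row in views.py. The hunk also adds a stray blank `+` line after the new assignment.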
diff --git a/wordpot/plugins/timthumb.py b/wordpot/plugins/timthumb.py index 5babb3d..c526b14 100644 --- a/wordpot/plugins/timthumb.py +++ b/wordpot/plugins/timthumb.py 
@@ -14,10 +14,10 @@ def run(self): self.outputs['log'] = log self.outputs['log_json'] = self.to_json_log(filename=self.inputs['subpath'], plugin='timthumb') if 'theme' in self.inputs: - self.outputs['log_postgresql'] = "INSERT INTO themes_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_theme, path, user_agent, url, timestamp) VALUES ('timthumb','%s',%s,'%s',%s,'%s','%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['theme'], self.inputs['subpath'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + self.outputs['log_postgresql_themes_probes'] = {"source_ip": self.inputs['request'].remote_addr,"source_port": self.inputs['request'].environ['REMOTE_PORT'],"dest_host": self.inputs['request'].environ['SERVER_NAME'],"dest_port": self.inputs['request'].environ['SERVER_PORT'],"probed_theme": self.inputs['theme'],"path": self.inputs['subpath'],"user_agent": self.inputs['request'].user_agent.string,"url": self.inputs['request'].url,"timestamp": str(datetime.datetime.now())} if 'plugin' in self.inputs: - self.outputs['log_postgresql'] = "INSERT INTO plugins_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_plugin, path, user_agent, url, timestamp) VALUES ('timthumb','%s',%s,'%s',%s,'%s','%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], self.inputs['plugin'], self.inputs['subpath'], self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + self.outputs['log_postgresql_plugins_probes'] = {"source_ip": self.inputs['request'].remote_addr,"source_port": self.inputs['request'].environ['REMOTE_PORT'],"dest_host": 
self.inputs['request'].environ['SERVER_NAME'],"dest_port": self.inputs['request'].environ['SERVER_PORT'],"probed_plugin": self.inputs['plugin'],"path": self.inputs['subpath'],"user_agent": self.inputs['request'].user_agent.string,"url": self.inputs['request'].url,"timestamp": str(datetime.datetime.now())} # Template to render self.outputs['template'] = 'timthumb.html' diff --git a/wordpot/plugins/userenumeration.py b/wordpot/plugins/userenumeration.py index 51c4e89..bb87070 100644 --- a/wordpot/plugins/userenumeration.py +++ b/wordpot/plugins/userenumeration.py @@ -17,7 +17,7 @@ def run(self): if (k + 1) == int(req_args['author']): self.outputs['log'] = '%s probed author page for user: %s' % (origin, a) self.outputs['log_json'] = self.to_json_log(author=a, plugin='userenumeration') - self.outputs['log_postgresql'] = "INSERT INTO author_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_author, user_agent, url, timestamp) VALUES ('userenumeration','%s',%s,'%s',%s,'%s','%s','%s','%s')" % (self.inputs['request'].remote_addr, self.inputs['request'].environ['REMOTE_PORT'], self.inputs['request'].environ['SERVER_NAME'], self.inputs['request'].environ['SERVER_PORT'], a, self.inputs['request'].user_agent.string, self.inputs['request'].url, str(datetime.datetime.now())) + self.outputs['log_postgresql_author_probes'] = {"source_ip": self.inputs['request'].remote_addr,"source_port": self.inputs['request'].environ['REMOTE_PORT'],"dest_host": self.inputs['request'].environ['SERVER_NAME'],"dest_port": self.inputs['request'].environ['SERVER_PORT'],"probed_author": a,"user_agent": self.inputs['request'].user_agent.string,"url": self.inputs['request'].url,"timestamp": str(datetime.datetime.now())} self.outputs['template_vars']['AUTHORPAGE'] = True self.outputs['template_vars']['CURRENTAUTHOR'] = (k+1, a) self.outputs['template'] = app.config['THEME'] + '.html' diff --git a/wordpot/views.py b/wordpot/views.py index a6b33fa..0104019 100644 --- a/wordpot/views.py 
+++ b/wordpot/views.py @@ -16,9 +16,10 @@ def commons(filename=None, ext=None): if app.config['POSTGRESQL_ENABLED']: cursor = app.config['postgresql_dbh'].cursor() - cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES (%(remote_addr)s,%(remote_port)s,%(server_name)s,%(server_port)s,%(user_agent)s,%(url)s,%(method)s,%(path)s,%(headers)s,%(timestamp)s)", {"remote_addr": request.remote_addr, "remote_port": request.environ['REMOTE_PORT'], "server_name": request.environ['SERVER_NAME'], "server_port": request.environ['SERVER_PORT'], "user_agent": request.user_agent.string, "url": request.url, "method": request.method, "path": request.path, "headers": str(request.headers), "timestamp": str(datetime.datetime.now())}) app.config['postgresql_dbh'].commit() + # Plugins hook for p in pm.hook('commons'): p.start(filename=filename, ext=ext, request=request) 
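Review bot: The parameterized connections INSERT is now the right shape, but it is still copied verbatim into `admin()`, `plugin()` and `theme()` in the hunks below (and, judging by the diffstat, presumably the catch-all `connection()` outside the visible hunks), and none of the copies guards the cursor against a database error, so a logging failure surfaces as a 500 on the decoy page. Move it into one `@app.before_request` function with a try/except that logs and rolls back, then delete the per-view blocks. Passing `datetime.datetime.now()` as a datetime rather than `str(...)` also lets psycopg2 bind it as a TIMESTAMP directly.
```python
@app.before_request
def log_connection():
    """Best-effort record of every incoming request in the connections table."""
    if not app.config['POSTGRESQL_ENABLED']:
        return
    dbh = app.config['postgresql_dbh']
    try:
        cursor = dbh.cursor()
        cursor.execute(
            "INSERT INTO connections (source_ip, source_port, dest_host, dest_port, "
            "user_agent, url, method, path, headers, timestamp) "
            "VALUES (%(remote_addr)s,%(remote_port)s,%(server_name)s,%(server_port)s,"
            "%(user_agent)s,%(url)s,%(method)s,%(path)s,%(headers)s,%(timestamp)s)",
            {"remote_addr": request.remote_addr,
             "remote_port": request.environ['REMOTE_PORT'],
             "server_name": request.environ['SERVER_NAME'],
             "server_port": request.environ['SERVER_PORT'],
             "user_agent": request.user_agent.string,
             "url": request.url,
             "method": request.method,
             "path": request.path,
             "headers": str(request.headers),
             "timestamp": datetime.datetime.now()})
        dbh.commit()
    except Exception as e:
        # Audit logging must never change what the visitor sees.
        LOGGER.error('postgresql connections insert failed: %s', e)
        dbh.rollback()

# … unchanged: the per-view INSERT/commit blocks in commons(), admin(), plugin(), theme() are removed …
```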
@@ -26,10 +27,31 @@ def commons(filename=None, ext=None): LOGGER.info(p.outputs['log']) if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']: app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json']) - if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']: + if 'log_postgresql_login_attempt' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO login_attempts (plugin, source_ip, source_port, dest_host, dest_port, username, password, user_agent, url, timestamp) VALUES ('badlogin',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(username)s,%(password)s,%(user_agent)s,%(url)s,%(timestamp)s)", p.outputs['log_postgresql_login_attempt']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) + if 'log_postgresql_login_page_probes' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO login_page_probes (plugin, source_ip, source_port, dest_host, dest_port, user_agent, url, timestamp) VALUES ('badlogin',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(user_agent)s,%(url)s,%(timestamp)s)", p.outputs['log_postgresql_login_page_probes']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) + if 'log_postgresql_author_probes' in p.outputs and app.config['POSTGRESQL_ENABLED']: try: cursor = app.config['postgresql_dbh'].cursor() - cursor.execute(p.outputs['log_postgresql']) + cursor.execute("INSERT INTO author_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_author, user_agent, url, timestamp) VALUES ('userenumeration',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(probed_author)s,%(user_agent)s,%(url)s,%(timestamp)s)", p.outputs['log_postgresql_author_probes']) + app.config['postgresql_dbh'].commit() + except Exception as e: + print(e) + if 
'log_postgresql_file_probes' in p.outputs and app.config['POSTGRESQL_ENABLED']: + try: + cursor = app.config['postgresql_dbh'].cursor() + cursor.execute("INSERT INTO file_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_filename, user_agent, url, timestamp) VALUES ('commonfiles',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(probed_filename)s,%(user_agent)s,%(url)s,%(timestamp)s)", p.outputs['log_postgresql_file_probes']) app.config['postgresql_dbh'].commit() except Exception as e: print(e) @@ -54,7 +76,7 @@ def admin(subpath='/'): if app.config['POSTGRESQL_ENABLED']: cursor = app.config['postgresql_dbh'].cursor() - cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES (%(remote_addr)s,%(remote_port)s,%(server_name)s,%(server_port)s,%(user_agent)s,%(url)s,%(method)s,%(path)s,%(headers)s,%(timestamp)s)", {"remote_addr": request.remote_addr, "remote_port": request.environ['REMOTE_PORT'], "server_name": request.environ['SERVER_NAME'], "server_port": request.environ['SERVER_PORT'], "user_agent": request.user_agent.string, "url": request.url, "method": request.method, "path": request.path, "headers": str(request.headers), "timestamp": str(datetime.datetime.now())}) app.config['postgresql_dbh'].commit() # Plugins hook 
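Review bot: The four `if 'log_postgresql_<table>' in p.outputs` blocks here, the `plugins_probes` one in `plugin()` below, and whatever handles `themes_probes` outside the visible hunks are identical apart from the key and the INSERT, and each still ends in `print(e)` with no `rollback()`; a plugin that emits a key this file does not list is silently not persisted, and nothing tells a maintainer which keys are covered. A module-level dict from output key to INSERT statement plus one helper that every view calls keeps the mapping in one place, makes a missing key obvious, and fixes the error path once. Because `commons()` and `plugin()` each list only some of the keys, a plugin wired to a different hook than the author expected is also dropped today.
```python
# Output key a plugin may set -> INSERT that persists it (psycopg2 binds the dict values).
POSTGRESQL_INSERTS = {
    'log_postgresql_login_attempt':
        "INSERT INTO login_attempts (plugin, source_ip, source_port, dest_host, dest_port, username, password, user_agent, url, timestamp) "
        "VALUES ('badlogin',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(username)s,%(password)s,%(user_agent)s,%(url)s,%(timestamp)s)",
    'log_postgresql_login_page_probes':
        "INSERT INTO login_page_probes (plugin, source_ip, source_port, dest_host, dest_port, user_agent, url, timestamp) "
        "VALUES ('badlogin',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(user_agent)s,%(url)s,%(timestamp)s)",
    # … one entry each for author_probes, file_probes, plugins_probes and themes_probes, taken from the existing cursor.execute calls …
}


def store_plugin_output(outputs):
    """Persist every log_postgresql_* key a plugin produced; never raises into the view."""
    if not app.config['POSTGRESQL_ENABLED']:
        return
    dbh = app.config['postgresql_dbh']
    for key, sql in POSTGRESQL_INSERTS.items():
        if key not in outputs:
            continue
        try:
            dbh.cursor().execute(sql, outputs[key])
            dbh.commit()
        except Exception as e:
            LOGGER.error('postgresql insert for %s failed: %s', key, e)
            # Clear the aborted transaction so the next insert on the shared connection can succeed.
            dbh.rollback()

# … unchanged: each view's plugin loop, with the if-chains replaced by store_plugin_output(p.outputs) …
```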
@@ -64,13 +86,6 @@ def admin(subpath='/'): LOGGER.info(p.outputs['log']) if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']: app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json']) - if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']: - try: - cursor = app.config['postgresql_dbh'].cursor() - cursor.execute(p.outputs['log_postgresql']) - app.config['postgresql_dbh'].commit() - except Exception as e: - print(e) if 'template' in p.outputs: if 'template_vars' in p.outputs: return render_template(p.outputs['template'], vars=p.outputs['template_vars']) @@ -87,7 +102,7 @@ def plugin(plugin, subpath='/'): if app.config['POSTGRESQL_ENABLED']: cursor = app.config['postgresql_dbh'].cursor() - cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now()))) + cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES (%(remote_addr)s,%(remote_port)s,%(server_name)s,%(server_port)s,%(user_agent)s,%(url)s,%(method)s,%(path)s,%(headers)s,%(timestamp)s)", {"remote_addr": request.remote_addr, "remote_port": request.environ['REMOTE_PORT'], "server_name": request.environ['SERVER_NAME'], "server_port": request.environ['SERVER_PORT'], "user_agent": request.user_agent.string, "url": request.url, "method": request.method, "path": request.path, "headers": str(request.headers), "timestamp": str(datetime.datetime.now())}) app.config['postgresql_dbh'].commit() # Is the plugin in the whitelist? 
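Review bot: The `admin()` loop loses its database path entirely instead of gaining the per-table dispatch the other views receive, so any `log_postgresql_*` output from a plugin started through the `'plugins'` hook by `admin()` is now silently discarded. That is harmless for the plugins visible on this page (timthumb only sets a key when `plugin` or `theme` is among its inputs, which `admin()` does not pass), but it is a trap for the next plugin. If the intent is that admin probes are recorded by the connections row alone, say so where the block was removed, `# admin probes are only recorded in the connections table`.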
@@ -101,10 +116,10 @@ def plugin(plugin, subpath='/'):
 LOGGER.info(p.outputs['log'])
 if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']:
 app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json'])
- if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']:
+ if 'log_postgresql_plugins_probes' in p.outputs and app.config['POSTGRESQL_ENABLED']:
 try:
 cursor = app.config['postgresql_dbh'].cursor()
- cursor.execute(p.outputs['log_postgresql'])
+ cursor.execute("INSERT INTO plugins_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_plugin, path, user_agent, url, timestamp) VALUES ('timthumb',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(probed_plugin)s,%(path)s,%(user_agent)s,%(url)s,%(timestamp)s)", p.outputs['log_postgresql_plugins_probes'])
 app.config['postgresql_dbh'].commit()
 except Exception as e:
 print(e)
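Review bot: The `except Exception as e: print(e)` around the new `plugins_probes` INSERT never rolls back, so after one failed execute psycopg2 answers every later statement on the shared connection — including the `connections` INSERT in each view — with "current transaction is aborted" until `rollback()` is called; change the handler to `except Exception:` / `app.config['postgresql_dbh'].rollback()` / `LOGGER.exception('postgresql insert failed')` so failures land in the log instead of stdout. The `themes_probes` handler in the hunk at @@ -138 (and the `file_probes` block at the top of this diff) has the same shape. Separately, the `plugin` column is hard-coded to `'timthumb'` in the view rather than taken from the plugin `p` that produced `log_postgresql_plugins_probes`, so any other plugin that later emits that key is misattributed; if the plugin object carries its name use that, otherwise have the plugin put it in the output dict. The body of `plugin()` continues outside the hunk.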
@@ -124,7 +139,7 @@ def theme(theme, subpath='/'):
 if app.config['POSTGRESQL_ENABLED']:
 cursor = app.config['postgresql_dbh'].cursor()
- cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now())))
+ cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES (%(remote_addr)s,%(remote_port)s,%(server_name)s,%(server_port)s,%(user_agent)s,%(url)s,%(method)s,%(path)s,%(headers)s,%(timestamp)s)", {"remote_addr": request.remote_addr, "remote_port": request.environ['REMOTE_PORT'], "server_name": request.environ['SERVER_NAME'], "server_port": request.environ['SERVER_PORT'], "user_agent": request.user_agent.string, "url": request.url, "method": request.method, "path": request.path, "headers": str(request.headers), "timestamp": str(datetime.datetime.now())})
 app.config['postgresql_dbh'].commit()
 # Is the theme whitelisted?
@@ -138,10 +153,10 @@ def theme(theme, subpath='/'):
 LOGGER.info(p.outputs['log'])
 if 'log_json' in p.outputs and app.config['HPFEEDS_ENABLED']:
 app.config['hpfeeds_client'].publish(app.config['HPFEEDS_TOPIC'], p.outputs['log_json'])
- if 'log_postgresql' in p.outputs and app.config['POSTGRESQL_ENABLED']:
+ if 'log_postgresql_themes_probes' in p.outputs and app.config['POSTGRESQL_ENABLED']:
 try:
 cursor = app.config['postgresql_dbh'].cursor()
- cursor.execute(p.outputs['log_postgresql'])
+ cursor.execute("INSERT INTO themes_probes (plugin, source_ip, source_port, dest_host, dest_port, probed_theme, path, user_agent, url, timestamp) VALUES ('timthumb',%(source_ip)s,%(source_port)s,%(dest_host)s,%(dest_port)s,%(probed_theme)s,%(path)s,%(user_agent)s,%(url)s,%(timestamp)s)", p.outputs['log_postgresql_themes_probes'])
 app.config['postgresql_dbh'].commit()
 except Exception as e:
 print(e)
@@ -157,7 +172,7 @@ def connection(path='/'):
 if app.config['POSTGRESQL_ENABLED']:
 cursor = app.config['postgresql_dbh'].cursor()
- cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES ('%s',%s,'%s',%s,'%s','%s','%s','%s','%s','%s')" % (request.remote_addr, request.environ['REMOTE_PORT'], request.environ['SERVER_NAME'], request.environ['SERVER_PORT'], request.user_agent.string, request.url, request.method, request.path, str(request.headers), str(datetime.datetime.now())))
+ cursor.execute("INSERT INTO connections (source_ip, source_port, dest_host, dest_port, user_agent, url, method, path, headers, timestamp) VALUES (%(remote_addr)s,%(remote_port)s,%(server_name)s,%(server_port)s,%(user_agent)s,%(url)s,%(method)s,%(path)s,%(headers)s,%(timestamp)s)", {"remote_addr": request.remote_addr, "remote_port": request.environ['REMOTE_PORT'], "server_name": request.environ['SERVER_NAME'], "server_port": request.environ['SERVER_PORT'], "user_agent": request.user_agent.string, "url": request.url, "method": request.method, "path": request.path, "headers": str(request.headers), "timestamp": str(datetime.datetime.now())})
 app.config['postgresql_dbh'].commit()
 abort(404)