One of the advantages of Spondulas over other similar tools is that it supports POST requests. Here's an example from an IDS alert I recently saw, showing the additional steps in submitting a Spondulas request using the POST method:
[root@muckabout spondulas]# python3 spondulas.py -u "http://www.newsday.com/logger/p.gif" -a -r POST
http://www.newsday.com/logger/p.gif
POST requests must have variables.
Please enter POST variables......
Format: parameter1=value&parameter2=value&parameter3=value....
Post vars: parameter1=a=1.4275134&parameter2=d=/2.810/2.893/2.906&parameter3=type=MIXEDTYPE&ct=430_432,430,0
Enter a referrer if you were redirected from another site.
If there is no referrer, you can leave this blank.
Referrer should be in the format: http://www.example.com/somepath/file.html
Referrer: http://www.newsday.com/sports/football/bears-wr-brandon-marshall-heard-of-players-using-viagra-to-gain-edge-1.4275134
Cookies are used to track state on the same web site.
Enter any cookies that were set for this web site...
Cookies should be in the format: cookie1=value1; cookie2=value2
Enter each line separately. Press enter on a blank line to finish entering
Cookies: visited=true
Cookies: JSESSIONID=222C0040D266FDD184C0FAD6E0065177
Cookies: SKSESSION=10.5.145.229
Cookies: s_pers=%20gpv_ch%3DSports%7C1354918554944%3B%20s_depth%3D1%7C1354918554944%3B%20s_vnum%3D1357508754944%2526vn%253D1%7C1357508754944%3B%20s_invisit%3Dtrue%7C1354918554944%3B%20dslv%3D1354916754944%7C1449524754944%3B%20dslv_s%3DFirst%2520Visit%7C1354918554944%3B%20s_vnum_w%3D1355029200959%2526vn%253D1%7C1355029200959%3B%20sinvisit_w%3Dtrue%7C1354918554959%3B%20ri_ch%3DSports%7C1355089554959%3B%20ri_c38%3Darticle%7C1355089554959%3B%20sspp%3D1354916754959%7C1354918554959%3B
Cookies: tmpPersistentst
Cookies:
Query being sent
----------------
POST /logger/p.gif HTTP/1.1
Host: www.newsday.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.newsday.com/sports/football/bears-wr-brandon-marshall-heard-of-players-using-viagra-to-gain-edge-1.4275134
Cookie: visited=true
Cookie: JSESSIONID=222C0040D266FDD184C0FAD6E0065177
Cookie: SKSESSION=10.5.145.229
Cookie: s_pers=%20gpv_ch%3DSports%7C1354918554944%3B%20s_depth%3D1%7C1354918554944%3B%20s_vnum%3D1357508754944%2526vn%253D1%7C1357508754944%3B%20s_invisit%3Dtrue%7C1354918554944%3B%20dslv%3D1354916754944%7C1449524754944%3B%20dslv_s%3DFirst%2520Visit%7C1354918554944%3B%20s_vnum_w%3D1355029200959%2526vn%253D1%7C1355029200959%3B%20sinvisit_w%3Dtrue%7C1354918554959%3B%20ri_ch%3DSports%7C1355089554959%3B%20ri_c38%3Darticle%7C1355089554959%3B%20sspp%3D1354916754959%7C1354918554959%3B
Cookie: tmpPersistentst
Content-Length: 97
parameter1=a=1.4275134&parameter2=d=/2.810/2.893/2.906&parameter3=type=MIXEDTYPE&ct=430_432,430,0
Do not be alarmed if the progam appears to "hang."
This is caused by keep-alive packets. A timeout exception
will be raised after 30 seconds.
Birds away.....
.IP address: 66.54.17.120
..............................
Target URL: www.newsday.com/logger/p.gif
IP address: 66.54.17.120
Referrer: http://www.newsday.com/sports/football/bears-wr-brandon-marshall-heard-of-players-using-viagra-to-gain-edge-1.4275134
Date/Time: 2012-12-13 11:09:05
Output File: 001.txt
Links File: 001-links.txt
Cookies
--------------------
visited=true; domain=www.newsday.com; expires=Friday, 14-Dec-2012 16:08:34 GMT; path=/
tmpPersistentstatsUserId=63c7555ac82755e12360f5da377883a4; Domain=.newsday.com; Expires=Fri, 13-Dec-2013 16:08:34 GMT; Path=/
SKSESSION=10.5.145.228; path=/
[root@muckabout spondulas]#
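The same request can be rebuilt offline to check the Content-Length and to see how a form parser splits the body. This is an added example, not Spondulas code: the function names are hypothetical, the values are copied from the session above (with `&` separators and without the truncated cookie), and the Content-Type header and the single joined Cookie header are choices made here.

```python
from urllib.parse import urlsplit, parse_qsl

# Values copied from the session above; the truncated cookie is left out.
URL = "http://www.newsday.com/logger/p.gif"
POST_VARS = ("parameter1=a=1.4275134&parameter2=d=/2.810/2.893/2.906"
             "&parameter3=type=MIXEDTYPE&ct=430_432,430,0")
REFERRER = ("http://www.newsday.com/sports/football/bears-wr-brandon-marshall-"
            "heard-of-players-using-viagra-to-gain-edge-1.4275134")
COOKIES = ["visited=true", "JSESSIONID=222C0040D266FDD184C0FAD6E0065177",
           "SKSESSION=10.5.145.229"]


def build_post_request(url, post_vars, referrer="", cookies=()):
    """Return the raw HTTP/1.1 POST request as bytes (nothing is sent)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    body = post_vars.encode("ascii")
    headers = [
        f"POST {target} HTTP/1.1",
        f"Host: {parts.netloc}",
        # Not in the tool's output above; added so form parsers accept the body.
        "Content-Type: application/x-www-form-urlencoded",
        # Content-Length is the byte length of the body, not a character count.
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if referrer:
        headers.append(f"Referer: {referrer}")
    if cookies:
        # One Cookie header, pairs joined with "; " (RFC 6265, section 5.4).
        headers.append("Cookie: " + "; ".join(cookies))
    # A blank line (CRLF CRLF) separates the headers from the body.
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def server_view(post_vars):
    """Split the body the way a form-urlencoded parser would."""
    return parse_qsl(post_vars, keep_blank_values=True)


if __name__ == "__main__":
    print(build_post_request(URL, POST_VARS, REFERRER, COOKIES).decode())
    for name, value in server_view(POST_VARS):
        print(f"{name!r} -> {value!r}")
```

The parser output shows that the body as typed carries fields named parameter1, parameter2, parameter3 and ct, with `a=1.4275134`, `d=/2.810/2.893/2.906` and `type=MIXEDTYPE` as the values of the first three.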