Hi Jean,
On Sun, May 28, 2017 at 09:15:56AM +0000, Jean LUBATTI wrote:
> Hi Willy,
>
> I just tried the line "tcp-request content capture req.hdrs_bin len 2000" in
> the config but I get:
>
> [ALERT] 147/073131 (13352) : parsing [/etc/haproxy/haproxy.cfg:42] :
> 'tcp-request content capture' : unknown fetch method 'req.hdrs_bin'
> [ALERT] 147/073131 (13352) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.cfg
> [ALERT] 147/073131 (13352) : Fatal errors found in configuration.
> Errors found in configuration file, check it with 'haproxy check'.
Sorry, this one is only in 1.8-dev.
> I changed it to:
>
> tcp-request content capture req.payload(0,2000) len 2000
>
> but I don't think it works (at least not when inspecting the core on s->req).
Ah, I forgot to mention you need to allow a delay for the request to arrive,
you need to add this:
tcp-request inspect-delay 10s
(for example)
> Here is the output of haproxy running under gdb when the attack happens:
>
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clireq[0027:ffffffff]:
> GET /wp-content/uploads/ HTTP/1.1
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> Host: 185.139.245.111
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101
> Firefox/40.0
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> Cookie: SERVERID=ppmktplportals01fe
> 000001d7:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0027:ffffffff]:
> Accept-Encoding: gzip
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clireq[0028:ffffffff]:
> GET /wp-content/uploads/2015/ HTTP/1.1
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> Host: 185.139.245.111
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101
> Firefox/40.0
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> Cookie: SERVERID=ppmktplportals01fe
> 000001d8:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0028:ffffffff]:
> Accept-Encoding: gzip
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvrep[0027:0029]:
> HTTP/1.1 404 Not Found
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Server: Apache-Coyote/1.1
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Content-Length: 0
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Date: Sun, 28 May 2017 09:03:04 GMT
> 000001d7:appmarket_preprod_services_ingenico_com_8443.srvhdr[0027:0029]:
> Connection: close
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvrep[0028:002a]:
> HTTP/1.1 404 Not Found
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Server: Apache-Coyote/1.1
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Content-Length: 0
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Date: Sun, 28 May 2017 09:03:04 GMT
> 000001d8:appmarket_preprod_services_ingenico_com_8443.srvhdr[0028:002a]:
> Connection: close
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clireq[0025:ffffffff]:
> GET /language/en-GB/en-GB.xml HTTP/1.1
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> Host: 185.139.245.111
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:40.0) Gecko/20100101
> Firefox/40.0
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> Cookie: SERVERID=ppmktplportals01fe
> 000001d9:ft_appmarket_preprod_services_ingenico_com_443.clihdr[0025:ffffffff]:
> Accept-Encoding: gzip
>
> Program received signal SIGSEGV, Segmentation fault.
> _wordcopy_fwd_dest_aligned (dstp=14712784, srcp=14712832,
> len=2305843009213203548) at wordcopy.c:196
> 196 a0 = ((op_t *) srcp)[0];
> (gdb)
>
> Attaching to the mail the core and the binary.
Thanks for all this, I think I should be able to reproduce it with all this,
otherwise I'll recontact you :-)
Thanks!
Willy
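For readers following the thread, here is a complete frontend that puts Willy's two pieces of advice together: an inspect-delay so the content rules actually see request bytes, and a payload capture that is then written to the access log so a crashing request can be matched against the exact bytes received. This is an added example, not configuration from the thread or from the HAProxy project; the section names, bind address and backend server are constructed placeholders.

```haproxy
# Added example: capture the raw request payload for crash diagnosis.
# Names, addresses and ports below are placeholders, not from the thread.
global
    log 127.0.0.1 local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ft_capture_debug
    bind :443
    mode http

    # Without an inspect-delay the 'tcp-request content' rules are evaluated
    # as soon as the connection is accepted, before any request data has
    # arrived, so the capture would be empty. Wait up to 10s for the payload.
    tcp-request inspect-delay 10s

    # Copy the first 2000 bytes of the raw request into a capture slot.
    # req.hdrs_bin only exists from 1.8-dev onward; req.payload works on 1.6+.
    tcp-request content capture req.payload(0,2000) len 2000

    # Emit the captured bytes in the log line. Capture slots are numbered in
    # declaration order, so capture.req.hdr(0) is the payload captured above.
    log-format "%ci:%cp [%t] %ft %b/%s %ST captured=%[capture.req.hdr(0)]"

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080
```

Run `haproxy -c -f /path/to/haproxy.cfg` before reloading to catch fetch methods that the installed version does not know (the exact error Jean hit with req.hdrs_bin). Keep the inspect-delay shorter than the client timeout, and remember the capture slot also appears in the default `%hr` field if you keep the stock httplog format instead of the custom log-format shown here.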