• Recently have been having hundreds of these ..

    - - [03/Feb/2013:02:42:20 +1100] "POST /wp-login.php HTTP/1.1" 403 2815 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)"

    I have the site set up to force a 403, BUT I would prefer to know what data is being sent by the POST. I need to know sooner or later what is being sent to the login form.

    If it is a few variables, then they can be added to the 403 error script. I have no idea how they were able to do a POST, when the Apache side of things is set up to ‘fail/403’ if they attempt a GET, let alone a POST.

    Would they be using curl remotely, or similar tool ?

    Pete

Viewing 6 replies - 1 through 6 (of 6 total)
  • You can do a POST to any URL, regardless of what the URL responds with. The POST happens before the response, so whatever system is doing this won’t see your 403 until after the POST has been done. There’s a few 1,000 systems out there that do these things. Some of them are for more “white-hat” reasons where they are trying to create accounts and log in to add posts and comments to your site, but others are designed to break into the site to try and take it over for whatever reason.

    Getting POST data is easy in PHP. Every value sent via POST is stored in the super-global $_POST array, if there’s anything extra sent by GET it’s in the $_GET array, and both are “combined” in the $_REQUEST array. You can dump any or all of those into a log or an email whenever anyone attempts a log in by using login hooks.

    Thread Starter pete_398

    (@pete_398)

    Thanks for your reply, very informative. 🙂

    You can dump any or all of those into a log or an email whenever anyone attempts a log in by using login hooks.

    I would prefer them by email, as I get an email now. I did try this ..

    $post_array = $_POST;
    $get_array = $_GET;

    and then $post_array and $get_array are contained in the body part of the email. Not sure if that is the method to send a complete array though ??

    No, it’s not. If you do it that way you’ll only get them output as ‘Array’. PHP doesn’t automatically print array values out like that.

    The way to do it is something like this:

    $post_array = var_export ($_POST, true);

    There’s more ways to do it than this, but this is a good starting point.

    Thread Starter pete_398

    (@pete_398)

    Thanks, that worked fine.

    Thread Starter pete_398

    (@pete_398)

    I have had a lot of attempts to POST to /wp-login, so modified the emails I get, to see what was in various arrays. There are 3 arrays put out now, being $_POST, $_GET and $_SERVER, as follows:

    array (
    )
    array (
    )
    array (
    'CONTENT_LENGTH' => '97',
    'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
    'DOCUMENT_ROOT' => '/home/********/public_html',
    'GATEWAY_INTERFACE' => 'CGI/1.1',
    'HTTP_ACCEPT' => '*/*',
    'HTTP_HOST' => 'example.com',
    'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)',
    'PATH' => '/bin:/usr/bin',
    'QUERY_STRING' => '',
    'REDIRECT_REQUEST_METHOD' => 'POST',
    'REDIRECT_STATUS' => '403',
    'REDIRECT_UNIQUE_ID' => 'UTDeI8wPhjQAADEtfXYAAAAC',
    'REDIRECT_URL' => '/wp-login.php',
    'REMOTE_ADDR' => '188.143.232.30',
    'REMOTE_PORT' => '1393',
    'REQUEST_METHOD' => 'GET',
    'REQUEST_URI' => '/wp-login.php',
    'SCRIPT_FILENAME' => '/home/********/public_html/403error.php',
    'SCRIPT_NAME' => '/403error.php',
    'SERVER_ADDR' => '204.15.***.***',
    'SERVER_ADMIN' => 'webmaster@example.com',
    'SERVER_NAME' => 'example.com',
    'SERVER_PORT' => '80',
    'SERVER_PROTOCOL' => 'HTTP/1.1',
    'SERVER_SIGNATURE' => '',
    'SERVER_SOFTWARE' => 'Apache',
    'UNIQUE_ID' => 'UTDeI8wPhjQAADEtfXYAAAAC',
    'PHP_SELF' => '/403error.php',
    'REQUEST_TIME' => 1362157091,
    'argv' =>
    array (
    ),
    'argc' => 0,
    )

    There is nothing in the first 2 arrays, yet the attempt to login was a POST ? Am I missing something ?

    Pete

    If it’s a POST request, you will see the $_POST array. The $_GET array only receives values that are sent via the URL (eg: page.php?id=15). The $_SERVER array indicates your server’s values/settings, so should really not be a concern for you in this case. If there’s nothing in the $_POST array then that means that no values were sent via the POST protocol. That’s either a broken hacking/spam registration software package or an attempt to break into the system. All that I’d suggest is to keep an eye on the IP addresses that it’s coming from and see if there’s any correlation in that value.

  • The topic ‘How to capture data sent by POST ?’ is closed to new replies.
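
Added example, not part of the original thread or any participant's post: a report builder for a 403 error script, assuming PHP 7+ and an Apache ErrorDocument internal redirect. In the `$_SERVER` dump above, `REQUEST_METHOD` is `GET` while `REDIRECT_REQUEST_METHOD` is `POST` and `CONTENT_LENGTH` is 97; PHP only fills `$_POST` when `REQUEST_METHOD` is `POST`, so the script decodes the raw body itself. `build_request_report` is a hypothetical name, and whether `php://input` still holds the body at that point depends on the server setup, so the report records how many bytes were readable.

```php
<?php
// Added example for a 403 ErrorDocument script such as the thread's 403error.php.
// Assumption: Apache reached this script by internal redirect, so REQUEST_METHOD
// is GET and the client's real method is in REDIRECT_REQUEST_METHOD.

/** Build a plain-text report of one request (hypothetical helper name). */
function build_request_report(array $server, array $get, array $post, string $rawBody): string
{
    $method = $server['REDIRECT_REQUEST_METHOD'] ?? ($server['REQUEST_METHOD'] ?? 'unknown');
    $type   = strtolower($server['CONTENT_TYPE'] ?? '');
    $source = '$_POST';

    // PHP fills $_POST only when REQUEST_METHOD is POST. After the redirect it
    // is GET, so decode the raw form body ourselves if any of it is readable.
    if ($post === [] && $rawBody !== '' && strpos($type, 'application/x-www-form-urlencoded') === 0) {
        parse_str($rawBody, $post);
        $source = 'raw body';
    }

    // wp-login.php submits the password in "pwd"; never copy it to mail or logs.
    if (array_key_exists('pwd', $post)) {
        $post['pwd'] = '[redacted]';
    }

    // Every value below is client-controlled: treat the report as untrusted text.
    return implode("\n", [
        'Client:          ' . ($server['REMOTE_ADDR'] ?? 'unknown'),
        'Original method: ' . $method,
        'Requested URL:   ' . ($server['REDIRECT_URL'] ?? ($server['REQUEST_URI'] ?? '')),
        'Content-Length:  ' . ($server['CONTENT_LENGTH'] ?? '0') . ' declared, '
                            . strlen($rawBody) . ' bytes readable',
        'User-Agent:      ' . ($server['HTTP_USER_AGENT'] ?? ''),
        "POST fields ($source):",
        var_export($post, true),
        'GET fields:',
        var_export($get, true),
    ]);
}

// php://input may be empty here if the server did not pass the body along.
$raw = (string) file_get_contents('php://input');
error_log(build_request_report($_SERVER, $_GET, $_POST, $raw));
```

To keep the e-mail workflow from the thread, pass the returned string to `mail()` instead of `error_log()`.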