WordPress.org

Ready to get started?Download WordPress

Forums

How to capture data sent by POST ? (7 posts)

  1. pete_398
    Member
    Posted 1 year ago #

    Recently have been having hundreds of these ..

    - - [03/Feb/2013:02:42:20 +1100] "POST /wp-login.php HTTP/1.1" 403 2815 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)"

    I have the site setup to force a 403, BUT I would prefer to know what data is being sent by the POST ? Need to now sooner or later what is being sent to the login form.

    If it is a few variables, then they can be added to the 403 error script. I have no idea how they were able to do a POST, when the apache side of things is setup to 'fail/403' if they attempt a GET, let alone a POST.

    Would they be using curl remotely, or similar tool ?

    Pete

  2. catacaustic
    Member
    Posted 1 year ago #

    You can do a POST to any URL, regardless of what the URL repsonds with. The POST happens before the response, so whatever system is doing this won't see your 403 until after the POST has been done. There's a few 1,000 systems out there that do these things. Soem of them are for more "white-hat" reasons where they are trying to create accounts and log in to add posts and comments to your site, but others are designed to break into the site to try and take it over for whatever reason.

    Getting POST data is easy in PHP. Every value sent via POST is stored in the suer-global $_POST array, if there's anything extra sent by GET it's in the $_GET array, and both are "combinied" in the $_REQUEST array. You can dump any or all of those into a log or an email when ever anyone attempts a log in by using login hooks.

  3. pete_398
    Member
    Posted 1 year ago #

    Thanks for your reply, very informative. :)

    You can dump any or all of those into a log or an email when ever anyone attempts a log in by using login hooks.

    I would prefer them by email, as I get an email now. I did try this ..

    $post_array = $_POST;
    $get_array = $_GET;

    and then $post_array and $get_array are contained in the body part of the email. Not sure if that is the method to send a complete array though ??

  4. catacaustic
    Member
    Posted 1 year ago #

    No, it's not. If you do it that way you'll onlt get them output as 'Array'. PHP doesn't automatically print array values out like that.

    The way to do it is something like this:

    $post_array = var_export ($_POST, true);

    There's more ways to do it then this, but this is a good starting point.

  5. pete_398
    Member
    Posted 1 year ago #

    Thanks, that worked fine.

  6. pete_398
    Member
    Posted 1 year ago #

    I have had a lot of attempts to POST to /wp-login, so modified the emails I get, to see what was in various arrays. There are 3 arrays put out now, being $_POST, $_GET and $_SERVER, as follows:

    array (
    )
    array (
    )
    array (
    'CONTENT_LENGTH' => '97',
    'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
    'DOCUMENT_ROOT' => '/home/********/public_html',
    'GATEWAY_INTERFACE' => 'CGI/1.1',
    'HTTP_ACCEPT' => '*/*',
    'HTTP_HOST' => 'example.com',
    'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729)',
    'PATH' => '/bin:/usr/bin',
    'QUERY_STRING' => '',
    'REDIRECT_REQUEST_METHOD' => 'POST',
    'REDIRECT_STATUS' => '403',
    'REDIRECT_UNIQUE_ID' => 'UTDeI8wPhjQAADEtfXYAAAAC',
    'REDIRECT_URL' => '/wp-login.php',
    'REMOTE_ADDR' => '188.143.232.30',
    'REMOTE_PORT' => '1393',
    'REQUEST_METHOD' => 'GET',
    'REQUEST_URI' => '/wp-login.php',
    'SCRIPT_FILENAME' => '/home/********/public_html/403error.php',
    'SCRIPT_NAME' => '/403error.php',
    'SERVER_ADDR' => '204.15.***.***',
    'SERVER_ADMIN' => 'webmaster@example.com',
    'SERVER_NAME' => 'example.com',
    'SERVER_PORT' => '80',
    'SERVER_PROTOCOL' => 'HTTP/1.1',
    'SERVER_SIGNATURE' => '',
    'SERVER_SOFTWARE' => 'Apache',
    'UNIQUE_ID' => 'UTDeI8wPhjQAADEtfXYAAAAC',
    'PHP_SELF' => '/403error.php',
    'REQUEST_TIME' => 1362157091,
    'argv' =>
    array (
    ),
    'argc' => 0,
    )

    There is nothing in the first 2 arrays, yet the attempt to login was a POST ? Am I missing something ?

    Pete

  7. catacaustic
    Member
    Posted 1 year ago #

    If it's a POST request, you will see the $_POST array. The $_GET array only receives values that are sent via the URL (eg: page.php?id=15). The $_SERVER array indicated your servers values/settings, so should really not be a concern for you in this case. If there's nothing in the $_POST Array then that means that no values were sent via the POST protocol. That's either a broken hacking/spam registration software package or an attempt to break into the system. All that I'd suggest is to keep an eye on the IP addresses that it's coming from and see if there's any correlation in that value.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.