version 0.33

added base64 raw data send funtion to dtag early warning system

.gitignore

@@ -1 +1 @@
-node_modules
+# Created by .gitignore support plugin (hsz.mobi)

Nodepot.iml

@@ -8,6 +8,6 @@
     <orderEntry type="library" name="Prototype-1.7.1" level="application" />
     <orderEntry type="library" name="Node.js v0.10.26 Core Modules" level="application" />
     <orderEntry type="library" name="Node.js v0.10.31 Core Modules" level="application" />
-    <orderEntry type="library" name="Node.js v0.10.32 Core Modules" level="application" />
   </component>
-</module>
+</module>
+

README.md

@@ -1,17 +1,9 @@
 Nodepot
 =======
 
-Version 0.33: 02.11.2014
-
-0.33 News:
-
-- Bugfix for DTAG EWS reporting (thanks Markus and Lutz)
-- added dockerized version (schmalle/nodepot)
-
+Version 0.33: 07.12.2014
 
 Thanks to Angelo Dell'Aera and Andrea De Pasquale for testing.
-Thanks for Lutz Wischmann and Markus Schroer for bug reporting.
-
 
 - not production ready !!! -
 
@@ -35,15 +27,13 @@ npm install emailjs --save
 npm install twit
 npm install string
 npm install nodejs-hpfeeds
-npm install urlencode --registry=http://r.cnpmjs.org
 
 On a plain vanilla Debian system add the following
 
 npm install put
 npm install binary
 
 
-
 If the npm call fails, run the following code to fix the entry.
 
 npm config set registry http://registry.npmjs.org/
@@ -70,8 +60,6 @@ e.g. with a 5 minute interval the following call to your crontab:
 Internally it will call corecheck.sh for some additional stuff.
 
 
-
-
 Contact:
 --------
 

analyzer.js

@@ -67,9 +67,11 @@ function analyze(request, response)
 
         var buffer = method + " " + urlRequest;
         for(var item in request.headers) {
-            buffer = buffer + "\r\n" + item + ":" + request.headers[item];
+            buffer = buffer + "\r\n" + checkHeaders(item) + ":" + request.headers[item];
         }
 
+        console.log(buffer);
+
         var externalReference = (S(query).contains("http://"));
         var directoryTraversal = (S(query).contains(".."));
         var crossSiteScripting = (S(query).contains("alert("));
@@ -152,6 +154,29 @@ function checkRules(url)
 
 }   // checkrules
 
+/**
+ *
+ * @param url
+ * @returns {*}
+ */
+function checkHeaders(url)
+{
+
+
+    for(var i=0;i<rules.replaceStrings.length;i++)
+    {
+
+        if (S(url).contains(rules.replaceStrings[i]))
+            return rules.replaceStrings[i++];
+
+        i++;
+
+    }
+
+
+    return url;
+
+}   // checkHeaders
 
 
 function externalReferenceCheck(request, query)

history,txt

@@ -0,0 +1,3 @@
+Version 0.33 (06.12.2014)
+
+- added base64 encoding for "raw" request data, when sending data (optionally) to DTAG early warning system

html/dork.html

@@ -1 +1 @@
-/testme?x&b=../..<br>
+/testme?x=/../../<br>

reporter.js

@@ -44,8 +44,8 @@ function PostCode(codestring, mode, alarmHost, alarmURL, alarmPort) {
 
         var query = "https://" + config.ews.host + ":" + config.ews.port + config.ews.path;
 
-        console.log("Body Input" + codestring);
-        console.log("Request URL:" + query);
+        //console.log("Body Input" + codestring);
+        //console.log("Request URL:" + query);
 
         request.post({
             headers: {'content-type' : 'text/xml'},

template/rules.js

@@ -16,4 +16,8 @@ var attackStrings = ["-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simula
                       ];                                                      // MWchat RFI 2006
 
 
-exports.attackStrings = attackStrings;
+var replaceStrings = ["user-agent", "User-Agent", "host", "Host", "content-type:", "Content-type:"
+];
+
+exports.attackStrings = attackStrings;
+exports.replaceStrings = replaceStrings;