Last active May 15, 2023 06:10
Offensive Research Guide to Help Defense Improve Detection

I've transformed this gist into a git repository.

Whenever you research a vulnerability, ask yourself these questions and please answer them for us:

Does the exploited service write a log?
(check ls -lrt /var/log or lsof +D /var/log/ or lsof | grep servicename)

Does a system service write a log?
(e.g. check with tail -f /var/log/messages)

Does it write an event in that log for an exploitation attempt?

Does additional logging or configuration need to be enabled first? (e.g. access logs need to be configured to include uri_query)

Does it write an event in case of successful exploitation?

Does that log line contain specific values that shouldn't normally appear in similar log lines?
(e.g. empty source address, uncommon characters)

Please include an example log line

Other Traces

Does exploitation generate other events that are directly caused by my actions? (e.g. user login)

Does exploitation create temporary files? (e.g. an XML in a temp folder)

Provide Help

Could you provide simple shell commands to check if someone has previously exploited that vulnerability?
(e.g. egrep "specific-url" /var/log/service.log, zgrep "specific-url" /var/log/service/*.gz)

Could you provide a quick fix that can block exploits until the vendor provides a solution?
(e.g. add line in server-side script to drop all requests that contain ":;" in their User-Agent field)
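As an added example (not part of the original gist), a small POSIX shell script that answers the "has someone exploited this before?" question for both current and gzip-rotated logs, using the ":;" User-Agent marker from the quick-fix example above as the indicator; the log directory and the log lines it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original gist: scan a service's logs, both
# plain and gzip-rotated, for an exploitation indicator and report the hits.
# Assumptions: the ":;" User-Agent marker from the gist's quick-fix example
# and a constructed access log in a temporary directory.

# scan_logs PATTERN DIR
# Prints every matching line from DIR/*.log and DIR/*.gz, prefixed with the
# file name. Returns 0 if at least one line matched, 1 otherwise.
scan_logs() {
    pattern=$1
    dir=$2
    found=1
    for f in "$dir"/*.log "$dir"/*.gz; do
        [ -f "$f" ] || continue
        # grep exits 1 on no match; "|| true" keeps "set -e" callers alive.
        # "gzip -dc | grep" is what the gist's zgrep does under the hood.
        case "$f" in
            *.gz) matches=$(gzip -dc "$f" | grep -E -e "$pattern" || true) ;;
            *)    matches=$(grep -E -e "$pattern" "$f" || true) ;;
        esac
        [ -n "$matches" ] || continue
        found=0
        printf '%s\n' "$matches" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
    return $found
}

# count_hits PATTERN DIR: number of matching lines across all files in DIR
count_hits() {
    scan_logs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo data: a current access log plus one rotated, gzipped copy.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/access.log" <<'EOF'
10.0.0.5 - - [20/Jan/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jan/2023:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo test"
EOF
printf '%s\n' '10.0.0.9 - - [19/Jan/2023:23:59:59 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo test"' \
    | gzip > "$demo_dir/access.log.1.gz"

# Usage: list the hits, then summarise; the exit status of scan_logs says
# whether anything matched, so it can drive an alert in a cron job.
scan_logs ':;' "$demo_dir"
echo "matches: $(count_hits ':;' "$demo_dir")"
```

Point the two functions at the real log directory (e.g. /var/log/service) and swap the pattern for the vulnerability's own indicator; rotated logs are covered without a separate zgrep pass.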


ruppde commented Jan 20, 2023

sounds like the specification sheet for a future tool ;)

run tool
run exploit
run tool
upload zip
