This repository was archived by the owner on Aug 8, 2024. It is now read-only.
This repository was archived by the owner on Aug 8, 2024. It is now read-only.
parsing error #25
Description
first, sorry. I can not think of any better subject.
we're using this apache log format
grep -rni LogFormat /etc/apache2/* | grep common
apache2.conf:208:LogFormat "%h %l %u %t \"%r\" %>s %O" common
and parsing it with this python code
combine_parser = apache_log_parser.make_parser("%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"")
common_parser = apache_log_parser.make_parser("%h %l %u %t \"%r\" %>s %O")
try:
dataset = combine_parser(rawData)
except:
dataset = common_parser(rawData)
during some penetration tests on our systems, we got this apache log line
1.2.3.4 - - [20/Nov/2018:16:17:59 +0100] "GET //${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.print('Nessus%20Response:%20'),%23w.println('struts_2_3_14_3_command_execution-2092796018'),%23w.flush(),%23w.close()}.action HTTP/1.1" 404 698
which returns the error message
ValueError: invalid literal for int() with base 10: "%20'),%23w.println('struts_2_3_14_3_command_execution-2092796018'),%23w.flush(),%23w.close()}.action"
It looks like that we need to escape some characters in this string? But which one?
It looks like it gets missinterpreted at the : character.
escaping with escaped = rawData.translate(str.maketrans({":": r"\:"})) doesn't work. Any ideas?