
I have a c# asp.net app running on an Amazon EC2 however I am getting a validation error:

Exception type: HttpRequestValidationException

Exception message: A potentially dangerous Request.RawUrl value was detected from the client (="...h&content=<php>die(@md5(HelloT...").

The logs show that the request url was:

http://blah.com/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>

Where does that PHP die script come from? Is this some kind of security breach? I have no idea how to debug this.

demo
SSED
  • As @CompuChip has posted, does look like someone is taking a pop at your site: https://www.abuseipdb.com/user/18001?page=1 – Keith Jan 20 '20 at 15:00
  • Thanks for comments - not sure where to start however. The site had no database, just loads xml (it's a blogging site). Where do I begin to look for the malicious code? – SSED Jan 20 '20 at 15:10
  • I am no expert, so don't rely on my comments too much, but, my understanding is that there is no malicious code on your site, they are looking for a vulnerability by posting to your site, looking to see if they can execute code. Have you tried visiting the URL they are posting? If so, what happens? Did you write the site? – Keith Jan 20 '20 at 15:13
  • Yes I did. The site is here blog.evantodesk.com (54.173.115.22). But this gets forwarded to http://54.173.115.22/?a=fetch&content=die(@md5(HelloThinkCMF)) where the HttpRequestValidationException described above gets logged – SSED Jan 20 '20 at 15:21
  • Well, you can't stop these requests coming in, if someone has found your site, they are free to post to it. You will want to get yourself familiar with the functions that are being passed, and what you need to do to protect yourself against them. – Keith Jan 20 '20 at 15:25
  • May be worth a read: https://www.wpeka.com/how-to-block-ip-addresses-in-wordpress.html – Keith Jan 20 '20 at 15:31
  • I had one of these tonight, exactly as in the question. I don't have PHP, SQL or any other programming, and not even XML on my site. Apache returned a 200 in the log. It seems that Apache returns a 200 for any requested URL that begins with "?" and displays the home page. Haha. – Wastrel Mar 27 '21 at 04:12

4 Answers

8

This is due to a built-in ASP.Net feature called "Request validation" which causes an exception to be thrown to prevent attacks whenever dangerous characters are found in e.g. the query string. In this case, it is probably caused by the < character, which is forbidden to make attacks such as Cross Site Scripting harder. As such, the error indicates that the attempt to access your site was stopped before your application code was even invoked.

The query string in your example is probably generated by some automated attack script or botnet that is throwing random data at your site to try to breach it. You can safely ignore this particular instance of the attack, since you're not running PHP. That being said, as others have commented, it does indicate that someone is trying to get in, so you should consider taking appropriate security measures either in your application code or in your network/hosting setup. What these are is both out of scope for this site and hard to say without knowing a lot more about your context, however.

Jonas Høgh
3

Those are ThinkPHP5 (Chinese PHP framework based on Laravel) RCE exploit attempts.

learner
2

This blog post suggests that this is a wordpress exploit that no longer works.

I am not running PHP (or Wordpress) yet my web server (apache2, log extract) returns a 200 to this (which is why I was interested):

[04/Jun/2020:11:43:35 -0500] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 367 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

That request came from 195.54.160.135. Jonas Høgh is correct, of course, that securing your site is something you have to figure out yourself. I have a script to block an IP on an ad hoc basis and another one to get a list of bad actors from a website and block them all. I suppose, though, that many of these attempts come from pwned machines or through Tor, and blocking an IP may be useless.

Wastrel
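As an added example (not code from the question or from any of the answers), a small Python checker that applies the point made in the answers above to Apache combined-format log lines like the extract quoted: it flags requests carrying the ThinkPHP/ThinkCMF probe markers seen on this page, counts them per source address, and separates the ones the server rejected (a 4xx or 5xx, which is what you see when ASP.NET request validation or a missing route stops the request) from the ones it answered with 2xx, which are the ones worth a closer look. The log lines and IP addresses below are constructed from documentation ranges, not real traffic.

```python
import re
from collections import Counter

# Apache "combined" log layout, the same shape as the log extract quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Markers of the ThinkPHP5 / ThinkCMF probes discussed on this page, raw or URL-encoded.
# Extend this with other signatures you find in your own logs.
PROBE_RE = re.compile(
    r"invokefunction|call_user_func_array|HelloThink(?:PHP|CMF)|<php>|%3Cphp%3E", re.IGNORECASE
)


def classify(line):
    """Return (ip, status, marker) when the request path carries a probe marker, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    hit = PROBE_RE.search(m.group("path"))
    if hit is None:
        return None
    return m.group("ip"), int(m.group("status")), hit.group(0)


def summarize(lines):
    """Count probes per source IP and collect those the server answered with a 2xx status.
    A 4xx/5xx means the request was refused; a 2xx means the app served content for it."""
    per_ip = Counter()
    served = []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        ip, status, marker = result
        per_ip[ip] += 1
        if 200 <= status < 300:
            served.append((ip, marker, status))
    return per_ip, served


# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2020:11:43:35 -0500] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 367 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2020:11:43:36 -0500] "GET /?a=fetch&content=%3Cphp%3Edie(@md5(HelloThinkCMF))%3C/php%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2020:11:50:02 -0500] "GET /posts/2020/hello.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, served = summarize(SAMPLE_LOG)
    print("probes per IP:", dict(counts), "| served with 2xx:", served)
```

Feed it your real access log with `summarize(open("access.log"))`; a non-empty `served` list tells you which probe paths your site actually answered rather than refused.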
0

It is an attempt to see if this code is running on the server side. PHP and its CMSs had such problems before, but if the site is written in .NET then everything is fine; you don't have to worry.

BASKA