I am trying to use Apache Bench to load test a create action in my Rails application, but ab doesn't appear to be sending the POST data - though it does correctly submit a POST and not a GET request.
This is the command I run:
ab -n 1 -p post -v 4 "http://oz01.zappos.net/registrations"
And these are the contents of the post file:
authenticity_token=M18KXwSOuIVbDPZOVQy5h8aSGoU159V9S5uV2lpsAI0
The Rails logs show a POST request coming through but don't show any parameters being posted:
Started POST "/registrations" for 10.66.210.70 at Thu Sep 09 17:48:06 -0700 2010
Processing by RegistrationsController#create as */*
Rendered registrations/new.html.erb within layouts/application (14.0ms)
Completed 200 OK in 24ms (Views: 14.6ms | ActiveRecord: 0.1ms)
Whereas a POST request coming from a browser results in this log entry:
Started POST "/registrations" for 192.168.66.20 at Thu Sep 09 17:49:47 -0700 2010
Processing by RegistrationsController#create as HTML
Parameters: {"submit"=>"true", "authenticity_token"=>"AfNG0UoTbJXnxke2725efhYAoi3ogddMC7Uqu5mAui0=", "utf8"=>"\342\234\223", "registration"=>{"city"=>"", "address"=>"", "name"=>"", "zip"=>"", "optin"=>"0", "state"=>"", "email"=>""}}
Rendered registrations/new.html.erb within layouts/application (13.7ms)
Completed 200 OK in 24ms (Views: 14.3ms | ActiveRecord: 0.1ms)
And finally, this is what ab logs for the request:
---
POST /registrations HTTP/1.0
User-Agent: ApacheBench/2.0.40-dev
Host: oz01.zappos.net
Accept: */*
Content-length: 63
Content-type: text/plain
---
Why is it not picking up the POST data?
If the "post" file is not there, I get an error message saying it can't find the file, so I know that at the very least it is finding the file...
Maybe you need the -T option, as stated in man ab:
ab -n 1 -p post -v 4 -T application/x-www-form-urlencoded "http://oz01.zappos.net/registrations"
I tested with Django and it seems that Django doesn't really care about the content type header (it displayed the POSTed content whether I used -T or not), but maybe Rails wants it.
Old question, but for the sake of anyone else who searches SO for this, here's how I got it to work.
Make EXTRA sure your post file is properly URL encoded, with no extra non-printing characters or anything at the end. The most error-free way is just to create it with code. I used some Python to create mine:
>>> import urllib
>>> outfile = open('post.data', 'w')
>>> params = ({ 'auth_token': 'somelongstringthatendswithanequalssign=' })
>>> encoded = urllib.urlencode(params)
>>> outfile.write(encoded)
>>> outfile.close()
Example output:
auth_token=somelongstringthatendswithanequalssign%3D
Related
I'm trying to create a very simple program which uploads an image to the database using Paperclip in ROR. But the image can't go to the database every time I press SUBMIT. Can anyone please point me to where I did wrong?
This is my log file:
Started POST "/users" for 127.0.0.1 at 2017-03-22 21:03:03 +1000
Processing by UsersController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"P1JjsD8GMBJbrAnOnc/RtTDDuVOCiv/zsMhvM0Lzb3+bELWElYYN3FAVgERADmv8E1+dXK5nDais+LmmwaCa4Q==", "user"=>{"title"=>"eeee", "avatar"=>#<ActionDispatch::Http::UploadedFile:0xa40e398 #tempfile=#<Tempfile:C:/Users/GaryVLC/AppData/Local/Temp/RackMultipart20170322-15228-psq6nh.jpg>, #original_filename="14563434_519556131584166_3038665901337502288_n.jpg", #content_type="image/jpeg", #headers="Content-Disposition: form-data; name=\"user[avatar]\"; filename=\"14563434_519556131584166_3038665901337502288_n.jpg\"\r\nContent-Type: image/jpeg\r\n">}, "commit"=>"Submit"}
Command :: file -b --mime "C:/Users/GaryVLC/AppData/Local/Temp/4233aadfd0ba434db17dee20d9613cee20170322-15228-tizi43.jpg"
[paperclip] Content Type Spoof: Filename 14563434_519556131584166_3038665901337502288_n.jpg (image/jpeg from Headers, ["image/jpeg"] from Extension), content type discovered from file command: . See documentation to allow this combination.
(0.0ms) begin transaction
Command :: file -b --mime "C:/Users/GaryVLC/AppData/Local/Temp/4233aadfd0ba434db17dee20d9613cee20170322-15228-qcbjc3.jpg"
[paperclip] Content Type Spoof: Filename 14563434_519556131584166_3038665901337502288_n.jpg (image/jpeg from Headers, ["image/jpeg"] from Extension), content type discovered from file command: . See documentation to allow this combination.
Command :: file -b --mime "C:/Users/GaryVLC/AppData/Local/Temp/4233aadfd0ba434db17dee20d9613cee20170322-15228-1l2s8em.jpg"
[paperclip] Content Type Spoof: Filename 14563434_519556131584166_3038665901337502288_n.jpg (image/jpeg from Headers, ["image/jpeg"] from Extension), content type discovered from file command: . See documentation to allow this combination.
(0.0ms) rollback transaction
Rendering users/new.html.erb within layouts/application
Rendered users/new.html.erb within layouts/application (1.0ms)
Completed 200 OK in 108ms (Views: 53.3ms | ActiveRecord: 0.0ms)
Using the Ransack Rubygem, I am trying to make a query against two conditions using curl. This is for a search ability being added to an API.
Query on a single field
curl -X GET -G 'http://localhost:3000/api/v2/products' -d 'q[barcode_eq]=7610200237576'
This works
Processing by Api::V2::ProductsController#index as */*
Parameters: {"q"=>{"barcode_eq"=>"761063205021"}}
Product Load (0.4ms) SELECT "products".* FROM "products" WHERE "products"."barcode" = '761063205021' LIMIT 50 OFFSET 0
Query on two fields
curl -X GET -G 'http://localhost:3000/api/v2/products' -d 'q[barcode_eq]=7610200237576' -d 'q[barcode_eq]=7616800205113'
Ignores the first query
Started GET "/api/v2/products?q[barcode_eq]=7610200237576&q[barcode_eq]=7616800205113" for ::1 at 2017-01-10 15:34:28 +0100
Processing by Api::V2::ProductsController#index as */*
Parameters: {"q"=>{"barcode_eq"=>"7616800205113"}}
Product Load (0.6ms) SELECT "products".* FROM "products" WHERE "products"."barcode" = '7616800205113' LIMIT 50 OFFSET 0
What is the correct syntax to search (and/or) against multiple fields using curl or via Ajax?
I would use the *_in matcher:
curl -X GET -G 'http://localhost:3000/api/v2/products' -d 'q[barcode_in][]=7610200237576' -d 'q[barcode_in][]=7616800205113'
Note the _in instead of the _eq, and the empty brackets ([]).
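To show why the repeated q[barcode_eq] in the question collapses to one value while q[barcode_in][] keeps both, here is an added example (not part of the question or the answer, and not Ransack's or Rack's own code): a small Python parser for Rack-style nested query keys, plus a builder for the _in query string. It handles the key forms used on this page (plain keys, nested hashes, a trailing [] for arrays), not every form Rack accepts.

```python
import re
from urllib.parse import parse_qsl, urlencode


def nested_params(query):
    """Expand Rack-style keys: 'q[barcode_in][]=a&q[barcode_in][]=b' becomes
    {'q': {'barcode_in': ['a', 'b']}}. Covers plain keys, nested hashes and a
    trailing [] for arrays (the forms used on this page)."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.match(r"([^\[]+)(.*)$", key)
        if not m:
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = params
        for part, nxt in zip(parts, parts[1:] + [None]):
            if nxt is None:                       # leaf scalar: the last value wins,
                node[part] = value                # so q[barcode_eq] twice keeps one value
            elif nxt == "":                       # next segment is []: collect a list
                node.setdefault(part, []).append(value)
                break
            else:                                 # intermediate hash level
                node = node.setdefault(part, {})
    return params


def in_query(field, values):
    """Query string for a Ransack <field>_in predicate, i.e. what the curl above sends."""
    return urlencode([(f"q[{field}_in][]", v) for v in values])
```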
I am trying to send a POST request to a site using Hyper 0.9. The request works with curl:
curl https://api.particle.io/v1/devices/secret/set_light -d args=0 -d access_token=secret
and Python:
import requests
r = requests.post("https://api.particle.io/v1/devices/secret/set_light",
data={"access_token": "secret", "args": "0"})
but my Rust implementation doesn't seem to go through, always yielding 400.
use hyper::client::Client;
let client = Client::new(); // the snippet used `client` without creating it
let addr = "https://api.particle.io/v1/devices/secret/set_light";
let body = "access_token=secret&args=0";
let mut res = client.post(addr)
.body(body)
.send()
.unwrap();
It is greatly beneficial to be aware of various tools for debugging HTTP problems like this. In this case, I used nc to start a dumb server so I could see the headers the HTTP client is sending (nc -l 5000). I modified the cURL and Rust examples to point to 127.0.0.1:5000 and this was the output:
cURL:
POST /v1/devices/secret/set_light HTTP/1.1
Host: 127.0.0.1:5000
User-Agent: curl/7.43.0
Accept: */*
Content-Length: 26
Content-Type: application/x-www-form-urlencoded
args=0&access_token=secret
Hyper:
POST /v1/devices/secret/set_light HTTP/1.1
Host: 127.0.0.1:5000
Content-Length: 26
access_token=secret&args=0
I don't have an account at particle.io to test with, but I'm guessing you need that Content-Type header. Setting a User-Agent would be good etiquette and the Accept header is really more for your benefit, so you might as well set them too.
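The same missing-Content-Type problem is behind the Apache Bench question at the top of this page and this Hyper question. As an added example (not from any of the answers, and not Rails' code), here is a throwaway Python HTTP server that records what each client sent, in the spirit of the nc -l trick above, beside a form parser that, like Rails, only decodes the body when the request declares application/x-www-form-urlencoded. The body value is constructed; http.client is used on the client side because it adds Content-Length but never invents a Content-Type.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

captured = []  # (Content-Type header, raw body) for every POST the server saw


class Recorder(BaseHTTPRequestHandler):
    """Stand-in for 'nc -l 5000': keep what the client sent, answer 200."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        captured.append((self.headers.get("Content-Type"), self.rfile.read(length)))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def form_params(content_type, body):
    """Decode a form body only when the client declared it as one, as Rails does."""
    if not (content_type or "").startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[-1] for k, v in parse_qs(body.decode()).items()}


def post(host, port, path, body, content_type=None):
    """POST via http.client: Content-Length is added, Content-Type only if we pass one."""
    headers = {"Content-Type": content_type} if content_type else {}
    conn = http.client.HTTPConnection(host, port)
    conn.request("POST", path, body=body, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    srv = HTTPServer(("127.0.0.1", 0), Recorder)  # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    body = b"authenticity_token=abc%3D"  # constructed, already URL-encoded
    host, port = "127.0.0.1", srv.server_port
    post(host, port, "/registrations", body)                # hyper snippet: no Content-Type
    post(host, port, "/registrations", body, "text/plain")  # ab -p without -T
    post(host, port, "/registrations", body,
         "application/x-www-form-urlencoded")               # curl, or ab with -T
    srv.shutdown()
    return [form_params(ct, raw) for ct, raw in captured]
```

Only the third request yields parameters, which is exactly the difference between the two Rails log entries in the Apache Bench question.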
Using curl I have:
$ curl -v -d "userName=user1&password=passwd1&language=en" http://myhost:23094/api/v2/authToken
...
> POST /api/v2/authToken HTTP/1.1
> User-Agent: curl/7.30.0
> Host: myhost:23094
> Accept: */*
> Content-Length: 39
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 39 out of 39 bytes
< HTTP/1.1 200 OK
I am trying to build a Yandex.Tank script using this query:
My load.ini:
[phantom]
address=my.ip.v4.here
port=8094
rps_schedule=line(1, 10, 1m)
ammo_type=uripost
My ammo.txt
133 login
POST /api/v2/authToken HTTP/1.1
User-Agent: tank
Host: somemyhost.com
Content-Length: 39

userName=user1&password=passwd1&language=en
When I run yandex-tank ammo.txt, I get the 400 Bad Request error.
It seems to me that tank can't use the body parameters. How do I make it use them? What am I doing wrong?
Your ammo is not in uripost format. Don't specify ammo_type at all and it should work properly. If you want to use uripost format, specify your headers in load.ini and write something like the following in your ammo file:
39 /api/v2/authToken login
userName=user1&password=passwd1&language=en
Here is the description of the uripost format.
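Both ammo formats carry a byte count that has to match the bytes that follow, which is easy to get wrong by hand. As an added example (not from the answer, and not Yandex.Tank's own code), here are two Python helpers that build an entry in each format and compute the counts from the actual body; the request fields are taken from the question, the line-ending choice is a parameter, and with LF endings plus the blank separator line the raw request comes to the 133 bytes the question's ammo declares.

```python
def uripost_ammo(path, body, tag=""):
    """One uripost entry: '<body bytes> <uri> <tag>' then the body on its own line.
    Headers are not part of the entry; in uripost format they live in load.ini."""
    size = len(body.encode())
    return f"{size} {path} {tag}".rstrip() + "\n" + body + "\n"


def raw_ammo(method, path, host, body, tag="", eol="\r\n"):
    """One raw entry: '<request bytes> <tag>' then a complete HTTP request.
    Content-Length is derived from the body, and the size prefix counts every
    byte of the request, line endings and the blank separator line included."""
    size = len(body.encode())
    head = [f"{method} {path} HTTP/1.1", "User-Agent: tank", f"Host: {host}",
            f"Content-Length: {size}", ""]           # trailing "" yields the blank line
    request = eol.join(head) + eol + body
    return f"{len(request.encode())} {tag}".rstrip() + "\n" + request + "\n"


# Constructed sample, matching the question's request
BODY = "userName=user1&password=passwd1&language=en"

if __name__ == "__main__":
    with open("ammo.txt", "w", newline="") as f:   # newline="" keeps CRLF intact
        f.write(raw_ammo("POST", "/api/v2/authToken", "somemyhost.com", BODY, "login"))
```

Because the count is taken from the bytes actually written, the Content-Length header and the size prefix cannot drift apart from the body the way hand-edited ammo can.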
I noticed some unusual activity on my website a couple days ago so I decided to check out the production log. Here is what I found:
Started GET "/" for 74.219.112.36 at 2013-01-11 20:25:05 +0000
Processing by HomeController#logo as */*
Parameters: {"exploit"=>#
<ActionDispatch::Routing::RouteSet::NamedRouteCollection:0xcb7e650
#routes={:"foo; system('cd ~;mkdir .ssh;echo ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV
/l4+De+BBFg/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9p
DjKuymKEVbsJbOqrnNMXlUtxCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzq
TtOKhnJvzgA4eZSVZsVlxTwyFM= root >> ~/.ssh/authorized_keys')\n__END__\n"=>
#<OpenStruct defaults={:action=>"create", :controller=>"foos"},
required_parts=[], requirements={:action=>"create", :controller=>"foos"},
segment_keys=[:format]>}, #helpers=[:"hash_for_foo; system('cd ~;
mkdir .ssh;echo ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV
/l4+De+BBFg/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbs
JbOqrnNMXlUtxCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlx
TwyFM= root >> ~/.ssh/authorized_keys')\n__END__\n_url", :"foo;
system('cd ~;mkdir .ssh;echo ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg
/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUtxCefeG
T1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM=
root >> ~/.ssh/authorized_keys')\n__END__\n_url", :"hash_for_foo;
system('cd ~;mkdir .ssh;echo ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg
/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUt
xCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root >>
~/.ssh/authorized_keys')\n__END__\n_path", :"foo; system('cd ~;mkdir .ssh;
echo ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg
/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUtxCefeG
T1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root >>
~/.ssh/authorized_keys')\n__END__\n_path"], #module=#<Module:0xcb7e5c4>>}
Rendered landing_users/_form.html.haml (4.7ms)
Rendered home/logo.html.haml within layouts/application (7.8ms)
Completed 200 OK in 11ms (Views: 10.4ms | ActiveRecord: 0.0ms)
I went on to check if their system calls worked and sure enough in ~/.ssh/authorized_keys I found the same ssh key. So this means they were able to run system calls through my rails app!!!! Thankfully my rails app isn't run under root so they did not get root access. But regardless this terrifies me.
Has anyone encountered this exploit before? If so how did you patch it?
My rails app is on Ubuntu 12.04, using rails version 3.2.8 and ruby version 1.9.3p125. If any other information would help out please let me know!
I found a blog post referring to this exploit but no solutions, just how to perform it.
Did you follow the link in that blog?
On January 8th, Aaron Patterson announced CVE-2013-0156
If you did, you would see that it is fixed in Rails 3.2.11.
Update your app immediately!
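Upgrading is the fix; the log entry in the question also shows what to look for when checking whether the same thing happened before the upgrade. As an added example (not from the question or the answer, and not Rails' code), here is a Python scan over Rails log text in the format shown above. Normally a request parameter logs as a string, array or hash, and a file upload logs as ActionDispatch::Http::UploadedFile (see the Paperclip log earlier on this page); any other Ruby object literal inside the Parameters: line means the request body was deserialised into an object, as in the question's entry. The sample log lines are constructed, with the third entry abbreviated from the question.

```python
import re

# File uploads legitimately appear as Ruby objects in the Parameters line
ALLOWED_OBJECTS = {"ActionDispatch::Http::UploadedFile"}
OBJECT_RE = re.compile(r"=>#<([A-Za-z_]\w*(?:::[A-Za-z_]\w*)*)")
SHELL_RE = re.compile(r"\bsystem\(|`")
PARAMS_RE = re.compile(r"Parameters: (.*?)(?= Rendered | Rendering | Completed |$)")


def requests_in_log(text):
    """Group log lines per request; each request starts with a 'Started ' line."""
    groups = []
    for line in text.splitlines():
        if line.startswith("Started ") or not groups:
            groups.append([])
        groups[-1].append(line.strip())
    return groups


def suspicious_requests(text):
    """Flag requests whose Parameters hold an unexpected Ruby object or a shell call."""
    findings = []
    for lines in requests_in_log(text):
        m = PARAMS_RE.search(" ".join(lines))
        if not m:
            continue
        objects = sorted({c for c in OBJECT_RE.findall(m.group(1)) if c not in ALLOWED_OBJECTS})
        shell = bool(SHELL_RE.search(m.group(1)))
        if objects or shell:
            findings.append({"request": lines[0], "objects": objects, "shell": shell})
    return findings


# Constructed sample: a normal form post, a file upload, and an entry abbreviated
# from the one in the question above.
SAMPLE_LOG = """\
Started POST "/registrations" for 192.168.66.20 at Thu Sep 09 17:49:47 -0700 2010
Processing by RegistrationsController#create as HTML
  Parameters: {"utf8"=>"✓", "registration"=>{"name"=>"", "email"=>""}}
Completed 200 OK in 24ms (Views: 14.3ms | ActiveRecord: 0.1ms)
Started POST "/users" for 127.0.0.1 at 2017-03-22 21:03:03 +1000
Processing by UsersController#create as HTML
  Parameters: {"user"=>{"avatar"=>#<ActionDispatch::Http::UploadedFile:0xa40e398 @original_filename="x.jpg">}}
Completed 200 OK in 108ms (Views: 53.3ms | ActiveRecord: 0.0ms)
Started GET "/" for 74.219.112.36 at 2013-01-11 20:25:05 +0000
Processing by HomeController#logo as */*
  Parameters: {"exploit"=>#<ActionDispatch::Routing::RouteSet::NamedRouteCollection:0xcb7e650
  #routes={:"foo; system('echo hi')\\n__END__\\n"=>#<OpenStruct defaults={}>}>}
Completed 200 OK in 11ms (Views: 10.4ms | ActiveRecord: 0.0ms)
"""
```

A hit is a reason to treat the host as compromised and review authorized_keys, cron and running processes, not just to upgrade.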