forked from TheDr1ver/WIPSTER
/
crits-upload.php
368 lines (290 loc) · 10 KB
/
crits-upload.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
<html>
<head>
<div id="header">
<title>Submit Files to WIPSTER and CRITs</title>
<LINK href="./css/upload2.css" rel="stylesheet" type="text/css">
<h1>Submit Files to WIPSTER and CRITs</h1>
<a href="./mastiffResults.php">WIPSTER Results Dashboard</a> | <a href="./search.php">Search</a>
</div>
</head>
<body>
<div id="container">
<div id="forms">
<div id="mastiff">
<form action="crits-upload.php" method="post" enctype="multipart/form-data">
<div id="required">
<div id="reqHead">
REQUIRED Fields
</div>
<br/>
Ticket #:
<input id="ticket" type="text" name="ticket" pattern="\d{1,12}" size="25" required />
<br/><br/>
<b>Sample for WIPSTER analysis: </b><input type="file" name="malware" size="25" />
<br/><br/>
<b>Note:</b> .xlsx and .docx files may take several minutes to complete,<br/>
as they are treated by MASTIFF as .zip files.
<br/><br/>
<input id="taSubChk" type="checkbox" name="taSubChk" value="true" /><b>Submit to ThreatAnalyzer</b>
<br/>
<input id="malwrSubChk" type="checkbox" name="malwrSubChk" value="true" /><b>Submit to Malwr.com</b>
<br/>
</div>
<br/>
<center><b>The following will be related to this ticket in <a href="https://192.168.1.131/" target="_blank">CRITs</a></b></center><br/>
<b>PCAP: </b><input type="file" name="pcap" size="25" />
<br/><br/>
<b>Email: </b><input type="file" name="email" size="25" />
<br/><br/>
<b>Domain: </b><input type="text" name="domain" size="25" />
<br/><br/>
<b>IP: </b><input type="text" name="ip" size="25" />
<br/><br/>
<!--<b>Campaign: </b><input type="text" name="campaign" size="25" />
<br/>-->
Notes:
<br/>
<textarea name="notes" cols="25" rows="5" style="width:700px; height:150px;"></textarea>
<br/>
<input type="submit" name="submit" value="Submit" />
</form>
</div>
</div>
</div>
</body>
<?php
#Import configs
require './func/config.php';
#If posting data to the page, make sure there's actual data posted
if ($_SERVER['REQUEST_METHOD']=='POST'){
#Check to make sure at least one of the required fields is populated
if (empty($_FILES['malware']['name']) && empty($_FILES['pcap']['name']) && empty($_FILES['email']['name']) && empty($_POST['domain']) && empty($_POST['ip']) && empty($_POST['campaign'])){
echo "<center><h2>At least one field is required!</h2></center>";
}
else{
require './func/crits.php';
/*
echo "<pre>"; #DEBUG
print_r($_FILES); #DEBUG
print_r($_POST); #DEBUG
echo "</pre>"; #DEBUG
*/
########################
#### FORM VALIDATION
########################
foreach ($_FILES as $key => $val){
#echo "<b>KEY: $key</b><br/>"; #DEBUG
#echo "<b>VAL: $val</b><br/><br/>"; #DEBUG
if(!empty($val['name']) && !$val['error']){
#Clean up the filename
$new_file_name = strtolower($val['name']);
$new_file_name = preg_replace('/[^A-Za-z0-9-.]/','',$new_file_name);
#Get the file extension
$fileExt = pathinfo($new_file_name, PATHINFO_EXTENSION);
$fileExt = strtolower($fileExt);
#Form validation
if($key=="malware"){
if(in_array($fileExt, array("eml", "msg", "pcap"))){
echo "<h2>ERROR: Emails and PCAPs cannot be submitted through the Sample field.</h2>";
die();
}
}
if($key=="pcap"){
if(in_array($fileExt, array("pcap"))){
#do nothing
}
else{
echo "<h2>ERROR: Invalid pcap extension: $fileExt</h2>";
die();
}
}
if($key=="email"){
if(in_array($fileExt, array("eml", "msg"))){
#do nothing
}
else{
echo "<h2>ERROR: Invalid email extension: $fileExt</h2>";
die();
}
}
}
}
/*
echo "<pre>"; #DEBUG
print_r($_FILES); #DEBUG
print_r($_POST); #DEBUG
echo "</pre>"; #DEBUG
*/
####################################
#### Process each file uploaded
####################################
#echo "Going through _FILES<br/>"; #DEBUG
foreach ($_FILES as $key => $val){
#echo "<b>KEY: $key</b><br/>"; #DEBUG
#echo "<b>VAL: $val</b><br/><br/>"; #DEBUG
if(!empty($val['name']) && !$val['error']){
#Clean up the filename
$new_file_name = strtolower($val['name']);
$new_file_name = preg_replace('/[^A-Za-z0-9-.]/','',$new_file_name);
if($val['size'] < 25600000){ #File cannot be larger than 25 MB
if(!copy($val['tmp_name'], '/var/www/upload/malware/'.$new_file_name)){ #Copy the temp file to a location with a proper name
echo "<h2>ERROR: File $key[tmp_name] failed to copy to /var/www/upload/malware/</h2><br/><br/>";
}
else{
#Set the proper file types for each field
if($key=="malware"){
$type='sample';
}
elseif($key=="pcap"){
$type='pcap';
}
elseif($key=="email"){
$type='email';
}
if(!isset($critsJSON)){
$critsJSON=array();
}
#Build Data for Sample
if(!empty($type)&&!empty($new_file_name)){
$critsJSON[$type]=dataBuild($type, $new_file_name, $_POST, $_FILES, $critsPage, $critsLogin);
unset($type);
}
elseif(!empty($type)){
echo "<h2>ERROR: No new_file_name set for type: $type</h2>";
}
else{
echo "<h2>ERROR: No TLO type set!</h2>";
}
}
}
else{
echo "<h2>ERROR: File too large. Cannot be larger than 25 MB. $new_file_name is $val[size] bytes.</h2><br/><br/>";
}
if(isset($new_file_name)){
unset($new_file_name);
}
}
}
#Process & upload text data
#echo "Going through POST<br/>"; #DEBUG
foreach($_POST as $key=>$val){
/*
echo "<b>KEY: $key</b><br/>"; #DEBUG
echo "<b>VAL: $val</b><br/><br/>"; #DEBUG
*/
if(!empty($val)){
if($key=='submit' || $key=='ticket'){
continue;
}
if($key=='domain' && !empty($val)){
$type='domain';
}
if($key=='ip' && !empty($val)){
$type='ip';
}
#Work out the campaign stuff later
#if($key=='campaign' && !empty($val)){
# $type='campaign';
#}
if($key=='notes' && !empty($val)){
$type='notes';
}
#Check if the main JSON array already exists
if(!isset($critsJSON)){
$critsJSON=array();
}
#Build Data for Sample
if(!empty($type) && !empty($val)){
$critsJSON[$type]=dataBuild($type, $new_file_name=NULL, $_POST, $_FILES, $critsPage, $critsLogin);
}
elseif(!empty($type)){
echo "<h2>ERROR: No TLO type set</h2>";#DEBUG
}
}
}
##### Create new Event if one does not already exist
#Check if an event already exists matching the ticket number
#if the ticket number matches, add that id/data to $critsJSON['event']['id'] and $critsJSON['event']['type']
#if the ticket number does not match, build the data to create a new event and POST to the events API
if(isset($_POST['ticket'])){
#Search crits for an existing event matching this ticket #
$eventSearch = searchCRITs($type='event', $_POST['ticket'], $critsPage, $critsLogin);
$eventJSON = json_decode($eventSearch[0],true);
#If the event already exists, just set the critsJSON tags and move on. Otherwise, add the event.
if(isset($eventJSON['objects'][0]['_id'])){
$critsJSON['event']['id']=$eventJSON['objects'][0]['_id'];
$critsJSON['event']['type']='Event';
}
else{
#build a new event
$type='event';
$critsJSON[$type]=dataBuild($type, $new_file_name=NULL, $_POST, $_FILES, $critsPage, $critsLogin);
}
}
##### RELATE ALL UPLOADED CONTENT TO EACH OTHER
$relationArray=array();
$type='relationship';
#handling the fact that email uploading doesn't work properly
if(isset($critsJSON['email']['error_message'])){
#Look for a particular error message, and grab the TLO's id# if it's there
$pattern="/^ObjectId\(\'(\w*)\'\)/";
preg_match($pattern, $critsJSON['email']['error_message'], $matches);
/*
echo "<pre>"; #DEBUG
print_r($matches); #DEBUG
echo "</pre>"; #DEBUG
#die(); #DEBUG
*/
if(isset($matches[1])){
#if a match is found, properly set the id and type properties
$critsJSON['email']['id']=$matches[1];
$critsJSON['email']['type']='Email';
}
#if($critsJSON['email']['error_message']){
#}
}
foreach($critsJSON as $key=>$val){
if(isset($val['id'])){
/*
echo "<br/>critsJSON:</br>"; #DEBUG
echo "<pre>"; #DEBUG
print_r($critsJSON); #DEBUG
echo "</pre>"; #DEBUG
*/
$relationArray['TLO1type']=$val['type'];
$relationArray['TLO1id']=$val['id'];
foreach($critsJSON as $key2=>$val2){
if($key2!=$key){
$relationArray['TLO2type']=$val2['type'];
$relationArray['TLO2id']=$val2['id'];
if(isset($val2['id'])){
$relationJSON[$key][$key2]=dataBuild($type,$new_file_name=NULL,$_POST,$_FILES,$critsPage,$critsLogin,$relationArray);
}
}
}
unset($critsJSON[$key]);
}
}
#set all the CRITs variables to prep them for relation ($sampleCRITs, $ipCRITs, $domainCRITs, $pcapCRITs, etc...)
#if $sampleCRITs is not already set, that means it wasn't found in the db --
#upload it to CRITs, and save the response (id, type, msg, url, etc) as an array in $sampleCRITs
#likewise for all the other fields submitted
#Once all the $xxxCRITs variables are populated above, and the ticket #'s have all been updated, relate all the objects to eachother
# relationships.relationship:"Related_to"
# relationships.rel_reason:"Related via ticket XXXX"
#Upload files that aren't in CRITs to the CRITs DB
#Relate all files (new or old)
#######################################################
##### Handle the WIPSTER/MASTIFF analysis of the sample
#######################################################
include './accept-file.php';
}
}
###############
##### DEBUG
###############
/*echo "<pre>";
print_r(get_defined_vars());
echo "</pre>";*/
?>
</html>