如何识别 HTTP 负载的内容?

如何识别 HTTP 负载的内容?

我最近收到流量分析器的警告,HTTP 请求的有效负载包含 Windows 可执行文件而不是纯文本。

解释此 HTTP 请求的最佳方法是什么以及如何确定有效负载的实际内容?

谢谢!

00000000  48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d  HTTP/1.1.200.OK.
00000010  0a 41 63 63 65 70 74 2d 52 61 6e 67 65 73 3a 20  .Accept-Ranges:.
00000020  62 79 74 65 73 0d 0a 43 6f 6e 74 65 6e 74 2d 54  bytes..Content-T
00000030  79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d  ype:.text/plain.
00000040  0a 45 54 61 67 3a 20 22 32 63 62 34 64 64 63 66  .ETag:."2cb4ddcf
00000050  30 38 65 38 61 62 64 38 63 65 39 64 64 37 62 39  08e8abd8ce9dd7b9
00000060  31 66 39 36 64 63 35 36 3a 31 34 37 38 31 33 35  1f96dc56:1478135
00000070  33 33 30 22 0d 0a 4c 61 73 74 2d 4d 6f 64 69 66  330"..Last-Modif
00000080  69 65 64 3a 20 57 65 64 2c 20 30 32 20 4e 6f 76  ied:.Wed,.02.Nov
00000090  20 32 30 31 36 20 32 30 3a 32 35 3a 35 33 20 47  .2016.20:25:53.G
000000a0  4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 6b 61 6d  MT..Server:.Akam
000000b0  61 69 4e 65 74 53 74 6f 72 61 67 65 0d 0a 43 6f  aiNetStorage..Co
000000c0  6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 37 36  ntent-Length:.76
000000d0  34 30 0d 0a 44 61 74 65 3a 20 54 75 65 2c 20 30  40..Date:.Tue,.0
000000e0  39 20 4a 75 6e 20 32 30 32 30 20 31 36 3a 33 32  9.Jun.2020.16:32
000000f0  3a 33 39 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74  :39.GMT..Connect
00000100  69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d  ion:.keep-alive.
00000110  0a 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff  ...MZ...........
00000120  ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00  ...........@....
00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40  ...............@
00000150  00 00 00 50 45 00 00 4c 01 01 00 bc 4b 1a 58 00  ...PE..L....K.X.
00000160  00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00  ..........!.....
00000170  00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00  ................
00000180  00 00 00 00 00 00 00 00 00 00 10 10 00 00 00 10  ................
00000190  00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00  ................
000001a0  00 00 00 e0 03 00 00 60 01 00 00 00 00 00 00 02  .......`........
000001b0  00 00 05 00 00 10 00 00 10 00 00 00 00 10 00 00  ................
000001c0  10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00  ................
000001d0  00 00 00 00 00 00 00 00 00 00 00 60 01 00 00 80  ...........`....
000001e0  02 00 00 00 00 00 00 00 00 00 00 90 06 00 00 48  ...............H
000001f0  17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000240  00 00 00 00 00 00 00 00 00 00 00 2e 72 73 72 63  ............rsrc
00000250  00 00 00 80 02 00 00 60 01 00 00 80 02 00 00 60  .......`.......`
00000260  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40  ...............@
00000270  00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00  ..@.............
00000280  00 01 00 10 00 00 00 18 00 00 80 00 00 00 00 00  ................
00000290  00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 30  ...............0
000002a0  00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002b0  00 01 00 09 04 00 00 48 00 00 00 b8 01 00 00 28  .......H.......(
000002c0  02 00 00 00 00 00 00 00 00 00 00 28 02 34 00 00  ...........(.4..
000002d0  00 56 00 53 00 5f 00 56 00 45 00 52 00 53 00 49  .V.S._.V.E.R.S.I
000002e0  00 4f 00 4e 00 5f 00 49 00 4e 00 46 00 4f 00 00  .O.N._.I.N.F.O..
000002f0  00 00 00 bd 04 ef fe 00 00 01 00 06 00 03 00 00  ................
00000300  00 05 00 06 00 03 00 00 00 05 00 00 00 00 00 00  ................
00000310  00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00  ................
00000320  00 00 00 00 00 00 00 86 01 00 00 01 00 53 00 74  .............S.t
00000330  00 72 00 69 00 6e 00 67 00 46 00 69 00 6c 00 65  .r.i.n.g.F.i.l.e
00000340  00 49 00 6e 00 66 00 6f 00 00 00 62 01 00 00 01  .I.n.f.o...b....
00000350  00 30 00 34 00 30 00 39 00 30 00 34 00 45 00 34  .0.4.0.9.0.4.E.4
00000360  00 00 00 30 00 08 00 01 00 46 00 69 00 6c 00 65  ...0.....F.i.l.e
00000370  00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00  .V.e.r.s.i.o.n..
00000380  00 00 00 33 00 2e 00 36 00 2e 00 35 00 2e 00 30  ...3...6...5...0
00000390  00 00 00 34 00 08 00 01 00 50 00 72 00 6f 00 64  ...4.....P.r.o.d
000003a0  00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69  .u.c.t.V.e.r.s.i
000003b0  00 6f 00 6e 00 00 00 33 00 2e 00 36 00 2e 00 35  .o.n...3...6...5
000003c0  00 2e 00 30 00 00 00 4a 00 15 00 01 00 43 00 6f  ...0...J.....C.o
000003d0  00 6d 00 70 00 61 00 6e 00 79 00 4e 00 61 00 6d  .m.p.a.n.y.N.a.m
000003e0  00 65 00 00 00 00 00 53 00 6f 00 6c 00 69 00 64  .e.....S.o.l.i.d
000003f0  00 20 00 53 00 74 00 61 00 74 00 65 00 20 00 4e  ...S.t.a.t.e...N
00000400  00 65 00 74 00 77 00 6f 00 72 00 6b 00 73 00 00  .e.t.w.o.r.k.s..
00000410  00 00 00 6a 00 23 00 01 00 4c 00 65 00 67 00 61  ...j.#...L.e.g.a
00000420  00 6c 00 43 00 6f 00 70 00 79 00 72 00 69 00 67  .l.C.o.p.y.r.i.g
00000430  00 68 00 74 00 00 00 43 00 6f 00 70 00 79 00 72  .h.t...C.o.p.y.r
00000440  00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29  .i.g.h.t...(.C.)
00000450  00 20 00 53 00 6f 00 6c 00 69 00 64 00 20 00 53  ...S.o.l.i.d...S
00000460  00 74 00 61 00 74 00 65 00 20 00 4e 00 65 00 74  .t.a.t.e...N.e.t
00000470  00 77 00 6f 00 72 00 6b 00 73 00 00 00 00 00 2e  .w.o.r.k.s......
00000480  00 07 00 01 00 50 00 72 00 6f 00 64 00 75 00 63  .....P.r.o.d.u.c
00000490  00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 44  .t.N.a.m.e.....D
000004a0  00 69 00 72 00 65 00 63 00 74 00 00 00 00 00 44  .i.r.e.c.t.....D
000004b0  00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6c  .....V.a.r.F.i.l
000004c0  00 65 00 49 00 6e 00 66 00 6f 00 00 00 00 00 24  .e.I.n.f.o.....$
000004d0  00 04 00 00 00 54 00 72 00 61 00 6e 00 73 00 6c  .....T.r.a.n.s.l
000004e0  00 61 00 74 00 69 00 6f 00 6e 00 00 00 00 00 09  .a.t.i.o.n......
000004f0  04 e4 04 50 4b 03 04 14 00 03 00 08 00 30 a3 62  ...PK........0.b
00000500  49 9d 8f 4e 82 da 01 00 00 f6 03 00 00 0c 00 2c  I..N...........,
00000510  00 6d 61 6e 69 66 65 73 74 2e 78 6d 6c 10 88 28  .manifest.xml..(
00000520  00 d3 06 55 dc c8 c4 17 17 41 5f 6e 22 4d 41 1c  ...U.....A_n"MA.
00000530  0b 58 9a f9 bf ac c0 49 22 e6 26 3f e1 b3 ae 2d  .X.....I".&?...-
00000540  54 5d b0 62 1d 27 b2 70 68 2c 9d 03 38 6a a7 8f  T].b.'.ph,..8j..
00000550  00 58 07 1a 11 02 6d bc c5 e8 8e 33 25 35 6b 9b  .X....m....3%5k.
00000560  60 42 9b 2c 5a 83 6e b5 6c e6 f5 0e 96 c8 10 98  `B.,Z.n.l.......
00000570  7f 4b de 7b 95 04 b3 36 7e 4f 7b 58 20 f7 1a db  .K.{...6~O{X....
00000580  f9 89 e2 ab ae 1d 4c da cc 45 f1 96 e6 54 4c dd  ......L..E...TL.
00000590  9a 4a 4e 01 0e 27 1f 18 b5 f9 37 e3 18 91 3a 54  .JN..'....7...:T
000005a0  7f 5c ed 9d 56 aa e6 b8 d8 4c bd 2e 86 45 01 c2  .\..V....L...E..
000005b0  8c 59 26 97                                      .Y&.

答案1

在行 00000110 上,实际的 HTTP 响应负载从该行的第四个字节开始。

有效载荷以字母开头MZ,这是用于 MS-DOS / Windows 可执行文件的标识符。

另外,在第 00000150 行,第四和第五个字母是PE,这表明该文件是 Windows 可移植可执行文件。

有关可移植可执行文件的更多信息可以在维基百科中找到:https://en.wikipedia.org/wiki/Portable_Executable

答案2

读取元数据是有帮助的,尽管它可能是谎言:

ProductVersion 3.6.5
CompanyName SolidStateNetworks
ProductName Direct

因此,下载下载程序. 通过验证签名并通过恶意软件检测(如 VirusTotal)运行来验证其真实性。

无法确定错误的 Content-Type 是否可疑,或者只是 CDN 损坏了标头。我猜这是个人使用,而不是恶意的,但我没有证据证明这一点。

相关内容