C# HttpRequestValidationException


I have a C# ASP.NET app running on an Amazon EC2; however, I am getting a validation error:

Exception type: HttpRequestValidationException

Exception message: A potentially dangerous Request.RawUrl value was detected from the client (="...h&content=<php>die(@md5(HelloT...").

The logs show that the request url was:

http://blah.com/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>

Where does that PHP die script come from? Is this some kind of security breach? I have no idea how to debug this.


There are 4 best solutions below

0
On

Those are ThinkPHP5 (a Chinese PHP framework based on Laravel) RCE exploit attempts.

1
On

This blog post suggests that this is a WordPress exploit that no longer works.

I am not running PHP (or WordPress), yet my web server (apache2, log extract) returns a 200 to this (which is why I was interested):

[04/Jun/2020:11:43:35 -0500] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 367 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

That request came from 195.54.160.135. Jonas Høgh is correct, of course, that securing your site is something you have to figure out yourself. I have a script to block an IP on an ad hoc basis and another one to get a list of bad actors from a website and block them all. I suppose, though, that many of these attempts come from pwned machines or through Tor, and blocking an IP may be useless.

0
On

It is an attempt to see if this code is running on the server side. PHP and its CMS had such problems before, but if the site is written in .NET, then everything is fine; you don't have to worry.

1
On

This is due to a built-in ASP.NET feature called "Request validation", which causes an exception to be thrown to prevent attacks whenever dangerous characters are found in e.g. the query string. In this case, it is probably caused by the < character, which is forbidden to make attacks such as Cross Site Scripting harder. As such, the error indicates that the attempt to access your site was stopped before your application code was even invoked.

The query string in your example is probably generated by some automated attack script or botnet that is throwing random data at your site to try to breach it. You can safely ignore this particular instance of the attack, since you're not running PHP. That being said, as others have commented, it does indicate that someone is trying to get in, so you should consider taking appropriate security measures either in your application code or in your network/hosting setup. What these are is both out of scope for this site and hard to say without knowing a lot more about your context, however.
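A log-triage example for the requests discussed in the answers above (added here, not code from any of the posters): it scans Apache combined-format access log lines for the two probe shapes quoted on this page and reports, per client, whether any probe was answered with a 2xx status. The sample lines, their documentation-range IP addresses and the names `classify`, `triage` and `PROBE_PATTERNS` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/NCSA combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Signatures taken from the two requests quoted on this page.
PROBE_PATTERNS = {
    "thinkphp-invokefunction": re.compile(r"think\\+app/invokefunction", re.I),
    "call_user_func_array": re.compile(r"function=call_user_func_array", re.I),
    "thinkcmf-fetch-content": re.compile(r"[?&]a=fetch&content=<php>", re.I),
}
# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    r'203.0.113.7 - - [04/Jun/2020:11:43:35 -0500] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 367 "-" "Mozilla/5.0"',
    r'203.0.113.7 - - [04/Jun/2020:11:43:36 -0500] "GET /?a=fetch&content=%3Cphp%3Edie(@md5(HelloThinkCMF))%3C/php%3E HTTP/1.1" 500 1204 "-" "Mozilla/5.0"',
    r'198.51.100.20 - - [04/Jun/2020:11:44:01 -0500] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, status, [matched signature names]) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))  # probes may percent-encode < and >
    hits = [name for name, rx in PROBE_PATTERNS.items() if rx.search(target)]
    return m.group("ip"), int(m.group("status")), hits

def triage(lines):
    """Group probe hits per client; count probes the server answered with 2xx."""
    report = defaultdict(lambda: {"probes": 0, "answered_2xx": 0, "signatures": set()})
    for line in lines:
        parsed = classify(line)
        if not parsed or not parsed[2]:
            continue  # unparseable line or ordinary request
        ip, status, hits = parsed
        report[ip]["probes"] += 1
        report[ip]["signatures"].update(hits)
        if 200 <= status < 300:
            report[ip]["answered_2xx"] += 1  # worth a closer look
    return dict(report)

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry)
```

A client with probes but `answered_2xx` equal to 0 matches the situation described in the last answer: the requests were rejected before reaching application code.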