0

How to extract uploaded file

asked 2019-01-07 16:25:43 +0000

CooleRnax
1 ●1

updated 2019-01-07 16:26:24 +0000

I have troubles reconstructing uploaded file. Original file is a little bit different compared to the captured in whireshark. Seems like problem in encoding. Plase help

Here is how follow tcp stream looks like:

POST /cgi-bin/upgrade.cgi HTTP/1.1

Host: 192.168.1.15

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

Accept: application/json, text/plain, /

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.15/

Content-Type: multipart/form-data; boundary=---------------------------265001916915724

Content-Length: 23965264

Authorization: Digest username="admin", realm="Router Configuration", nonce="e3995f748f5f0795134db47862c0b750", uri="/cgi-bin/upgrade.cgi", response="3a85f493d1ca12d7a599dc4a44e81f01", qop=auth, nc=0000063e, cnonce="35290bdcaa173dae"

Connection: keep-alive

Cookie: lang=en

-----------------------------265001916915724

Content-Disposition: form-data; name="file"; filename="firmware.tar.gz"

Content-Type: application/gzip

.....(......\u}7....^gw'.H...\ .s...0......D....I..".........7.JXQ..m.. V.<.m..j.>A.b..h.e.....O..!..d.BDc.r..?....g.......s...g.z.d..Pn..+g.:8..;?.z.......>3........ynV...nY.z.....|..kw...O....}..U7.s..9.....:.../.!./g....?.cFM.nY..U7...X......_q...jj..X.dy.

long code here

Here is the difference:

Captured file start:

.....(......\u}7....^gw'.H...\ .s...0......D....I..".........7.JXQ..m.. V.<.m..j.>A.b..h.e.....O..!..d.BDc.r..?....g.......s...g.z.d..Pn..+g.:8..;?.z.......>3........y

Original file start in notepad++:

‹ (\ мЬњ\u}7юЯ™Л^gw'HШ\ s™Ь0И™ЩD.єіI"»›‰є–‹7МJXQ‰‰m V«<µmў±jµ>A©bЈ–h’eґҐO!ПЩdBDcъrэ?пч‹іgжМпњущќsжьѕgтz±dЦФPnщШ+gН:8Џ;?шzЪЊ™У¦Пњ>3џџтУтщёynVЩ“ЕnYµzсК.¬\ѕ|хЇkwјПOјҐЈ}й”U7•sЗ9язММП:жьЗ/у!—/gЁГю?яcFMЅnYЗФU7ХФ¬Xјъ¦ЖЋ_qлхjj–¬XёdyЗ

Difference:

English symbols are fine, but others are replaced with . in wireshark

edit retag flag offensive close merge delete

Comments

Have you compared the files in binary mode, i.e. byte for byte? An editor, and Wireshark for that matter, display binary values with an arbitrary character encoding, often set from the host system.

grahamb ( 2019-01-07 16:30:18 +0000 )edit

Nope, how can I save file from dump in binary mode?

CooleRnax ( 2019-01-07 16:36:59 +0000 )edit

From the menu File -> Export Objects -> HTTP ..., then hopefully your file will be listed in the dialog and you can save it.

grahamb ( 2019-01-07 18:41:53 +0000 )edit

I wish it was so easy. But there is no such file.

I Have followed TCP stream with the file.

I have saved TCP stream as raw.

Raw TCP stream file is smaller than original file i'm thing to extract.

Then I have found start and end hex bytes of the original file in the stream and extracted the reconstructed file.

Ended with a reconstructed archieve that is smaller than the original one.

Where is the mistake?

Maybe file in the TCP stream is gzip encoded?

CooleRnax ( 2019-01-07 20:03:46 +0000 )edit

original file is 22.8mb reconsructed file is 22.7mb

CooleRnax ( 2019-01-07 20:15:57 +0000 )edit

1 Answer

Sort by » oldest newest most voted

0

answered 2019-01-15 21:00:21 +0000

flag of Netherlands

18344 ●9 ●301 ●255 https://SYN-b.it

The line "Content-Length: 23965264" in the HTTP header indicates that there are 23965264 bytes to be transferred. This calculates to 22.85 MB. This is more than the 22.7 MB that you were able to save. So either a) Wireshark did not see all bytes (do you see "previous segment not captured" messages when you filter on "tcp.analysis.flags and tcp.stream==XXX", where XXX is the TCP stream in which this upload occurs>) or b) all data is captured, but something went wrong in saving the data to file.

As you say there is no object under "Export... HTTP Objects", my bet is there is data missing and therefor Wireshark can't do the re-assembly and that means you can't save all data either.

Are you able to share the capture file or is there any sensitive data in it?

edit flag offensive delete link

Comments

Here is the archieve it includes original file and captured data. Password will be sent to [email protected]

https://www.dropbox.com/s/wybjmlnht6r...

CooleRnax ( 2019-01-16 16:51:58 +0000 )edit

As I have seen the original capture file:

There is data missing in the capture file. So your capture setup was not optimal. Have a look at frames 20714 to 20827, there is a block of 97.820 bytes missing. In the follow TCP stream this is show as:

".v....r.`.t0...Pn.J.Fs.5......s.Q......."[97820 bytes missing in capture file]....5Lb...].&N.N..%=x.hW.. ..:w..'"

So whenever you want to extract something through follow TCP stream, this is a signal that you won't be able to get the original file.

SYN-bit ( 2019-01-17 14:33:05 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Question Tools

1 follower

Stats

Asked: 2019-01-07 16:25:43 +0000

Seen: 4,772 times

Last updated: Jan 15 '19

Related questions

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.

Powered by Askbot version 0.10.2