full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] iiscan results

Re: [Full-disclosure] iiscan results

From: Jan G.B. <ro0ot.w00t_at_nospam>
Date: Thu Jan 07 2010 - 14:08:06 GMT
To: full-disclosure@lists.grok.org.uk


What you see is not an issue or error. It is, what the application is supposed to do.

  • As you can see, these requests are not the same.
  • Thinking about muiltiple POST requests on WP-Login or your "logs" below, you could have guessed in the first place that the app is either trying multiple Login/Passwort combinations or (as seen below) some patterns to detect Injection possibilities.

Regards

2010/1/7 p8x <l@p8x.net>

> Hi Vincent,
>
> I also experied the same issue as mrx. I did see multiple get and post
> requests to the same page.
>
> As an example, I took a random page with a form on it, here are the totals:
>
> 2 /password.html
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888'
> 2
>
> /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
> 2
> /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
> 2
>
> /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345'
> 2
>
> /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
> 2
> /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
> 2
>
> /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888'
> 2
>
> /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
> 2
> /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
> 2
>
> /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
> 4
>
> /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
> 4
> /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
> 4
>
> /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
> 4
>
> /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
> 4
> /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
> 4
>
> /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
> 4
>
> /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
> 4
> /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
> 4
>
> /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
>
> Also, the contact forms on the websites I tested got hammered with
> emails (and they also seemed to have duplicate requests).
>
> p8x
>
> On 7/01/2010 8:00 PM, mrx wrote:
> > Vincent,
> >
> > Although the actual results of the scan were displayed in English in the
> online html report,
> > the suggested solutions were in fact in Chinese.
> >
> > Checking my access logs reveals multiple attempts of the same
> attack/probe, for example multiple identical POSTs to the same page:
> >
> > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST
> /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible;
> MSIE 7.0; Windows
> > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
> >
> > There are around 100 entries identical to the above in my log. I don't
> know if this is by design or not but it does seem to be a little
> inefficient.
> >
> >
> > I also noticed there were no attempts at information disclosure via the
> TRACE method, nor were any attempts made at SQL injection despite my
> > selecting "all" in the scan options. Not that my site is vulnerable in
> any way ;-)
> >
> > Hope this helps
> >
> > regards
> > mrx
> >
> >
> >
> > Vincent Chao wrote:
> >> Thank you for your analysis. It really helps me.
> >
> >> And I also found the PDF report mail to us is in Chinese, in the website
> of
> >> iiScan, however, to see the report of html or PDF format is English (of
> >> course can change to Chinese).
> >
> >> -----Original Message-----
> >> From: full-disclosure-bounces@lists.grok.org.uk
> >> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of mrx
> >> Sent: Wednesday, January 06, 2010 8:45 PM
> >> To: full-disclosure@lists.grok.org.uk
> >> Subject: [Full-disclosure] iiscan results
> >
> >> Well, this scanner managed to find a couple of low level vulnerabilities
> on
> >> my site which were missed by both Nikto and Nessus.
> >
> >> Two directories allowed a directory listing and a test.php file I
> created,
> >> an information disclosure vulnerability, was also detected. My dumb
> >> ass forgot to delete this "test.php" file after I finished testing the
> >> server.
> >
> >> Possible sensitive directories were also listed, however browsing to
> these
> >> directories returned 403 errors, blank pages or a wordpress logon
> >> prompt, which is what I expected.
> >
> >> So all in all this scanner seems to do it's job well. At least for a
> LAMP
> >> server running wordpress
> >
> >> Of course I have addressed the vulnerabilities reported.
> >
> >> My command of the Chinese language is limited to zero, so I cannot
> >> understand the pdf report emailed to me nor the information within the
> web
> >> based report. Hopefully the developers will address this language
> problem.
> >
> >> regards
> >> mrx
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/