full-disclosure-uk January 2010 archive

Re: [Full-disclosure] iiscan results

From: Jardel Weyrich <jweyrich_at_nospam>
Date: Thu Jan 07 2010 - 14:33:07 GMT
To: p8x <l@p8x.net>


It's probably trying to get different results/responses by changing the values of some request headers. The most common scenario, as far as I've seen, and as oddly as it might sound, is the User-Agent and HTTP minor version.

A more verbose logging strategy would demystify it. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x <l@p8x.net> wrote:
> Hi Jan,
>
> I am not sure what you mean.
>
> Maybe I should clarify: I used some bash magic to make it a bit easier
> to read the results from my log file. Here is a copy of the log before I
> made it easier to read: http://pastebin.com/m512018cb
>
> If you read the above log file you will be able to see the duplicate
> requests; as an example, these two timestamps have the same request:
>
> [07/Jan/2010:09:25:32 +0800]
> [07/Jan/2010:09:25:36 +0800]
>
> I did the test twice, so the results in my previous post that were
> requested twice can be ignored.
>
> p8x
>
> On 7/01/2010 10:08 PM, Jan G.B. wrote:
>> What you see is not an issue or error. It is what the application is
>> supposed to do.
>>
>> * As you can see, these requests are not the same.
>> * Thinking about multiple POST requests on WP-Login or your "logs"
>> below, you could have guessed in the first place that the app is either
>> trying multiple Login/Password combinations or (as seen below) some
>> patterns to detect Injection possibilities.
>>
>> Regards
>>
>> 2010/1/7 p8x <l@p8x.net>
>>
>>     Hi Vincent,
>>
>>     I also experienced the same issue as mrx. I did see multiple GET and POST
>>     requests to the same page.
>>
>>     As an example, I took a random page with a form on it, here are the
>>     totals:
>>
>>          2 /password.html
>>          2 /password.html?key=88888&form_validated=12345&submit_form=88888
>>          2 /password.html?key=88888&form_validated=12345&submit_form=88888'
>>          2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
>>          2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
>>          2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
>>          2 /password.html?key=88888&submit_form=88888&form_validated=12345
>>          2 /password.html?key=88888&submit_form=88888&form_validated=12345'
>>          2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
>>          2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
>>          2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>>          2 /password.html?submit_form=88888&form_validated=12345&key=88888
>>          2 /password.html?submit_form=88888&form_validated=12345&key=88888'
>>          2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
>>          2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
>>          2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
>>          4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
>>          4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
>>          4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
>>          4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
>>          4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
>>          4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>>          4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
>>          4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
>>          4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
>>
>>     Also, the contact forms on the websites I tested got hammered with
>>     emails (and they also seemed to have duplicate requests).
>>
>>     p8x
>>
>>     On 7/01/2010 8:00 PM, mrx wrote:
>>     > Vincent,
>>     >
>>     > Although the actual results of the scan were displayed in English in the online html report,
>>     > the suggested solutions were in fact in Chinese.
>>     >
>>     > Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
>>     >
>>     > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>>     >
>>     > There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
>>     >
>>     >
>>     > I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
>>     >
>>     > Hope this helps
>>     >
>>     > regards
>>     > mrx
>>     >
>>     >
>>     >
>>     > Vincent Chao wrote:
>>     >> Thank you for your analysis. It really helps me.
>>     >>
>>     >> And I also found that the PDF report mailed to us is in Chinese; on the iiScan website, however, the report in HTML or PDF format is in English (of course it can be changed to Chinese).
>>     >>
>>     >> -----Original Message-----
>>     >> From: full-disclosure-bounces@lists.grok.org.uk
>>     >> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of mrx
>>     >> Sent: Wednesday, January 06, 2010 8:45 PM
>>     >> To: full-disclosure@lists.grok.org.uk
>>     >> Subject: [Full-disclosure] iiscan results
>>     >
>>     >> Well, this scanner managed to find a couple of low level vulnerabilities on my site which were missed by both Nikto and Nessus.
>>     >>
>>     >> Two directories allowed a directory listing and a test.php file I created, an information disclosure vulnerability, was also detected. My dumb ass forgot to delete this "test.php" file after I finished testing the server.
>>     >>
>>     >> Possible sensitive directories were also listed, however browsing to these directories returned 403 errors, blank pages or a wordpress logon prompt, which is what I expected.
>>     >>
>>     >> So all in all this scanner seems to do its job well. At least for a LAMP server running wordpress.
>>     >>
>>     >> Of course I have addressed the vulnerabilities reported.
>>     >>
>>     >> My command of the Chinese language is limited to zero, so I cannot understand the pdf report emailed to me nor the information within the web based report. Hopefully the developers will address this language problem.
>>     >>
>>     >> regards
>>     >> mrx
>>     >
>>     >
>>     >
>>     > _______________________________________________
>>     > Full-Disclosure - We believe in it.
>>     > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>     > Hosted and sponsored by Secunia - http://secunia.com/
>>     >
>>     >
>>     >
>>     >
>>
>>
>
>
>
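
An added example, not code from this thread or from iiScan, for the two points argued above: p8x's duplicate-request counts together with Jardel's suggestion that the copies differ in headers or HTTP minor version, and Jan's reading of the '5'='5 / '5'='6 query strings as injection probes. The script parses Apache combined-format lines of the kind mrx quoted, groups exact repeats and reports which logged fields vary between the copies, and pairs up the always-true and always-false boolean probes per parameter. Every log line is constructed for the demo (only the first reproduces mrx's entry) and the function names are my own. One caveat it makes visible: the combined format records neither the POST body nor most request headers, so when two POSTs are identical in every logged field the log cannot say what, if anything, the scanner varied. That is the "more verbose logging" Jardel asks for, e.g. an Apache LogFormat that also writes the headers of interest.

```python
"""Triage an Apache combined-format access log for a web scanner's footprint.

Added example (not code from the thread or from iiScan): groups requests that
repeat the same method and target, reports which logged fields differ between
the copies (HTTP version, User-Agent, status, size), and flags the paired
always-true / always-false boolean SQLi probes seen in the quoted logs
("... and 5=5" beside "... and 5=6"). Sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Boolean-blind probe: the baseline value with a comparison injected after it,
# e.g.  88888' and '5'='6   |   88888 and 5=5   |   88888%' and 5=6 and '%'='
BOOL_RE = re.compile(
    r"""^(?P<base>.*?)(?:['"]|%['"]|)\s+and\s+'?(?P<l>\d+)'?\s*=\s*'?(?P<r>\d+)'?""",
    re.IGNORECASE,
)
COMPARE_FIELDS = ("ver", "ua", "status", "size", "ip", "referer")
SCANNER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
              ".NET CLR 2.0.50727) NOSEC.JSky/1.0")
PW_TARGET = "/password.html?key=88888&form_validated=12345&submit_form=88888"


def make_entry(ts, method, target, ver="1.0", ip="216.18.22.46", ua=SCANNER_UA):
    """One constructed combined-format line; status and size are fixed for brevity."""
    return f'{ip} - - [{ts}] "{method} {target} HTTP/{ver}" 200 2554 "-" "{ua}"'


SAMPLE_LOG = [  # constructed; the first line reproduces the entry mrx quoted
    make_entry("06/Jan/2010:11:33:01 +0000", "POST", "/properblog/wp-login.php"),
    make_entry("06/Jan/2010:11:33:02 +0000", "POST", "/properblog/wp-login.php"),
    make_entry("07/Jan/2010:09:25:32 +0800", "GET", PW_TARGET),
    make_entry("07/Jan/2010:09:25:36 +0800", "GET", PW_TARGET, ver="1.1"),
    make_entry("07/Jan/2010:09:25:40 +0800", "GET", PW_TARGET + "'"),
    make_entry("07/Jan/2010:09:25:41 +0800", "GET", PW_TARGET + "'%20and%20'5'='6"),
    make_entry("07/Jan/2010:09:25:42 +0800", "GET", PW_TARGET + "'%20and%20'5'='5"),
    make_entry("07/Jan/2010:09:25:43 +0800", "GET", PW_TARGET + "%20and%205=6"),
    make_entry("07/Jan/2010:09:25:44 +0800", "GET", PW_TARGET + "%20and%205=5"),
    make_entry("07/Jan/2010:09:25:45 +0800", "GET", PW_TARGET + "%25'%20and%205=6%20and%20'%25'='"),
    make_entry("07/Jan/2010:09:25:46 +0800", "GET", PW_TARGET + "%25'%20and%205=5%20and%20'%25'='"),
    # an ordinary visitor, which must not be flagged
    make_entry("07/Jan/2010:09:30:00 +0800", "GET", "/index.html", "1.1", "192.0.2.10", "Mozilla/5.0"),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # percent-decoded
    return rec


def parse_log(lines):
    return [rec for rec in map(parse_line, lines) if rec]


def duplicate_groups(records):
    """Requests repeated with an identical method+target, and which logged fields vary."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["method"], rec["target"])].append(rec)
    out = {}
    for key, recs in groups.items():
        if len(recs) > 1:
            differs = [f for f in COMPARE_FIELDS if len({r[f] for r in recs}) > 1]
            out[key] = {"count": len(recs), "differs": differs}
    return out


def classify_probe(value):
    """(baseline, comparison_is_true) for a boolean-blind probe value, else None."""
    m = BOOL_RE.match(value)
    return (m["base"], m["l"] == m["r"]) if m else None


def boolean_probe_pairs(records):
    """(path, param, baseline) triples that received both a true and a false probe."""
    seen = defaultdict(set)
    for rec in records:
        for name, value in rec["params"]:
            probe = classify_probe(value)
            if probe:
                seen[(rec["path"], name, probe[0])].add(probe[1])
    return sorted(k for k, outcomes in seen.items() if outcomes == {True, False})


def report(lines):
    records = parse_log(lines)
    dups = duplicate_groups(records)
    for (method, target), info in sorted(dups.items()):
        why = ", ".join(info["differs"]) or "no logged field differs (body or unlogged headers?)"
        print(f"{info['count']}x {method} {target}\n    varies in: {why}")
    for path, param, base in boolean_probe_pairs(records):
        print(f"boolean-blind SQLi probing: {path} param={param!r} baseline={base!r}")
    return dups


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. On the constructed data the two wp-login POSTs come out with no differing logged field, the two baseline /password.html GETs differ only in HTTP version (the case Jardel describes), and submit_form is reported as the parameter that received matching true/false probes; the bare trailing quote request is the error-based probe and is not counted as a boolean pair.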


