Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: iiscan results
From: p8x <l () p8x net>
Date: Thu, 07 Jan 2010 22:28:12 +0800

Hi Jan,

I am not sure what you mean.

Maybe I should clarify, I used some bash magic to make it a bit easier
to read the results from my log file. Here is a copy of the log pre me
making it easy to read: http://pastebin.com/m512018cb

If you read the above log file you will be able to see the duplicate
requests, as an example these two time stamps are have the same request:

[07/Jan/2010:09:25:32 +0800]
[07/Jan/2010:09:25:36 +0800]

I did the test twice, so the results in my previous post that were
requested twice can be ignored.

p8x

On 7/01/2010 10:08 PM, Jan G.B. wrote:
What you see is not an issue or error. It is, what the application is
supposed to do.

* As you can see, these requests are not the same. 
* Thinking about muiltiple POST requests on WP-Login or your "logs"
below, you could have guessed in the first place that the app is either
trying multiple Login/Passwort combinations or (as seen below) some
patterns to detect Injection possibilities.

Regards

2010/1/7 p8x <l () p8x net <mailto:l () p8x net>>

    Hi Vincent,

    I also experied the same issue as mrx. I did see multiple get and post
    requests to the same page.

    As an example, I took a random page with a form on it, here are the
    totals:

         2 /password.html
         2 /password.html?key=88888&form_validated=12345&submit_form=88888
         2 /password.html?key=88888&form_validated=12345&submit_form=88888'
         2
    /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
         2
    /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
         2
    /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
         2 /password.html?key=88888&submit_form=88888&form_validated=12345
         2 /password.html?key=88888&submit_form=88888&form_validated=12345'
         2
    /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
         2
    /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
         2
    /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
         2 /password.html?submit_form=88888&form_validated=12345&key=88888
         2 /password.html?submit_form=88888&form_validated=12345&key=88888'
         2
    /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
         2
    /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
         2
    /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
         4
    /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
         4
    /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
         4
    /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
         4
    /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
         4
    /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
         4
    /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
         4
    /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
         4
    /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
         4
    /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

    Also, the contact forms on the websites I tested got hammered with
    emails (and they also seemed to have duplicate requests).

    p8x

    On 7/01/2010 8:00 PM, mrx wrote:
    > Vincent,
    >
    > Although the actual results of the scan were displayed in English
    in the online html report,
    > the suggested solutions were in fact in Chinese.
    >
    > Checking my access logs reveals multiple attempts of the same
    attack/probe, for example multiple identical POSTs to the same page:
    >
    > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST
    /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0
    (compatible; MSIE 7.0; Windows
    > NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
    >
    > There are around 100 entries identical to the above in my log. I
    don't know if this is by design or not but it does seem to be a
    little inefficient.
    >
    >
    > I also noticed there were no attempts at information disclosure
    via the TRACE method, nor were any attempts made at SQL injection
    despite my
    > selecting "all" in the scan options. Not that my site is
    vulnerable in any way ;-)
    >
    > Hope this helps
    >
    > regards
    > mrx
    >
    >
    >
    > Vincent Chao wrote:
    >> Thank you for your analysis. It really helps me.
    >
    >> And I also found the PDF report mail to us is in Chinese, in the
    website of
    >> iiScan, however, to see the report of html or PDF format is
    English (of
    >> course can change to Chinese).
    >
    >> -----Original Message-----
    >> From: full-disclosure-bounces () lists grok org uk
    <mailto:full-disclosure-bounces () lists grok org uk>
    >> [mailto:full-disclosure-bounces () lists grok org uk
    <mailto:full-disclosure-bounces () lists grok org uk>] On Behalf Of mrx
    >> Sent: Wednesday, January 06, 2010 8:45 PM
    >> To: full-disclosure () lists grok org uk
    <mailto:full-disclosure () lists grok org uk>
    >> Subject: [Full-disclosure] iiscan results
    >
    >> Well, this scanner managed to find a couple of low level
    vulnerabilities on
    >> my site which were missed by both Nikto and Nessus.
    >
    >> Two directories allowed a directory listing and a test.php file I
    created,
    >> an information disclosure vulnerability, was also detected. My dumb
    >> ass forgot to delete this "test.php" file after I finished
    testing the
    >> server.
    >
    >> Possible sensitive directories were also listed, however browsing
    to these
    >> directories returned 403 errors, blank pages or a wordpress logon
    >> prompt, which is what I expected.
    >
    >> So all in all this scanner seems to do it's job well. At least
    for a LAMP
    >> server running wordpress
    >
    >> Of course I have addressed the vulnerabilities reported.
    >
    >> My command of the Chinese language is limited to zero, so I cannot
    >> understand the pdf report emailed to me nor the information
    within the web
    >> based report. Hopefully the developers will address this language
    problem.
    >
    >> regards
    >> mrx
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault