Full Disclosure mailing list archives

Re: iiscan results

From: p8x <l () p8x net>
Date: Thu, 07 Jan 2010 21:55:28 +0800

Hi Vincent,

I also experied the same issue as mrx. I did see multiple get and post
requests to the same page.

As an example, I took a random page with a form on it, here are the totals:

      2 /password.html
      2 /password.html?key=88888&form_validated=12345&submit_form=88888
      2 /password.html?key=88888&form_validated=12345&submit_form=88888'
      2
/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
      2
/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
      2
/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
      2 /password.html?key=88888&submit_form=88888&form_validated=12345
      2 /password.html?key=88888&submit_form=88888&form_validated=12345'
      2
/password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
      2
/password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
      2
/password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
      2 /password.html?submit_form=88888&form_validated=12345&key=88888
      2 /password.html?submit_form=88888&form_validated=12345&key=88888'
      2
/password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
      2
/password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
      2
/password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
      4
/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
      4
/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
      4
/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
      4
/password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
      4
/password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
      4
/password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
      4
/password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
      4
/password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
      4
/password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with
emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:

Vincent,

Although the actual results of the scan were displayed in English in the online html report,
the suggested solutions were in fact in Chinese.

Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to 
the same page:

216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 
(compatible; MSIE 7.0; Windows
NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"

There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does 
seem to be a little inefficient.


I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at 
SQL injection despite my
selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)

Hope this helps

regards
mrx



Vincent Chao wrote:

Thank you for your analysis. It really helps me.

And I also found the PDF report mail to us is in Chinese, in the website of
iiScan, however, to see the report of html or PDF format is English (of
course can change to Chinese).

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of mrx
Sent: Wednesday, January 06, 2010 8:45 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] iiscan results

Well, this scanner managed to find a couple of low level vulnerabilities on
my site which were missed by both Nikto and Nessus.

Two directories allowed a directory listing and a test.php file I created,
an information disclosure vulnerability, was also detected. My dumb
ass forgot to delete this "test.php" file after I finished testing the
server.

Possible sensitive directories were also listed, however browsing to these
directories returned 403 errors, blank pages or a wordpress logon
prompt, which is what I expected.

So all in all this scanner seems to do it's job well. At least for a LAMP
server running wordpress

Of course I have addressed the vulnerabilities reported.

My command of the Chinese language is limited to zero, so I cannot
understand the pdf report emailed to me nor the information within the web
based report. Hopefully the developers will address this language problem.

regards
mrx




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

iiscan results mrx (Jan 06)
- Re: iiscan results Vincent Chao (Jan 06)
- Message not available
  - Re: iiscan results mrx (Jan 07)
    - Re: iiscan results p8x (Jan 07)
    - Re: iiscan results Jan G.B. (Jan 07)
    - Re: iiscan results p8x (Jan 07)
    - Re: iiscan results Jardel Weyrich (Jan 07)
    - Re: iiscan results Robin Sage (Jan 07)
    - Message not available
    - Message not available
    - Message not available
    - Re: iiscan results mrx (Jan 07)
    - Message not available
    - Re: iiscan results mrx (Jan 07)