Full Disclosure mailing list archives
Re: iiscan results
From: p8x <l () p8x net>
Date: Thu, 07 Jan 2010 22:28:12 +0800
Hi Jan, I am not sure what you mean. Maybe I should clarify, I used some bash magic to make it a bit easier to read the results from my log file. Here is a copy of the log pre me making it easy to read: http://pastebin.com/m512018cb If you read the above log file you will be able to see the duplicate requests, as an example these two time stamps are have the same request: [07/Jan/2010:09:25:32 +0800] [07/Jan/2010:09:25:36 +0800] I did the test twice, so the results in my previous post that were requested twice can be ignored. p8x On 7/01/2010 10:08 PM, Jan G.B. wrote:
What you see is not an issue or error. It is, what the application is
supposed to do.
* As you can see, these requests are not the same.
* Thinking about muiltiple POST requests on WP-Login or your "logs"
below, you could have guessed in the first place that the app is either
trying multiple Login/Passwort combinations or (as seen below) some
patterns to detect Injection possibilities.
Regards
2010/1/7 p8x <l () p8x net <mailto:l () p8x net>>
Hi Vincent,
I also experied the same issue as mrx. I did see multiple get and post
requests to the same page.
As an example, I took a random page with a form on it, here are the
totals:
2 /password.html
2 /password.html?key=88888&form_validated=12345&submit_form=88888
2 /password.html?key=88888&form_validated=12345&submit_form=88888'
2
/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
2
/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
2
/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
2 /password.html?key=88888&submit_form=88888&form_validated=12345
2 /password.html?key=88888&submit_form=88888&form_validated=12345'
2
/password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
2
/password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
2
/password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
2 /password.html?submit_form=88888&form_validated=12345&key=88888
2 /password.html?submit_form=88888&form_validated=12345&key=88888'
2
/password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
2
/password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
2
/password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
4
/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
4
/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
4
/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
4
/password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
4
/password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
4
/password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
4
/password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
4
/password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
4
/password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
Also, the contact forms on the websites I tested got hammered with
emails (and they also seemed to have duplicate requests).
p8x
On 7/01/2010 8:00 PM, mrx wrote:
> Vincent,
>
> Although the actual results of the scan were displayed in English
in the online html report,
> the suggested solutions were in fact in Chinese.
>
> Checking my access logs reveals multiple attempts of the same
attack/probe, for example multiple identical POSTs to the same page:
>
> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST
/properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0
(compatible; MSIE 7.0; Windows
> NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>
> There are around 100 entries identical to the above in my log. I
don't know if this is by design or not but it does seem to be a
little inefficient.
>
>
> I also noticed there were no attempts at information disclosure
via the TRACE method, nor were any attempts made at SQL injection
despite my
> selecting "all" in the scan options. Not that my site is
vulnerable in any way ;-)
>
> Hope this helps
>
> regards
> mrx
>
>
>
> Vincent Chao wrote:
>> Thank you for your analysis. It really helps me.
>
>> And I also found the PDF report mail to us is in Chinese, in the
website of
>> iiScan, however, to see the report of html or PDF format is
English (of
>> course can change to Chinese).
>
>> -----Original Message-----
>> From: full-disclosure-bounces () lists grok org uk
<mailto:full-disclosure-bounces () lists grok org uk>
>> [mailto:full-disclosure-bounces () lists grok org uk
<mailto:full-disclosure-bounces () lists grok org uk>] On Behalf Of mrx
>> Sent: Wednesday, January 06, 2010 8:45 PM
>> To: full-disclosure () lists grok org uk
<mailto:full-disclosure () lists grok org uk>
>> Subject: [Full-disclosure] iiscan results
>
>> Well, this scanner managed to find a couple of low level
vulnerabilities on
>> my site which were missed by both Nikto and Nessus.
>
>> Two directories allowed a directory listing and a test.php file I
created,
>> an information disclosure vulnerability, was also detected. My dumb
>> ass forgot to delete this "test.php" file after I finished
testing the
>> server.
>
>> Possible sensitive directories were also listed, however browsing
to these
>> directories returned 403 errors, blank pages or a wordpress logon
>> prompt, which is what I expected.
>
>> So all in all this scanner seems to do it's job well. At least
for a LAMP
>> server running wordpress
>
>> Of course I have addressed the vulnerabilities reported.
>
>> My command of the Chinese language is limited to zero, so I cannot
>> understand the pdf report emailed to me nor the information
within the web
>> based report. Hopefully the developers will address this language
problem.
>
>> regards
>> mrx
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- iiscan results mrx (Jan 06)
- Re: iiscan results Vincent Chao (Jan 06)
- Message not available
- Re: iiscan results mrx (Jan 07)
- Re: iiscan results p8x (Jan 07)
- Re: iiscan results Jan G.B. (Jan 07)
- Re: iiscan results p8x (Jan 07)
- Re: iiscan results Jardel Weyrich (Jan 07)
- Re: iiscan results Robin Sage (Jan 07)
- Re: iiscan results mrx (Jan 07)
- Message not available
- Message not available
- Message not available
- Re: iiscan results mrx (Jan 07)
- Message not available
- Re: iiscan results mrx (Jan 07)