Full Disclosure mailing list archives
Re: iiscan results
From: Jardel Weyrich <jweyrich () gmail com>
Date: Thu, 7 Jan 2010 12:33:07 -0200
It's probably trying to get different results/responses by changing the values of some request headers. The most common scenario, as far as I've seen, and as oddly as it might sound, is the User-Agent and HTTP minor version. A more verbose logging strategy would demystify it. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x <l () p8x net> wrote:
Hi Jan,

I am not sure what you mean. Maybe I should clarify: I used some bash magic to make it a bit easier to read the results from my log file. Here is a copy of the log before I made it easier to read: http://pastebin.com/m512018cb

If you read the above log file you will be able to see the duplicate requests; as an example, these two timestamps have the same request:

[07/Jan/2010:09:25:32 +0800]
[07/Jan/2010:09:25:36 +0800]

I did the test twice, so the results in my previous post that were requested twice can be ignored.

p8x

On 7/01/2010 10:08 PM, Jan G.B. wrote:

What you see is not an issue or error. It is what the application is supposed to do.

* As you can see, these requests are not the same.
* Thinking about multiple POST requests on WP-Login or your "logs" below, you could have guessed in the first place that the app is either trying multiple login/password combinations or (as seen below) some patterns to detect injection possibilities.

Regards

2010/1/7 p8x <l () p8x net>

Hi Vincent,

I also experienced the same issue as mrx. I did see multiple GET and POST requests to the same page.
As an example, I took a random page with a form on it; here are the totals:

2 /password.html
2 /password.html?key=88888&form_validated=12345&submit_form=88888
2 /password.html?key=88888&form_validated=12345&submit_form=88888'
2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
2 /password.html?key=88888&submit_form=88888&form_validated=12345
2 /password.html?key=88888&submit_form=88888&form_validated=12345'
2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
2 /password.html?submit_form=88888&form_validated=12345&key=88888
2 /password.html?submit_form=88888&form_validated=12345&key=88888'
2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:
> Vincent,
>
> Although the actual results of the scan were displayed in English in the online html report,
> the suggested solutions were in fact in Chinese.
>
> Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
>
> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>
> There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
>
> I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
>
> Hope this helps
>
> regards
> mrx
>
> Vincent Chao wrote:
>> Thank you for your analysis. It really helps me.
>>
>> And I also found the PDF report mailed to us is in Chinese; on the website of
>> iiScan, however, the report viewed in html or PDF format is in English (of
>> course it can be changed to Chinese).
>>
>> -----Original Message-----
>> From: full-disclosure-bounces () lists grok org uk
>> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of mrx
>> Sent: Wednesday, January 06, 2010 8:45 PM
>> To: full-disclosure () lists grok org uk
>> Subject: [Full-disclosure] iiscan results
>>
>> Well, this scanner managed to find a couple of low level vulnerabilities on
>> my site which were missed by both Nikto and Nessus.
>>
>> Two directories allowed a directory listing and a test.php file I created,
>> an information disclosure vulnerability, was also detected. My dumb
>> ass forgot to delete this "test.php" file after I finished testing the
>> server.
>>
>> Possible sensitive directories were also listed, however browsing to these
>> directories returned 403 errors, blank pages or a wordpress logon
>> prompt, which is what I expected.
>>
>> So all in all this scanner seems to do its job well. At least for a LAMP
>> server running wordpress.
>>
>> Of course I have addressed the vulnerabilities reported.
>>
>> My command of the Chinese language is limited to zero, so I cannot
>> understand the pdf report emailed to me nor the information within the web
>> based report. Hopefully the developers will address this language problem.
>>
>> regards
>> mrx
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
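The thread above is really a log-triage question: which of the scanner's requests are exact repeats, which are the same request sent with a different HTTP version or User-Agent (Jardel's suggestion), and which form the true/false pairs of a boolean-blind SQL injection probe (the 5=5 / 5=6 URLs in p8x's list). The script below is an added example, not code from the thread, from iiScan or from the JSky scanner. It parses Apache combined-format lines and groups them along those three axes. The log lines are constructed for the example: the URLs are taken from p8x's list, the request line and the NOSEC.JSky/1.0 User-Agent from the entry mrx quoted, and the single HTTP/1.1 variant is an assumption added to illustrate the header-variation case. The +0800 timestamps and the 216.18.22.46 source address are likewise reused from the thread rather than from a real capture.

```python
"""Triage of web-scanner noise in an Apache access log (added example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, the layout of the wp-login.php entry quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A numeric comparison appended to a parameter value after "and":
# "... and 5=5", "... and '5'='6", "%' and 5=6 and '%'='".  Groups 1 and 2 are
# the two sides; equal sides mean a tautology, unequal sides a contradiction.
BOOL_RE = re.compile(r"\band\s+'?(\d+)'?\s*=\s*'?(\d+)'?", re.IGNORECASE)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_signature(target):
    """Classify the query string of one request target.

    Returns (path, param, template, truth): template is the injected value with
    the compared numbers replaced by N (so the true and false variants of one
    probe share it), truth is True for 5=5, False for 5=6, None if no probe."""
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        m = BOOL_RE.search(value)          # parse_qsl already URL-decoded %20 / %25
        if m:
            template = BOOL_RE.sub("and N=N", value)
            return parts.path, name, template, m.group(1) == m.group(2)
    return parts.path, None, None, None


def triage(lines):
    """Summarise scanner behaviour in a list of access-log lines."""
    exact = Counter()                      # identical request, version and UA
    variants = defaultdict(set)            # same request, differing version / UA
    probes = defaultdict(set)              # truth values seen per probe template
    scanner_hits = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        exact[(rec["method"], rec["target"], rec["ver"], rec["ua"])] += 1
        variants[(rec["method"], rec["target"])].add((rec["ver"], rec["ua"]))
        path, param, template, truth = probe_signature(rec["target"])
        if param is not None:
            probes[(path, param, template)].add(truth)
        if "JSky" in rec["ua"]:            # scanner banner seen in mrx's log above
            scanner_hits += 1
    return {
        "duplicates": {k: n for k, n in exact.items() if n > 1},
        "header_variants": {k: v for k, v in variants.items() if len(v) > 1},
        # a parameter that received both a tautology and a contradiction
        "boolean_pairs": sorted(k for k, t in probes.items() if t == {True, False}),
        "scanner_requests": scanner_hits,
    }


UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) "
      "NOSEC.JSky/1.0")


def _line(ts, method, target, ver="1.0", ua=UA):
    """Build one constructed combined-format log line."""
    return (f'216.18.22.46 - - [07/Jan/2010:{ts} +0800] "{method} {target} HTTP/{ver}" '
            f'200 2554 "-" "{ua}"')


# Constructed sample: URLs from p8x's list, request line from mrx's quoted entry;
# the HTTP/1.1 line is an assumed variant, not something the thread reports.
SAMPLE_LOG = [
    _line("09:25:32", "POST", "/properblog/wp-login.php"),
    _line("09:25:36", "POST", "/properblog/wp-login.php"),
    _line("09:25:40", "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5"),
    _line("09:25:41", "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6"),
    _line("09:25:42", "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='"),
    _line("09:25:43", "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='"),
    _line("09:25:44", "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5", ver="1.1"),
    _line("09:25:45", "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5"),
]

if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(section, value)
```

On the sample, the two wp-login.php POSTs come out as an exact duplicate, the two `5=5` GETs differ only in HTTP version and so land under header variants rather than duplicates, and `submit_form` is reported twice under boolean pairs (once for the plain `'5'='5` form, once for the `%' ... '%'='` LIKE-style form) because both the tautology and the contradiction were sent. The heuristic is deliberately narrow: it only recognises numeric equality after `and`, so other probe styles (time-based, UNION, error-based) would need their own patterns, and on a real log the User-Agent filter should be applied before grouping so legitimate traffic does not inflate the counts.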
Current thread:
- iiscan results mrx (Jan 06)
- Re: iiscan results Vincent Chao (Jan 06)
- Message not available
- Re: iiscan results mrx (Jan 07)
- Re: iiscan results p8x (Jan 07)
- Re: iiscan results Jan G.B. (Jan 07)
- Re: iiscan results p8x (Jan 07)
- Re: iiscan results Jardel Weyrich (Jan 07)
- Re: iiscan results Robin Sage (Jan 07)
- Re: iiscan results mrx (Jan 07)
- Message not available
- Message not available
- Message not available
- Re: iiscan results mrx (Jan 07)
- Message not available
- Re: iiscan results mrx (Jan 07)