Full Disclosure mailing list archives
Re: iiscan results
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Thu, 7 Jan 2010 15:08:06 +0100
What you see is not an issue or error. It is what the application is supposed to do.

*As you can see, these requests are not the same.*

Thinking about multiple POST requests on WP-Login or your "logs" below, you could have guessed in the first place that the app is either trying multiple Login/Password combinations or (as seen below) some patterns to detect Injection possibilities.

Regards

2010/1/7 p8x <l () p8x net>
Hi Vincent,

I also experienced the same issue as mrx. I did see multiple get and post requests to the same page. As an example, I took a random page with a form on it, here are the totals:

    2 /password.html
    2 /password.html?key=88888&form_validated=12345&submit_form=88888
    2 /password.html?key=88888&form_validated=12345&submit_form=88888'
    2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
    2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
    2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
    2 /password.html?key=88888&submit_form=88888&form_validated=12345
    2 /password.html?key=88888&submit_form=88888&form_validated=12345'
    2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
    2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
    2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
    2 /password.html?submit_form=88888&form_validated=12345&key=88888
    2 /password.html?submit_form=88888&form_validated=12345&key=88888'
    2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
    2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
    2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
    4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
    4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
    4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
    4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
    4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
    4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
    4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
    4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
    4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:

Vincent,

Although the actual results of the scan were displayed in English in the online html report, the suggested solutions were in fact in Chinese.

Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:

    216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"

There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.

I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)

Hope this helps

regards
mrx

Vincent Chao wrote:

Thank you for your analysis. It really helps me. And I also found the PDF report mail to us is in Chinese, in the website of iiScan, however, to see the report of html or PDF format is English (of course can change to Chinese).

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of mrx
Sent: Wednesday, January 06, 2010 8:45 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] iiscan results

Well, this scanner managed to find a couple of low level vulnerabilities on my site which were missed by both Nikto and Nessus. Two directories allowed a directory listing and a test.php file I created, an information disclosure vulnerability, was also detected. My dumb ass forgot to delete this "test.php" file after I finished testing the server.

Possible sensitive directories were also listed, however browsing to these directories returned 403 errors, blank pages or a wordpress logon prompt, which is what I expected.

So all in all this scanner seems to do its job well. At least for a LAMP server running wordpress

Of course I have addressed the vulnerabilities reported.

My command of the Chinese language is limited to zero, so I cannot understand the pdf report emailed to me nor the information within the web based report. Hopefully the developers will address this language problem.

regards
mrx
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
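
The thread turns on whether near-identical log entries are duplicates or distinct probes. As an added example (not part of any poster's message and not the scanner's code), this Python sketch decodes access-log request lines and reports which parameters received both halves of a true/false comparison pair; the log lines are constructed, and the function names and regular expressions are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Request and user-agent fields of an Apache combined-format log line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "([^"]*)"')
# "and X=Y", with optional single quotes around either operand.
BOOL_RE = re.compile(r"\band\s+'?(\w+)'?\s*=\s*'?(\w+)'?", re.I)

def classify(value):
    """Label one decoded parameter value by the probe shape it carries."""
    m = BOOL_RE.search(value)
    if m:
        return "bool-true" if m.group(1) == m.group(2) else "bool-false"
    return "quote" if value.endswith("'") else "baseline"

def probe_families(lines):
    """Map (user_agent, path, param) -> set of probe labels seen."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a GET/POST line in combined format
        url = urlsplit(m.group(1))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            seen[(m.group(2), url.path, name)].add(classify(value))
    return dict(seen)

def boolean_tested(lines):
    """Parameters that received both halves of a true/false pair."""
    return sorted(key[1:] for key, labels in probe_families(lines).items()
                  if {"bool-true", "bool-false"} <= labels)

# Constructed log lines: documentation IP, made-up timestamp and sizes;
# the paths and user-agent string follow the ones quoted in the thread.
UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
      ".NET CLR 2.0.50727) NOSEC.JSky/1.0")
BASE = "/password.html?key=88888&form_validated=12345&submit_form=88888"
SAMPLE = [
    f'192.0.2.10 - - [07/Jan/2010:12:00:00 +0000] "GET {BASE}{s} HTTP/1.0" '
    f'200 512 "-" "{UA}"'
    for s in ("", "'", "%20and%205=5", "%20and%205=6", "'%20and%20'5'='5")
]

if __name__ == "__main__":
    for path, param in boolean_tested(SAMPLE):
        print(f"{path}: parameter {param!r} got a true/false comparison pair")
```

Grouping by decoded parameter value rather than by raw URL is what separates true repeats from requests that differ only in the appended comparison.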