Re: [Full-disclosure] iiscan results



Hi Jan,

I am not sure what you mean.

Maybe I should clarify: I used some bash magic to make it a bit easier
to read the results from my log file. Here is a copy of the log before I
made it easier to read: http://pastebin.com/m512018cb

If you read the above log file you will be able to see the duplicate
requests; as an example, these two timestamps have the same request:

[07/Jan/2010:09:25:32 +0800]
[07/Jan/2010:09:25:36 +0800]

I did the test twice, so the results in my previous post that were
requested twice can be ignored.

p8x
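The counting described above, together with the two points the rest of the thread turns on (byte-identical repeats versus requests that only reorder the same parameters, and the injection probe patterns in the query strings), as an added worked example; this is not code from the thread or from the iiScan project. It parses Apache "combined" log lines. The sample lines are constructed (RFC 5737 test addresses, made-up timestamps, status and sizes); the paths, payloads and the NOSEC.JSky/1.0 User-Agent suffix are the ones quoted in the thread. The probe classification (bare quote, boolean true/false condition) is my own heuristic, not anything the scanner documents.

```python
"""Triage scanner traffic in an Apache/nginx "combined" access log.

Added example for this thread, not code posted by anyone in it.  Log lines
are constructed; paths, payloads and the User-Agent suffix come from the thread.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

SCANNER_UA_TAG = "NOSEC.JSky"  # suffix of the User-Agent in mrx's log line

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Boolean-condition probe such as "and 5=5" or "and '5'='6" (heuristic, my own)
BOOL_RE = re.compile(r"\band\s+'?(\d+)'?\s*=\s*'?(\d+)'?", re.I)

SCANNER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
              ".NET CLR 2.0.50727) NOSEC.JSky/1.0")

def make_entry(ts, target, method="GET", ip="192.0.2.10", ua=SCANNER_UA):
    """Build one constructed combined-format log line (status and size are fixed)."""
    return f'{ip} - - [{ts}] "{method} {target} HTTP/1.0" 200 1024 "-" "{ua}"'

SAMPLE_LOG = "\n".join([
    # two byte-identical POSTs, like the ~100 wp-login.php entries mrx saw
    make_entry("06/Jan/2010:11:33:01 +0000", "/properblog/wp-login.php", method="POST"),
    make_entry("06/Jan/2010:11:33:01 +0000", "/properblog/wp-login.php", method="POST"),
    # same parameters in a different order: not identical lines, same request
    make_entry("07/Jan/2010:09:25:32 +0800",
               "/password.html?key=88888&form_validated=12345&submit_form=88888"),
    make_entry("07/Jan/2010:09:25:36 +0800",
               "/password.html?submit_form=88888&form_validated=12345&key=88888"),
    # injection probes on one parameter: bare quote, then true/false conditions
    make_entry("07/Jan/2010:09:25:37 +0800",
               "/password.html?key=88888&form_validated=12345&submit_form=88888'"),
    make_entry("07/Jan/2010:09:25:38 +0800",
               "/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5"),
    make_entry("07/Jan/2010:09:25:39 +0800",
               "/password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6"),
    make_entry("07/Jan/2010:09:25:40 +0800",
               "/password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='"),
    # an ordinary visitor, for contrast
    make_entry("07/Jan/2010:09:26:00 +0800", "/password.html", ip="192.0.2.20", ua="Mozilla/5.0"),
])

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_params(target):
    """Split a request target into its path and URL-decoded (name, value) pairs."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def classify_value(value):
    """Label a decoded parameter value as an injection probe, or None if it looks plain."""
    m = BOOL_RE.search(value)
    if m:
        return "boolean-true" if m.group(1) == m.group(2) else "boolean-false"
    if "'" in value:
        return "quote"
    return None

def summarize(log_text):
    """Count requests exactly as logged and after normalisation, and list probes."""
    exact = Counter()       # (method, target) byte-for-byte, what p8x counted
    normalized = Counter()  # (method, path, sorted decoded params)
    probes = []             # (timestamp, path, parameter, probe kind)
    scanner_ips = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        exact[(rec["method"], rec["target"])] += 1
        path, params = decode_params(rec["target"])
        normalized[(rec["method"], path, tuple(sorted(params)))] += 1
        if SCANNER_UA_TAG in rec["ua"]:
            scanner_ips.add(rec["ip"])
        for name, value in params:
            kind = classify_value(value)
            if kind is not None:
                probes.append((rec["ts"], path, name, kind))
    return {"exact": exact, "normalized": normalized,
            "probes": probes, "scanner_ips": scanner_ips}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (method, target), n in sorted(s["exact"].items(), key=lambda kv: kv[1]):
        print(f"{n} {method} {target}")          # p8x-style count per request
    for (method, path, params), n in s["normalized"].items():
        if n > 1:
            print(f"{n}x after normalisation: {method} {path} {dict(params)}")
    for ts, path, name, kind in s["probes"]:
        print(f"[{ts}] {path} param={name} probe={kind}")
    print("scanner source(s):", ", ".join(sorted(s["scanner_ips"])))
```

Run it as a script for a p8x-style count-per-request listing; for a real log, replace SAMPLE_LOG with the file contents. The "exact" counter reproduces what the bash one-liner sees; the normalised key is what separates requests that are genuinely repeated from ones that merely reorder the same parameters, and the per-parameter classification is what turns a wall of near-identical URLs into "which parameter is being probed, and with what".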

On 7/01/2010 10:08 PM, Jan G.B. wrote:
What you see is not an issue or error. It is, what the application is
supposed to do.

* As you can see, these requests are not the same.
* Thinking about multiple POST requests on WP-Login or your "logs"
below, you could have guessed in the first place that the app is either
trying multiple Login/Password combinations or (as seen below) some
patterns to detect Injection possibilities.

Regards

2010/1/7 p8x <l@xxxxxxx>

Hi Vincent,

I also experienced the same issue as mrx. I did see multiple GET and POST
requests to the same page.

As an example, I took a random page with a form on it, here are the
totals:

2 /password.html
2 /password.html?key=88888&form_validated=12345&submit_form=88888
2 /password.html?key=88888&form_validated=12345&submit_form=88888'
2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
2 /password.html?key=88888&submit_form=88888&form_validated=12345
2 /password.html?key=88888&submit_form=88888&form_validated=12345'
2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
2 /password.html?submit_form=88888&form_validated=12345&key=88888
2 /password.html?submit_form=88888&form_validated=12345&key=88888'
2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with
emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:
> Vincent,
>
> Although the actual results of the scan were displayed in English in the online html report,
> the suggested solutions were in fact in Chinese.
>
> Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
>
> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>
> There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
>
>
> I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
>
> Hope this helps
>
> regards
> mrx
>
>
>
> Vincent Chao wrote:
>> Thank you for your analysis. It really helps me.
>
>> And I also found the PDF report mailed to us is in Chinese; on the iiScan website,
>> however, the HTML or PDF report is in English (of course it can be changed to Chinese).
>
>> -----Original Message-----
>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of mrx
>> Sent: Wednesday, January 06, 2010 8:45 PM
>> To: full-disclosure@xxxxxxxxxxxxxxxxx
>> Subject: [Full-disclosure] iiscan results
>
>> Well, this scanner managed to find a couple of low level vulnerabilities on my site which were missed by both Nikto and Nessus.
>
>> Two directories allowed a directory listing and a test.php file I created, an information disclosure vulnerability, was also detected. My dumb ass forgot to delete this "test.php" file after I finished testing the server.
>
>> Possible sensitive directories were also listed, however browsing to these directories returned 403 errors, blank pages or a wordpress logon prompt, which is what I expected.
>
>> So all in all this scanner seems to do its job well. At least for a LAMP server running wordpress.
>
>> Of course I have addressed the vulnerabilities reported.
>
>> My command of the Chinese language is limited to zero, so I cannot understand the pdf report emailed to me nor the information within the web based report. Hopefully the developers will address this language problem.
>
>> regards
>> mrx
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
