Re: [Full-disclosure] iiscan results



It's probably trying to get different results/responses by changing
the values of some request headers. The most common scenario, as far
as I've seen, and as oddly as it might sound, is the User-Agent and
HTTP minor version.

A more verbose logging strategy would demystify. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x <l@xxxxxxx> wrote:
Hi Jan,

I am not sure what you mean.

Maybe I should clarify, I used some bash magic to make it a bit easier
to read the results from my log file. Here is a copy of the log pre me
making it easy to read: http://pastebin.com/m512018cb

If you read the above log file you will be able to see the duplicate
requests; as an example, these two timestamps have the same request:

[07/Jan/2010:09:25:32 +0800]
[07/Jan/2010:09:25:36 +0800]

I did the test twice, so the results in my previous post that were
requested twice can be ignored.

p8x

On 7/01/2010 10:08 PM, Jan G.B. wrote:
What you see is not an issue or error. It is, what the application is
supposed to do.

* As you can see, these requests are not the same.
* Thinking about multiple POST requests on WP-Login or your "logs"
below, you could have guessed in the first place that the app is either
trying multiple Login/Password combinations or (as seen below) some
patterns to detect Injection possibilities.

Regards

2010/1/7 p8x <l@xxxxxxx>

    Hi Vincent,

    I also experienced the same issue as mrx. I did see multiple GET and POST
    requests to the same page.

    As an example, I took a random page with a form on it, here are the
    totals:

         2 /password.html
         2 /password.html?key=88888&form_validated=12345&submit_form=88888
         2 /password.html?key=88888&form_validated=12345&submit_form=88888'
         2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
         2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
         2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
         2 /password.html?key=88888&submit_form=88888&form_validated=12345
         2 /password.html?key=88888&submit_form=88888&form_validated=12345'
         2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
         2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
         2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
         2 /password.html?submit_form=88888&form_validated=12345&key=88888
         2 /password.html?submit_form=88888&form_validated=12345&key=88888'
         2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
         2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
         2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
         4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
         4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
         4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
         4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
         4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
         4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
         4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
         4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
         4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

    Also, the contact forms on the websites I tested got hammered with
    emails (and they also seemed to have duplicate requests).

    p8x

    On 7/01/2010 8:00 PM, mrx wrote:
    > Vincent,
    >
    > Although the actual results of the scan were displayed in English in the online html report,
    > the suggested solutions were in fact in Chinese.
    >
    > Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
    >
    > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
    >
    > There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
    >
    >
    > I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
    >
    > Hope this helps
    >
    > regards
    > mrx
    >
    >
    >
    > Vincent Chao wrote:
    >> Thank you for your analysis. It really helps me.
    >
    >> And I also found the PDF report mailed to us is in Chinese; however, on the iiScan website the report in HTML or PDF format is in English (of course it can be changed to Chinese).
    >
    >> -----Original Message-----
    >> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
    >> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of mrx
    >> Sent: Wednesday, January 06, 2010 8:45 PM
    >> To: full-disclosure@xxxxxxxxxxxxxxxxx
    >> Subject: [Full-disclosure] iiscan results
    >
    >> Well, this scanner managed to find a couple of low level vulnerabilities on my site which were missed by both Nikto and Nessus.
    >
    >> Two directories allowed a directory listing and a test.php file I created, an information disclosure vulnerability, was also detected. My dumb ass forgot to delete this "test.php" file after I finished testing the server.
    >
    >> Possible sensitive directories were also listed, however browsing to these directories returned 403 errors, blank pages or a wordpress logon prompt, which is what I expected.
    >
    >> So all in all this scanner seems to do its job well. At least for a LAMP server running wordpress.
    >
    >> Of course I have addressed the vulnerabilities reported.
    >
    >> My command of the Chinese language is limited to zero, so I cannot understand the pdf report emailed to me nor the information within the web based report. Hopefully the developers will address this language problem.
    >
    >> regards
    >> mrx
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    >
    >
    >


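Jan's reply at the top of this thread suggests the scanner re-sends a request with a different User-Agent or HTTP minor version and that more verbose logging would show it; p8x counted repeated request lines with some bash. The script below, an added example that is not part of this thread and not the scanner's or anyone's code from it, does that count over combined-format access log lines and reports, for each request that repeats, which of the fields the log actually records differed between the repeats. The log lines are constructed for the example, modelled on the entry mrx quoted; `parse_line`, `group_requests` and `explain_repeats` are names chosen here.

```python
import re
from collections import defaultdict

# Regex for the Apache/nginx "combined" log format:
# client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log, modelled on the line quoted in the thread: the same
# POST repeated with a different HTTP minor version, a GET repeated with no
# visible difference, and a single request that repeats nothing.
SAMPLE_LOG = """\
216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
216.18.22.46 - - [06/Jan/2010:11:33:02 +0000] "POST /properblog/wp-login.php HTTP/1.1" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
216.18.22.46 - - [06/Jan/2010:11:33:03 +0000] "GET /password.html HTTP/1.0" 200 1020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
216.18.22.46 - - [06/Jan/2010:11:33:04 +0000] "GET /password.html HTTP/1.0" 200 1020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
216.18.22.46 - - [06/Jan/2010:11:33:05 +0000] "GET /robots.txt HTTP/1.0" 404 210 "-" "NOSEC.JSky/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def group_requests(lines):
    """Group log lines by (method, path), keeping the timestamps and the set of
    protocol versions and User-Agents seen for that request line."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "protos": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        g = groups[(rec["method"], rec["path"])]
        g["count"] += 1
        g["times"].append(rec["time"])
        g["protos"].add(rec["proto"])
        g["agents"].add(rec["agent"])
    return dict(groups)


def explain_repeats(groups):
    """For every request line seen more than once, list which logged fields varied
    between the repeats. An empty list means the log shows nothing that
    distinguishes the repeats, so the difference (if any) is in a header the
    log format does not record."""
    report = {}
    for key, g in groups.items():
        if g["count"] < 2:
            continue
        varied = []
        if len(g["protos"]) > 1:
            varied.append("proto")
        if len(g["agents"]) > 1:
            varied.append("user-agent")
        report[key] = {"count": g["count"], "varied": varied}
    return report


if __name__ == "__main__":
    groups = group_requests(SAMPLE_LOG.splitlines())
    for (method, path), info in sorted(explain_repeats(groups).items()):
        what = ", ".join(info["varied"]) or "nothing visible in the log"
        print(f"{info['count']:>3} {method} {path}  varied: {what}")
```

The stock combined format records only two request headers, Referer and User-Agent, so a repeat that this script reports as identical may still differ in a header the format never wrote down. That is what a "more verbose logging strategy" means in practice: with Apache's mod_log_config, adding fields such as `%{Accept}i` or `%{Host}i` to the `LogFormat` line (the `%{Name}i` syntax logs the named request header) lets the same grouping show what the scanner changed.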