Message-ID: <4B45E7D0.1020305@p8x.net>
Date: Thu, 07 Jan 2010 21:55:28 +0800
From: p8x <l@....net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: iiscan results

Hi Vincent,

I also experienced the same issue as mrx. I did see multiple get and post
requests to the same page.

As an example, I took a random page with a form on it, here are the totals:

      2 /password.html
      2 /password.html?key=88888&form_validated=12345&submit_form=88888
      2 /password.html?key=88888&form_validated=12345&submit_form=88888'
      2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
      2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
      2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
      2 /password.html?key=88888&submit_form=88888&form_validated=12345
      2 /password.html?key=88888&submit_form=88888&form_validated=12345'
      2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
      2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
      2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
      2 /password.html?submit_form=88888&form_validated=12345&key=88888
      2 /password.html?submit_form=88888&form_validated=12345&key=88888'
      2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
      2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
      2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
      4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
      4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
      4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
      4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
      4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
      4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
      4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
      4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
      4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='

Also, the contact forms on the websites I tested got hammered with
emails (and they also seemed to have duplicate requests).

p8x

On 7/01/2010 8:00 PM, mrx wrote:
> Vincent,
> 
> Although the actual results of the scan were displayed in English in the online html report,
> the suggested solutions were in fact in Chinese.
> 
> Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
> 
> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
> 
> There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
> 
> 
> I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my
> selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
> 
> Hope this helps
> 
> regards
> mrx
> 
> 
> 
> Vincent Chao wrote:
>> Thank you for your analysis. It really helps me.
> 
>> And I also found the PDF report mail to us is in Chinese, in the website of
>> iiScan, however, to see the report of html or PDF format is English (of
>> course can change to Chinese).
> 
>> -----Original Message-----
>> From: full-disclosure-bounces@...ts.grok.org.uk
>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of mrx
>> Sent: Wednesday, January 06, 2010 8:45 PM
>> To: full-disclosure@...ts.grok.org.uk
>> Subject: [Full-disclosure] iiscan results
> 
>> Well, this scanner managed to find a couple of low level vulnerabilities on
>> my site which were missed by both Nikto and Nessus.
> 
>> Two directories allowed a directory listing and a test.php file I created,
>> an information disclosure vulnerability, was also detected. My dumb
>> ass forgot to delete this "test.php" file after I finished testing the
>> server.
> 
>> Possible sensitive directories were also listed, however browsing to these
>> directories returned 403 errors, blank pages or a wordpress logon
>> prompt, which is what I expected.
> 
>> So all in all this scanner seems to do its job well. At least for a LAMP
>> server running wordpress
> 
>> Of course I have addressed the vulnerabilities reported.
> 
>> My command of the Chinese language is limited to zero, so I cannot
>> understand the pdf report emailed to me nor the information within the web
>> based report. Hopefully the developers will address this language problem.
> 
>> regards
>> mrx
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> 
> 
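
An added example, not part of the original posts: one way to reproduce the per-URL tally above from an access log and go a step further, grouping the scanner's probes by parameter regardless of parameter order and flagging parameters that received both a true and a false condition. The log lines are constructed from the URLs and User-Agent quoted in this thread; the address 192.0.2.10 and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

# Request line, status, size, referrer, User-Agent of an Apache combined log entry.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"')
# First "and X=Y" comparison appended to a parameter value (quotes optional).
BOOL_RE = re.compile(r"\band\s+'?(\w+)'?\s*=\s*'?(\w+)", re.I)

def classify(value):
    """Label a decoded parameter value as a true/false/quote probe, or None."""
    m = BOOL_RE.search(value)
    if m:
        return "true" if m.group(1) == m.group(2) else "false"
    return "quote" if value.endswith("'") else None

def probe_pairs(lines, ua_token):
    """Per (path, parameter), count probes by kind for one User-Agent token."""
    seen = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or ua_token not in m.group(2):
            continue
        url = urlsplit(m.group(1))
        # parse_qsl URL-decodes each value, so parameter order no longer matters.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                seen[(url.path, name)][kind] += 1
    return seen

def boolean_tested(seen):
    """Parameters sent both a true and a false condition (boolean-based SQLi test)."""
    return sorted(k for k, c in seen.items() if c["true"] and c["false"])

UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
def _line(url, ua=UA):  # constructed sample line; 192.0.2.10 is a documentation address
    return f'192.0.2.10 - - [06/Jan/2010:11:33:01 +0000] "GET {url} HTTP/1.0" 200 2554 "-" "{ua}"'

SAMPLE = [  # constructed from the URLs listed in the post
    _line("/password.html?key=88888&form_validated=12345&submit_form=88888"),
    _line("/password.html?key=88888&form_validated=12345&submit_form=88888'"),
    _line("/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6"),
    _line("/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5"),
    _line("/password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5"),
    _line("/password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6"),
    _line("/password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5"),
    _line("/password.html?key=1%20and%205=5", ua="Mozilla/5.0"),  # other client, ignored
]
```

Calling `boolean_tested(probe_pairs(SAMPLE, "NOSEC.JSky"))` lists the `key` and `submit_form` parameters of `/password.html`; on a real log, pass the file's lines instead of `SAMPLE`.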
