A closer look at the iiscan

2010-01-09 11:15:32  Author: root

http://blog.sucuri.net/2010/01/closer-look-at-iiscan.html
The free IIScan was recently announced on the full-disclosure list, and I took the time to review it. It was announced as a new-generation web application security platform that detects XSS, SQL injection and so on, all online and free. (The requests it sends identify the engine behind the service as NOSEC.JSky/1.0.)

Let's see how it worked. I pointed it at the http://sucuri.net site, and this is what it did:

IP addresses used
They scanned from two IPs: 216.18.22.46 and 58.60.26.171

User agent
This is what their user agent looked like: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"

Actions
They started by calibrating the 404 response (requesting two files that cannot exist, so that a custom or "soft" 404 page is not later mistaken for a hit) and fetching a few initial files:
GET / HTTP/1.0 200
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET /robots.txt HTTP/1.1 404


After that, they tried the PUT, TRACE, TRACK and DELETE methods (sometimes more than once for the same file):
TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_web_scanner_test_file.txt HTTP/1.1 405
PUT /jsky_test.txt HTTP/1.1 405
DELETE /Jsky_test_no_exists_file.txt HTTP/1.1 405
TRACE /TRACE_test HTTP/1.1 200
TRACK /TRACK_test HTTP/1.1 501
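The two phases above, 404 calibration and HTTP method probing, replayed as an added example. This is not iiscan/JSky code and the server is not sucuri.net: it is a mock server constructed for this example that runs on 127.0.0.1 for the duration of the demo and deliberately answers unknown paths with a "soft 404" (status 200 plus a not-found page), which is exactly the case the never_could_exist_file probe exists to catch. The probe paths are the ones from the log; the site content is made up.

```python
# Added example (not iiscan/JSky code, not sucuri.net): the scanner's first two
# phases, 404 calibration and HTTP method probing, replayed against a mock
# server constructed for this example. It answers unknown paths with a
# "soft 404" (200 + not-found page) to show why the scanner fetches a file
# that cannot exist before it believes any 200.
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed site content: only these two paths really exist.
KNOWN_PATHS = {
    "/": b"<html><body>index</body></html>",
    "/robots.txt": b"User-agent: *\nDisallow: /private/\n",
}
SOFT_404_BODY = b"<html><body>Sorry, that page was not found.</body></html>"


class MockHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body, ctype="text/html"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        body = KNOWN_PATHS.get(self.path)
        if body is None:
            self._reply(200, SOFT_404_BODY)   # wrong status code on purpose
        else:
            self._reply(200, body)

    def do_TRACE(self):
        # TRACE echoes the request line and headers back: the behaviour the scan flagged
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self._reply(200, echo, "message/http")

    def do_PUT(self):
        self._reply(405, b"Method Not Allowed", "text/plain")

    do_DELETE = do_PUT
    # No do_TRACK: BaseHTTPRequestHandler answers 501 for unknown methods

    def log_message(self, *args):
        pass  # keep the demo quiet


def fetch(port, method, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fingerprint(status, body):
    return status, hashlib.sha256(body).hexdigest()


def scan(port, candidates):
    # Phase 1: ask for a file that cannot exist to learn what "not found" looks like
    baseline = fingerprint(*fetch(port, "GET", "/never_could_exist_file.nosec"))
    found = []
    for path in candidates:
        fp = fingerprint(*fetch(port, "GET", path))
        # A 200 only counts if it differs from the not-found baseline
        if fp[0] == 200 and fp != baseline:
            found.append(path)
    # Phase 2: dangerous methods, same probe names as in the log above
    methods = {}
    for method, path in [("TRACE", "/TRACE_test"), ("PUT", "/jsky_test.txt"),
                         ("DELETE", "/Jsky_test_no_exists_file.txt"), ("TRACK", "/TRACK_test")]:
        methods[method] = fetch(port, method, path)[0]
    return {
        "baseline_status": baseline[0],
        "found": found,
        "methods": methods,
        "issues": [m for m, status in methods.items() if status == 200],
    }


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), MockHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return scan(server.server_address[1],
                    ["/", "/robots.txt", "/install.php", "/wp-content/", "/index.php.bak"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Running it reports only / and /robots.txt as found, even though the server returned 200 for every path, and lists TRACE as the only method issue: the same outcome the real scan reached, and the reason a scanner that skips the calibration step drowns you in false positives on a site with a custom error page.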


After that they sent a few simple reflected-XSS probes against the URL path itself (the number 42873 is a marker the scanner can look for in the response body):
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404


Then it looked for common mistakes, such as backup or archived copies of PHP files (index.php.bak, .zip, ~ and so on), exposed logs, installer leftovers and configuration files, plus common application directories (wp-content, etc.):

GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET / HTTP/1.0 200
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /sitemap.gz HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET / HTTP/1.0 200
GET /server-info HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET / HTTP/1.0 200
GET /robots.txt HTTP/1.1 404
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET / HTTP/1.1 200
GET /wp-content/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /logfiles/ HTTP/1.1 404
GET / HTTP/1.1 200
GET /index.php.BAK HTTP/1.0 404
PUT /jsky_test.txt HTTP/1.1 405
GET /index.php.zip HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /sitemap.gz HTTP/1.1 404
GET /index.php.BAK HTTP/1.0 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /index.php.zip HTTP/1.0 404
GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET /rss.xml HTTP/1.1 302
GET /index.php.ZIP HTTP/1.0 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /index.php.tar.gz HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /index.php.temp HTTP/1.0 404
GET /server-info HTTP/1.1 404
GET /wp-content/ HTTP/1.1 404
GET /logfiles/ HTTP/1.1 404
GET /index.php.save HTTP/1.0 404
GET /main.css HTTP/1.1 200
GET /index.php.backup HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.orig HTTP/1.0 404
GET /log/ HTTP/1.1 404
GET /index.php~ HTTP/1.0 404
GET /data/ HTTP/1.1 404
GET /logs/ HTTP/1.1 404
GET /index.php~1 HTTP/1.0 404
GET /index.php.cs HTTP/1.0 404
GET /datas/ HTTP/1.1 404
GET /?page=home HTTP/1.1 200
GET /index.php.java HTTP/1.0 404
GET /example/ HTTP/1.1 404
GET /index.php.class HTTP/1.0 404
GET /examples/ HTTP/1.1 404
GET /index.php.rar HTTP/1.0 404
GET /upload/ HTTP/1.1 404
GET /WebService/ HTTP/1.1 404
GET /index.php.tmp HTTP/1.0 404
GET /inc/ HTTP/1.1 404
GET /include/ HTTP/1.1 404
GET /old/ HTTP/1.1 404
GET /manage/ HTTP/1.1 404
GET /db/ HTTP/1.1 404
GET /aspnet/ HTTP/1.1 404
GET /htdocs/ HTTP/1.1 404
GET /conf/ HTTP/1.1 404
GET /config/ HTTP/1.1 404
GET /private/ HTTP/1.1 404
GET /admin/ HTTP/1.1 404
GET /administrator/ HTTP/1.1 404
GET /webadmin/ HTTP/1.1 404
GET /database/ HTTP/1.1 404
GET /samples/ HTTP/1.1 404
GET /member/ HTTP/1.1 404
GET /members/ HTTP/1.1 404
GET /pass.txt HTTP/1.1 404
GET /passwd HTTP/1.1 404
GET /users.txt HTTP/1.1 404
GET /users.ini HTTP/1.1 404
GET /install.log HTTP/1.1 403
GET /database.inc HTTP/1.1 404
GET /.bash_history HTTP/1.1 404
GET /.bashrc HTTP/1.1 404
GET /Web.config HTTP/1.1 404
GET /Global.asax HTTP/1.1 404
GET /Global.asa HTTP/1.1 404
GET /Global.asax.cs HTTP/1.1 404
GET /test.asp HTTP/1.1 404
GET /test.php HTTP/1.1 404
GET /test.jsp HTTP/1.1 404
GET /test.aspx HTTP/1.1 404
GET /admin.asp HTTP/1.1 404
GET /data.mdb HTTP/1.1 404


After that, they detected my page structure (the page= parameter on the front page) and tried a few SQL injection, XSS and other attacks on it. The 5=5 / 5=6 requests are boolean-based blind SQL injection probes sent in pairs: an always-true suffix should leave the page unchanged and an always-false one should change it, which is what tells the scanner the value reached a database. Two things are worth noticing in the log: the first batch carries an oddly formed query string (page=scan&page=scan?scan=88888), and most of the probes went to /index.html?page=..., which returned 404, even though the page it had found was /?page=home (200), so those responses say nothing about the application:
GET /index.php?page=scan&page=scan?scan=88888 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=6 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='6 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.html?page=home%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=homealert(42873) HTTP/1.1 404
GET /index.html?page=home%2527 HTTP/1.0 404
GET /?page=docs&title=daily HTTP/1.1 200
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%5C' HTTP/1.0 404
GET /index.html?page=home%5C%22 HTTP/1.0 404
GET /index.html?page=homeJyI%3D HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home%bf%27 HTTP/1.0 404
GET /?page=practical&pid=13 HTTP/1.1 200
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home/ HTTP/1.0 404
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home%20and%205=6 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404


They also found the daily tips page (page=docs&title=daily) and the practical page (page=practical&pid=13) and ran the same set of probes against each, again at /index.html, where everything returned 404:
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%2527 HTTP/1.0 404
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%5C' HTTP/1.0 404
GET /index.html?page=docs&title=daily%5C%22 HTTP/1.0 404
GET /index.html?page=docs&title=dailyJyI%3D HTTP/1.0 404
GET /index.html?page=docs&title=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title=daily%bf%27 HTTP/1.0 404
GET /index.html?page=docs&title=daily HTTP/1.0 404
GET /index.html?page=docs&title=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title=daily/ HTTP/1.0 404
GET /index.html?page=docs&title=daily HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=6 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=practical&pid=13alert(42873) HTTP/1.1 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%2527 HTTP/1.0 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%5C' HTTP/1.0 404
GET /index.html?page=practical&pid=13%5C%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13JyI%3D HTTP/1.0 404
GET /index.html?page=practical&pid=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13%bf%27 HTTP/1.0 404
GET /index.html?page=practical&pid=13 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13/ HTTP/1.0 404
GET /index.html?page=practical&pid=13 HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=6 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
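The inference behind the probe pairs sent against page=, title= and pid= above, as an added example. This is not iiscan/JSky or sucuri.net code: three constructed page handlers build SQL by string concatenation in the three contexts the scanner probes (bare number, single-quoted string, LIKE '%...%' pattern), a fourth binds the value as a parameter, and the data is a constructed in-memory SQLite table. The decoded probe suffixes are taken from the log lines; the table, column and page names are assumptions.

```python
# Added example, not iiscan/JSky or sucuri.net code: the inference behind the
# 5=5 / 5=6 probe pairs in the log. Three constructed page handlers build SQL by
# string concatenation in the three contexts the scanner probes (bare number,
# single-quoted string, LIKE '%...%' pattern); a fourth binds the value as a
# parameter. The data is a constructed in-memory SQLite table.
import sqlite3

# The scanner's three probe pairs, decoded from the log: each pair is an
# always-true suffix and an always-false suffix for one SQL context.
PROBE_PAIRS = {
    "numeric": (" and 5=5", " and 5=6"),
    "quoted": ("' and '5'='5", "' and '5'='6"),
    "like": ("%' and 5=5 and '%'='", "%' and 5=6 and '%'='"),
}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips (pid INTEGER, title TEXT, body TEXT)")
    db.executemany("INSERT INTO tips VALUES (?, ?, ?)", [
        (13, "daily", "constructed tip 13"),
        (14, "weekly", "constructed tip 14"),
    ])
    return db


def render(db, sql, params=()):
    # What the "page" shows: the matching rows, a not-found text, or an error page
    try:
        rows = db.execute(sql, params).fetchall()
    except sqlite3.Error:
        return "500 database error"
    return "\n".join(row[0] for row in rows) or "no such tip"


def vulnerable_pid_page(db, pid):      # ?pid=13 pasted into a numeric comparison
    return render(db, "SELECT body FROM tips WHERE pid = " + pid)


def vulnerable_title_page(db, title):  # ?title=daily pasted into a quoted string
    return render(db, "SELECT body FROM tips WHERE title = '" + title + "'")


def vulnerable_search_page(db, q):     # ?q=dai pasted into a LIKE pattern
    return render(db, "SELECT body FROM tips WHERE title LIKE '%" + q + "%'")


def safe_pid_page(db, pid):            # the fix: the value is bound, never parsed as SQL
    return render(db, "SELECT body FROM tips WHERE pid = ?", (pid,))


def infer_injection(page, value):
    """Scanner-side rule: a context is injectable when the always-true probe
    leaves the page identical to the original and the always-false probe
    changes it. Returns the list of contexts that fired."""
    base = page(value)
    return [ctx for ctx, (true_sfx, false_sfx) in PROBE_PAIRS.items()
            if page(value + true_sfx) == base and page(value + false_sfx) != base]


def run_demo():
    db = make_db()
    return {
        "vulnerable_pid": infer_injection(lambda v: vulnerable_pid_page(db, v), "13"),
        "vulnerable_title": infer_injection(lambda v: vulnerable_title_page(db, v), "daily"),
        "vulnerable_search": infer_injection(lambda v: vulnerable_search_page(db, v), "dai"),
        "safe_pid": infer_injection(lambda v: safe_pid_page(db, v), "13"),
    }


if __name__ == "__main__":
    for name, contexts in run_demo().items():
        print(f"{name}: {contexts or 'no injection detected'}")
```

Each vulnerable handler fires for exactly one context, which is why the scanner sends all three pairs: the quoted pair produces a syntax error (and so an identical error page for both halves) against the numeric query, and the numeric pair is just a string that matches nothing against the quoted one. The parameterised handler never fires, because the whole suffix is compared as data and both halves of every pair produce the same "no such tip" page.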


And that was the whole scan. The only issue they found was that we allowed the TRACE method, but I think they did a good job looking for different types of vulnerabilities. (TRACE gets flagged because the server echoes the request, headers included, back to the client, which is what cross-site tracing abuses; on Apache it is switched off with TraceEnable off.)
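The flip side of this log, as an added example that is not part of the original post: a detector that reads combined-format access log lines and flags the iiscan/JSky scan from the fingerprints listed above. The user agent is attacker-controlled, so the detector also keys on behaviour: the never_could_exist_file 404-calibration probe, the jsky_* / TRACE_test method probes, the alert(42873) XSS marker and the 5=5 / 5=6 blind SQL injection pairs. The log lines are constructed for this example from the IPs, user agent and request lines reported in the post; the 203.0.113.0/24 addresses, the browser user agent and the thresholds in the verdict are assumptions.

```python
# Added example, not from the original post: a detector that reads combined-format
# access log lines and flags the iiscan/JSky scan from the fingerprints the post
# lists. The log lines are constructed for this example from the IPs, user agent
# and request lines reported in the post; 203.0.113.0/24 is documentation address
# space used for the benign and spoofed-user-agent cases.
import re
from collections import defaultdict

JSKY_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) "
           "NOSEC.JSky/1.0")
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/5.0"

SAMPLE_LOG = [
    f'216.18.22.46 - - [09/Jan/2010:10:02:11 -0500] "GET / HTTP/1.0" 200 5123 "-" "{JSKY_UA}"',
    f'216.18.22.46 - - [09/Jan/2010:10:02:11 -0500] "GET /never_could_exist_file.nosec HTTP/1.0" 404 312 "-" "{JSKY_UA}"',
    f'58.60.26.171 - - [09/Jan/2010:10:02:14 -0500] "TRACE /TRACE_test HTTP/1.1" 200 210 "-" "{JSKY_UA}"',
    f'58.60.26.171 - - [09/Jan/2010:10:02:14 -0500] "PUT /jsky_test.txt HTTP/1.1" 405 231 "-" "{JSKY_UA}"',
    f'58.60.26.171 - - [09/Jan/2010:10:02:15 -0500] "GET /%3Cscript%3Ealert(42873) HTTP/1.1" 404 312 "-" "{JSKY_UA}"',
    f'58.60.26.171 - - [09/Jan/2010:10:02:40 -0500] "GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0" 404 312 "-" "{JSKY_UA}"',
    f'58.60.26.171 - - [09/Jan/2010:10:02:40 -0500] "GET /index.html?page=docs&title=daily%20and%205=6 HTTP/1.0" 404 312 "-" "{JSKY_UA}"',
    # Ordinary visitor: must not be flagged
    f'203.0.113.7 - - [09/Jan/2010:10:03:01 -0500] "GET /?page=home HTTP/1.1" 200 5123 "-" "{BROWSER_UA}"',
    # Same calibration probe with the scanner string removed from the user agent
    f'203.0.113.9 - - [09/Jan/2010:10:04:12 -0500] "GET /never_could_exist_file.nosec HTTP/1.0" 404 312 "-" "{BROWSER_UA}"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

UA_SIGNATURE = "NOSEC.JSky"
# Behavioural signatures: name -> predicate over a parsed record
BEHAVIOURS = {
    "404_calibration": lambda r: "never_could_exist_file" in r["path"],
    "method_probe": lambda r: r["method"] in ("PUT", "DELETE", "TRACE", "TRACK")
                              and ("jsky" in r["path"].lower()
                                   or r["path"] in ("/TRACE_test", "/TRACK_test")),
    "xss_marker": lambda r: "alert(42873)" in r["path"],
    "blind_sqli_pair": lambda r: re.search(r"(?i)and%205=[56]", r["path"]) is not None,
}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Group requests by source IP and return, per IP, the request count, the
    matched signatures and a verdict. 'scanner' needs the UA string or at least
    two distinct behaviours; one behaviour alone is only 'suspicious'."""
    per_ip = defaultdict(lambda: {"requests": 0, "signatures": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if UA_SIGNATURE in rec["ua"]:
            entry["signatures"].add("user_agent")
        for name, pred in BEHAVIOURS.items():
            if pred(rec):
                entry["signatures"].add(name)
    report = {}
    for ip, entry in per_ip.items():
        behaviours = entry["signatures"] - {"user_agent"}
        if "user_agent" in entry["signatures"] or len(behaviours) >= 2:
            verdict = "scanner"
        elif behaviours:
            verdict = "suspicious"
        else:
            verdict = "benign"
        report[ip] = {"requests": entry["requests"],
                      "signatures": sorted(entry["signatures"]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["signatures"])
```

Both scan IPs come out as "scanner", the ordinary visitor as "benign", and the host that repeated the .nosec probe under a browser user agent as "suspicious": the calibration file name and the fixed 42873 marker are better signals than the user agent string, because the scanner needs them to work and a client can change the user agent at will.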
