It's probably trying to get different results/responses by changing the values of some request headers. The most common scenario, as far as I've seen, and as odd as it might sound, is the User-Agent and HTTP minor version.
A more verbose logging strategy would demystify. Or maybe Vincent?

On Thu, Jan 7, 2010 at 12:28 PM, p8x <[email protected]> wrote:
> Hi Jan,
>
> I am not sure what you mean.
>
> Maybe I should clarify, I used some bash magic to make it a bit easier
> to read the results from my log file. Here is a copy of the log pre me
> making it easy to read: http://pastebin.com/m512018cb
>
> If you read the above log file you will be able to see the duplicate
> requests, as an example these two time stamps have the same request:
>
> [07/Jan/2010:09:25:32 +0800]
> [07/Jan/2010:09:25:36 +0800]
>
> I did the test twice, so the results in my previous post that were
> requested twice can be ignored.
>
> p8x
>
> On 7/01/2010 10:08 PM, Jan G.B. wrote:
>> What you see is not an issue or error. It is, what the application is
>> supposed to do.
>>
>> * As you can see, these requests are not the same.
>> * Thinking about multiple POST requests on WP-Login or your "logs"
>> below, you could have guessed in the first place that the app is either
>> trying multiple Login/Password combinations or (as seen below) some
>> patterns to detect Injection possibilities.
>>
>> Regards
>>
>> 2010/1/7 p8x <[email protected] <mailto:[email protected]>>
>>
>> Hi Vincent,
>>
>> I also experienced the same issue as mrx. I did see multiple get and post
>> requests to the same page.
>>
>> As an example, I took a random page with a form on it, here are the
>> totals:
>>
>> 2 /password.html
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888'
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
>> 2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345'
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
>> 2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888'
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
>> 2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
>> 4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
>> 4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
>> 4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
>> 4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
>> 4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
>> 4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
>> 4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
>> 4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
>> 4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
>>
>> Also, the contact forms on the websites I tested got hammered with
>> emails (and they also seemed to have duplicate requests).
>>
>> p8x
>>
>> On 7/01/2010 8:00 PM, mrx wrote:
>> > Vincent,
>> >
>> > Although the actual results of the scan were displayed in English in the online html report,
>> > the suggested solutions were in fact in Chinese.
>> >
>> > Checking my access logs reveals multiple attempts of the same attack/probe, for example multiple identical POSTs to the same page:
>> >
>> > 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>> >
>> > There are around 100 entries identical to the above in my log. I don't know if this is by design or not but it does seem to be a little inefficient.
>> >
>> > I also noticed there were no attempts at information disclosure via the TRACE method, nor were any attempts made at SQL injection despite my
>> > selecting "all" in the scan options. Not that my site is vulnerable in any way ;-)
>> >
>> > Hope this helps
>> >
>> > regards
>> > mrx
>> >
>> > Vincent Chao wrote:
>> >> Thank you for your analysis. It really helps me.
>> >
>> >> And I also found the PDF report mail to us is in Chinese, in the website of
>> >> iiScan, however, to see the report of html or PDF format is English (of
>> >> course can change to Chinese).
>> >
>> >> -----Original Message-----
>> >> From: [email protected] <mailto:[email protected]>
>> >> [mailto:[email protected] <mailto:[email protected]>] On Behalf Of mrx
>> >> Sent: Wednesday, January 06, 2010 8:45 PM
>> >> To: [email protected] <mailto:[email protected]>
>> >> Subject: [Full-disclosure] iiscan results
>> >
>> >> Well, this scanner managed to find a couple of low level vulnerabilities on
>> >> my site which were missed by both Nikto and Nessus.
>> >
>> >> Two directories allowed a directory listing and a test.php file I created,
>> >> an information disclosure vulnerability, was also detected. My dumb
>> >> ass forgot to delete this "test.php" file after I finished testing the
>> >> server.
>> >
>> >> Possible sensitive directories were also listed, however browsing to these
>> >> directories returned 403 errors, blank pages or a wordpress logon
>> >> prompt, which is what I expected.
>> >
>> >> So all in all this scanner seems to do its job well. At least for a LAMP
>> >> server running wordpress
>> >
>> >> Of course I have addressed the vulnerabilities reported.
>> >
>> >> My command of the Chinese language is limited to zero, so I cannot
>> >> understand the pdf report emailed to me nor the information within the web
>> >> based report. Hopefully the developers will address this language problem.
>> >
>> >> regards
>> >> mrx
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
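The header-variation explanation at the top of this message can be checked against an access log. The following is an added example, not code from anyone in the thread: it groups combined-format log lines by client, method and URL and reports which logged fields differ between the repeats. The function name `explain_duplicates` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format, the format of the line quoted in the thread.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<http>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Logged fields compared between repeats (the timestamp always differs, so it is skipped).
COMPARED = ("http", "ua", "referer", "status", "size")

def explain_duplicates(lines):
    """Group requests by (ip, method, url); for repeats, return the fields that vary."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # ignore lines that are not in combined format
            groups[(m["ip"], m["method"], m["url"])].append(m.groupdict())
    report = {}
    for key, hits in groups.items():
        if len(hits) > 1:
            values = {f: sorted({h[f] for h in hits}) for f in COMPARED}
            report[key] = {f: v for f, v in values.items() if len(v) > 1}
    return report

# Constructed sample lines: documentation IP range, made-up times and sizes.
UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) NOSEC.JSky/1.0"
SAMPLE = [
    f'192.0.2.10 - - [07/Jan/2010:09:25:32 +0800] "GET /password.html HTTP/1.0" 200 2554 "-" "{UA}"',
    f'192.0.2.10 - - [07/Jan/2010:09:25:36 +0800] "GET /password.html HTTP/1.1" 200 2554 "-" "{UA}"',
    f'192.0.2.10 - - [07/Jan/2010:09:26:01 +0800] "POST /wp-login.php HTTP/1.0" 200 2554 "-" "{UA}"',
    f'192.0.2.10 - - [07/Jan/2010:09:26:02 +0800] "POST /wp-login.php HTTP/1.0" 200 2554 "-" "{UA}"',
    f'192.0.2.10 - - [07/Jan/2010:09:26:05 +0800] "GET /index.html HTTP/1.0" 200 512 "-" "{UA}"',
]

if __name__ == "__main__":
    for (ip, method, url), diff in explain_duplicates(SAMPLE).items():
        print(ip, method, url, diff or "no difference in logged fields")
```

An empty result for a repeated request means the access log cannot distinguish the repeats; POST bodies and most request headers are not in the combined format, which is where more verbose logging would be needed.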
