
A closer look at the iiscan

The free IIScan was recently announced on the full-disclosure list and I took the time to review it. It was announced as a new-generation web application security platform that detects XSS, SQL injection, etc. All online and free.

Let's see how it worked. I ran it against the http://sucuri.net site, and this is what it did:

IP addresses used
The scan came from two IP addresses: 216.18.22.46 and 58.60.26.171

User agent
This is what their user agent looked like: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"

Actions
They started by checking how the site answers requests for files that cannot exist (to learn its 404 behaviour) and by fetching a few initial files:

GET / HTTP/1.0 200
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET /robots.txt HTTP/1.1 404

After that, they tried the PUT, TRACE, TRACK and DELETE methods (sometimes more than once for the same file):

TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_web_scanner_test_file.txt HTTP/1.1 405
PUT /jsky_test.txt HTTP/1.1 405
DELETE /Jsky_test_no_exists_file.txt HTTP/1.1 405
TRACE /TRACE_test HTTP/1.1 200
TRACK /TRACK_test HTTP/1.1 501

After that they tried a few simple reflected XSS probes against the path itself:

GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /%3Cscript%3Ealert(42873).do HTTP/1.1 404

Then it looked for common mistakes, like zipped or backed-up PHP files, exposed logs, etc., and checked for common application directories (wp-content, etc.):

GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET / HTTP/1.0 200
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /sitemap.gz HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET / HTTP/1.0 200
GET /server-info HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET / HTTP/1.0 200
GET /robots.txt HTTP/1.1 404
GET /never_could_exist_file.nosec HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /never_could_exist_file_nosec.aspx HTTP/1.0 404
GET / HTTP/1.1 200
GET /wp-content/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /logfiles/ HTTP/1.1 404
GET / HTTP/1.1 200
GET /index.php.BAK HTTP/1.0 404
PUT /jsky_test.txt HTTP/1.1 405
GET /index.php.zip HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /sitemap.gz HTTP/1.1 404
GET /index.php.BAK HTTP/1.0 404
GET /INSTALL.mysql.txt HTTP/1.1 404
GET /install.php HTTP/1.1 404
GET /index.php.zip HTTP/1.0 404
GET /_vti_bin/_vti_adm/admin.dll HTTP/1.1 404
GET /rss.xml HTTP/1.1 302
GET /index.php.ZIP HTTP/1.0 404
GET /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1 404
GET /_vti_bin/_vti_aut/author.dll HTTP/1.1 404
GET /_vti_bin/shtml.exe?_vti_rpc HTTP/1.1 404
GET /index.php.tar.gz HTTP/1.0 404
GET /uploads/ HTTP/1.1 404
GET /index.php.temp HTTP/1.0 404
GET /server-info HTTP/1.1 404
GET /wp-content/ HTTP/1.1 404
GET /logfiles/ HTTP/1.1 404
GET /index.php.save HTTP/1.0 404
GET /main.css HTTP/1.1 200
GET /index.php.backup HTTP/1.0 404
GET /jsp-examples/ HTTP/1.1 404
GET /index.php.orig HTTP/1.0 404
GET /log/ HTTP/1.1 404
GET /index.php~ HTTP/1.0 404
GET /data/ HTTP/1.1 404
GET /logs/ HTTP/1.1 404
GET /index.php~1 HTTP/1.0 404
GET /index.php.cs HTTP/1.0 404
GET /datas/ HTTP/1.1 404
GET /?page=home HTTP/1.1 200
GET /index.php.java HTTP/1.0 404
GET /example/ HTTP/1.1 404
GET /index.php.class HTTP/1.0 404
GET /examples/ HTTP/1.1 404
GET /index.php.rar HTTP/1.0 404
GET /upload/ HTTP/1.1 404
GET /WebService/ HTTP/1.1 404
GET /index.php.tmp HTTP/1.0 404
GET /inc/ HTTP/1.1 404
GET /include/ HTTP/1.1 404
GET /old/ HTTP/1.1 404
GET /manage/ HTTP/1.1 404
GET /db/ HTTP/1.1 404
GET /aspnet/ HTTP/1.1 404
GET /htdocs/ HTTP/1.1 404
GET /conf/ HTTP/1.1 404
GET /config/ HTTP/1.1 404
GET /private/ HTTP/1.1 404
GET /admin/ HTTP/1.1 404
GET /administrator/ HTTP/1.1 404
GET /webadmin/ HTTP/1.1 404
GET /database/ HTTP/1.1 404
GET /samples/ HTTP/1.1 404
GET /member/ HTTP/1.1 404
GET /members/ HTTP/1.1 404
GET /pass.txt HTTP/1.1 404
GET /passwd HTTP/1.1 404
GET /users.txt HTTP/1.1 404
GET /users.ini HTTP/1.1 404
GET /install.log HTTP/1.1 403
GET /database.inc HTTP/1.1 404
GET /.bash_history HTTP/1.1 404
GET /.bashrc HTTP/1.1 404
GET /Web.config HTTP/1.1 404
GET /Global.asax HTTP/1.1 404
GET /Global.asa HTTP/1.1 404
GET /Global.asax.cs HTTP/1.1 404
GET /test.asp HTTP/1.1 404
GET /test.php HTTP/1.1 404
GET /test.jsp HTTP/1.1 404
GET /test.aspx HTTP/1.1 404
GET /admin.asp HTTP/1.1 404
GET /data.mdb HTTP/1.1 404

After that, it mapped my page structure (the query parameters in use) and tried a few SQL injection, XSS and other attacks on them. Note the true/false pairs (5=5 versus 5=6), which is how it looks for boolean-based injection by comparing the two responses:

GET /index.php?page=scan&page=scan?scan=88888 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=6 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='6 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888' HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888'%20and%20'5'='5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 200
GET /index.html?page=home%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=homealert(42873) HTTP/1.1 404
GET /index.html?page=home%2527 HTTP/1.0 404
GET /?page=docs&title=daily HTTP/1.1 200
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%5C' HTTP/1.0 404
GET /index.html?page=home%5C%22 HTTP/1.0 404
GET /index.html?page=homeJyI%3D HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home%bf%27 HTTP/1.0 404
GET /?page=practical&pid=13 HTTP/1.1 200
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home'%22 HTTP/1.0 404
GET /index.html?page=home/ HTTP/1.0 404
GET /index.html?page=home HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home%20and%205=6 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=home' HTTP/1.0 404
GET /index.html?page=home%20and%205=5 HTTP/1.0 404
GET /index.html?page=home'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=home%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

It also found other pages inside the site (the daily tips and the "practical" pages) and ran the same set of probes against their parameters:

GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%2527 HTTP/1.0 404
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%5C' HTTP/1.0 404
GET /index.html?page=docs&title=daily%5C%22 HTTP/1.0 404
GET /index.html?page=docs&title=dailyJyI%3D HTTP/1.0 404
GET /index.html?page=docs&title=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title=daily%bf%27 HTTP/1.0 404
GET /index.html?page=docs&title=daily HTTP/1.0 404
GET /index.html?page=docs&title=daily'%22 HTTP/1.0 404
GET /index.html?page=docs&title=daily/ HTTP/1.0 404
GET /index.html?page=docs&title=daily HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=6 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=docs&title=daily' HTTP/1.0 404
GET /index.html?page=docs&title=daily%20and%205=5 HTTP/1.0 404
GET /index.html?page=docs&title=daily'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=docs&title=daily%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /index.html?page=practical&pid=13alert(42873) HTTP/1.1 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%2527 HTTP/1.0 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%5C' HTTP/1.0 404
GET /index.html?page=practical&pid=13%5C%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13JyI%3D HTTP/1.0 404
GET /index.html?page=practical&pid=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13%bf%27 HTTP/1.0 404
GET /index.html?page=practical&pid=13 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%22 HTTP/1.0 404
GET /index.html?page=practical&pid=13/ HTTP/1.0 404
GET /index.html?page=practical&pid=13 HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=6 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='6 HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=6%20and%20'%25'=' HTTP/1.0 404
GET /index.html?page=practical&pid=13' HTTP/1.0 404
GET /index.html?page=practical&pid=13%20and%205=5 HTTP/1.0 404
GET /index.html?page=practical&pid=13'%20and%20'5'='5 HTTP/1.0 404
GET /index.html?page=practical&pid=13%25'%20and%205=5%20and%20'%25'=' HTTP/1.0 404

And that was the whole scan. The only issue it reported was that we allowed the TRACE method (the TRACE requests above returned 200), but I think it did a good job of looking for several different classes of vulnerability.
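As an added example that is not part of the original post: a small Python classifier that tags request lines of the shape quoted above with the scanner behaviours the post walks through (dangerous methods, the tool's own marker filenames, backup-file probes, XSS markers, and the 5=5/5=6 boolean pairs). The sample lines are constructed for the example, not taken from the sucuri.net log.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the same "METHOD path HTTP/x.y status" shape as the
# requests quoted in the post; these lines are made up for the example.
SAMPLE_LOG = """\
GET /never_could_exist_file.nosec HTTP/1.0 404
TRACE /TRACE_test HTTP/1.1 200
PUT /jsky_web_scanner_test_file.txt HTTP/1.1 405
GET /%3Cscript%3Ealert(42873) HTTP/1.1 404
GET /index.php.bak HTTP/1.0 404
GET /index.php?page=scan&page=scan?scan=88888%20and%205=5 HTTP/1.0 200
GET /index.php?page=scan&page=scan?scan=88888%20and%205=6 HTTP/1.0 200
GET /index.html?page=home%3Cscript%3Ealert(42873)%3C/script%3E HTTP/1.1 404
GET /main.css HTTP/1.1 200
"""
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d (?P<status>\d{3})$")
SQLI_RE = re.compile(r"\band\s+'?5'?\s*=\s*'?([56])'?", re.I)  # the 5=5 / 5=6 probes
BACKUP_RE = re.compile(r"\.(bak|zip|tar\.gz|rar|orig|save|backup|tmp|temp)$|~\d?$|/\.bash(rc|_history)$", re.I)
# Detection rules: (label, predicate over the method and the URL-decoded path).
RULES = [
    ("dangerous-method", lambda m, p: m in {"TRACE", "TRACK", "PUT", "DELETE"}),
    ("scanner-marker", lambda m, p: any(s in p.lower() for s in ("nosec", "jsky", "trace_test", "track_test"))),
    ("xss-probe", lambda m, p: "<script>" in p.lower() or "alert(" in p),
    ("boolean-sqli-probe", lambda m, p: SQLI_RE.search(p) is not None),
    ("backup-or-dotfile", lambda m, p: BACKUP_RE.search(p) is not None),
]

def classify(line):
    """Return (method, status, labels) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, path = m["method"], unquote(m["path"])
    return method, int(m["status"]), [label for label, pred in RULES if pred(method, path)]

def sqli_pairs(lines):
    """Paths seen with both 'and 5=5' and 'and 5=6': the scanner's true/false probe pair."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        hit = m and SQLI_RE.search(unquote(m["path"]))
        if hit:
            seen.setdefault(SQLI_RE.sub("and 5=?", unquote(m["path"])), set()).add(hit.group(1))
    return sorted(key for key, sides in seen.items() if sides == {"5", "6"})

def summarize(log):
    """Count rule hits per label; a burst of these from one client is the scan signature."""
    return Counter(label for line in log.splitlines() for label in (classify(line) or ("", 0, []))[2])
```

Feeding a real access log needs only a different `LINE_RE` for the combined log format; the rules operate on the decoded path and method alone.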



  • http://www.pentestit.com Black

    I concur! Their machine is VERY intrusive. My 404s shot up to around 154 MB. Of course, I know that about 20 MB of those 404s were due to the trial and error of "everyone else".

  • Rasmus

    Some of those requests seem quite broken if they were logged correctly:

    GET /index.php?page=scan&page=scan?scan=88888

    What's with the double ? there?

  • http://twitter.com/napolebsis napolebsis

    Hi, do you perhaps have an invite code left for me? I searched the web for nearly an hour or so but didn't find one which worked. Would be fantastic!

    Thanks in advance! :)

  • http://sucuri.net dd@sucuri.net

    Rasmus: Yes, those are posted exactly how they were executed…

    napolebsis: try: d560e07a3b8aac06 it is the last one I have left…

  • http://bothunters.pl Borys Łącki

    Maybe this double check is an HTTP PARAMETER POLLUTION test…

  • http://www.mtl-services.com MTL-Services

    Hey there,
    does anyone have an invite code left? All codes I found on the internet were already used.
    Thanks for your help!

  • http://www.blogger.com/profile/05044980262598010701 Junior

    Anyone know how to get the codes or have any left?

    Help…

    Thank you.

  • http://www.blogger.com/profile/06950680233029380929 Marc Ruef

    Hello,

    Nice technical analysis, I like it!

    Today I have published another review in our labs blog. Unfortunately, it is in German only ;( !

    http://www.scip.ch/?labs.20100122

    Regards,

    Marc
