From landre at atg.com Thu Dec 2 12:58:57 2010
From: landre at atg.com (Andre, Lionel)
Date: Thu, 2 Dec 2010 18:58:57 +0000
Subject: [Nikto-discuss] user defined tests only
Message-ID:

The easy way to do this is to temporarily empty out the db_tests file if you use udb_tests. Worked like a charm for me.

From landre at atg.com Fri Dec 3 11:14:51 2010
From: landre at atg.com (Andre, Lionel)
Date: Fri, 3 Dec 2010 17:14:51 +0000
Subject: [Nikto-discuss] problem with POST testing XSS
Message-ID:

I have a weird issue with testing the submission of a form using POST.

Using the Live HTTP Headers extension in FF I grabbed the whole form submission. Using the replay function in FF it works fine, however using nikto in debug mode I get the following info (sanitized a few things).

Any ideas are welcome. The form itself has a lot of hidden fields in it and I am trying to figure out which ones are absolutely required.

Thanks!

The contents of the udb_test line:

"400004","0","4","/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","",""

THE REQUEST:

D:Thu Dec 2 14:48:29 2010 'Request Hash' = {
  'whisker' => {
    'protocol' => 'HTTP',
    'require_newline_after_headers' => 0,
    'lowercase_incoming_headers' => 1,
    'uri_prefix' => '',
    'ssl_save_info' => 1,
    'http_space2' => ' ',
    'uri_param_sep' => '?',
    'timeout' => 10,
    'http_space1' => ' ',
    'method' => 'POST',
    'force_open' => 0,
    'include_host_in_uri' => 0,
    'ignore_duplicate_headers' => 1,
    'uri_postfix' => '',
    'keep-alive' => 1,
    'ssl' => 0,
    'version' => '1.1',
    'data' => '',
    'port' => 80,
    'uri' => '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
    'host' => '127.0.0.1',
    'retry' => 0,
    'normalize_incoming_headers' => 1,
    'invalid_protocol_return_value' => 1,
    'force_bodysnatch' => 0,
    'MAGIC' => 31339,
    'max_size' => 0,
    'trailing_slurp' => 0,
    'force_close' => 0,
    'http_eol' => "\r\n"
  },
  'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:400004)',
  'Connection' => 'Keep-Alive',
  'Content-Length' => 0,
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Host' => '127.0.0.1'
};

RESPONSE:

D:Thu Dec 2 14:48:29 2010 'Result Hash' = {
  'connection' => 'close',
  'whisker' => {
    'protocol' => 'HTTP',
    'lowercase_incoming_headers' => 1,
    'http_space2' => ' ',
    'stats_reqs' => 21,
    'http_space1' => ' ',
    'code' => 400,
    'stats_syns' => 6,
    'version' => '1.1',
    'abnormal_header_spacing' => 1,
    'data' => 'Http/1.1 Bad Request ',
    'uri' => '/mysearch/mySearchResults.jsp?_ARGS=/mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform',
    'message' => 'Bad Request',
    'header_order' => [
      'content-length',
      'connection'
    ],
    'http_data_sent' => 1,
    'MAGIC' => 31340,
    'http_eol' => "\r\n",
    'socket_state' => 0
  },
  'content-length' => 54
};
From csullo at gmail.com Fri Dec 3 12:11:31 2010
From: csullo at gmail.com (Sullo)
Date: Fri, 3 Dec 2010 13:11:31 -0500
Subject: [Nikto-discuss] problem with POST testing XSS
In-Reply-To:
References:
Message-ID:

You are sending the data in the query string--is that what you want, or should it be the post data portion? If so, this should be the line:

"400004","0","4","/mysearch/mySearchResults.jsp","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","_ARGS=/ mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets
%2FmySearch.jsp.searchform",""

On Fri, Dec 3, 2010 at 12:14 PM, Andre, Lionel wrote:
> [...]

--
http://www.cirt.net | http://www.osvdb.org/
From landre at atg.com Fri Dec 3 13:03:25 2010
From: landre at atg.com (Andre, Lionel)
Date: Fri, 3 Dec 2010 19:03:25 +0000
Subject: [Nikto-discuss] problem with POST testing XSS
In-Reply-To:
References:
Message-ID:

Sullo. Thank you! "HTTP data to be sent during POST tests" in the Fine Manual should have given me a hint ... :)

It worked like a charm!

From: Sullo [mailto:csullo at gmail.com]
Sent: Friday, December 03, 2010 1:12 PM
To: Andre, Lionel
Cc: nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] problem with POST testing XSS

You are sending the data in the query string--is that what you want, or should it be the post data portion? If so, this should be the line:

"400004","0","4","/mysearch/mySearchResults.jsp","POST","alert(4567890)","","","","","Form Submission XSS vulnerability exists","_ARGS=/ mysearch/gadgets/mySearch.jsp.searchform _dyncharset=ISO-8859-1&_dynSessConf=-6740532443327654779&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=%3E%5C%22%3E%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E%3C&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchString=+&questionSaved=http%3A%2F%2F127.0.0.1%2Fmysearch%2FmySearchResults.jsp%3F_ARGS%3D%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform&catIdSaved=&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=1&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.goToPage=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=relevance&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSort=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=descending&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.docSortOrder=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=true&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.multiSearchSession=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.saveRequest=true&_D%3A%2Fmy%2Fsearch%2Fformhandle
rs%2FQueryFormHandler.searchRequest.saveRequest=+&%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=12&_D%3A%2Fmy%2Fsearch%2Fformhandlers%2FQueryFormHandler.searchRequest.pageSize=+&searchExecByFormSubmit=true&_ARGS=%2Fmysearch%2Fgadgets%2FmySearch.jsp.searchform",""

On Fri, Dec 3, 2010 at 12:14 PM, Andre, Lionel wrote:
[...]

--
http://www.cirt.net | http://www.osvdb.org/
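As an added illustration of the field layout Sullo's correction relies on (my own example, not code from Nikto or from either poster), the following Python checks a udb_tests entry for the two defects visible in this thread: a POST test whose body sits in the URI's query string while the data field (the "HTTP data to be sent during POST tests" column) is empty, which is why the debug dump shows 'Content-Length' => 0, and unencoded whitespace inside the URI, which cannot form a valid request line. The field names are my labels for Nikto 2.1.x's 13-column db_tests layout, the sample entry is a constructed, shortened variant of the one in the post, and skipping '#' lines as comments is an assumption.

```python
import csv
import io

# Column layout of a Nikto 2.1.x db_tests / udb_tests entry: 13 quoted,
# comma-separated fields. These names are my own labels for that layout
# (assumption), not identifiers taken from the Nikto source.
FIELDS = ["id", "osvdb", "tuning", "uri", "method", "match", "match_or",
          "match_and", "fail", "fail_or", "summary", "data", "headers"]

# Constructed, shortened variant of the list post's udb_tests line (not the
# original 1.7 KB entry): the probe sits in the URI's query string while the
# POST data field (field 12) is empty.
SAMPLE = ('"400004","0","4","/mysearch/mySearchResults.jsp?'
          'q=%3Cscript%3Ealert%284567890%29%3C%2Fscript%3E",'
          '"POST","alert(4567890)","","","","",'
          '"Form Submission XSS vulnerability exists","",""')


def parse_test_line(line):
    """Split one db_tests line into a dict keyed by FIELDS."""
    values = next(csv.reader([line.strip()]))
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, values))


def format_test_line(entry):
    """Serialise an entry back into Nikto's all-quoted CSV form (no newline)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="")
    writer.writerow([entry[f] for f in FIELDS])
    return buf.getvalue()


def lint_test_line(line):
    """Return a list of problems found in one user-defined test line."""
    try:
        entry = parse_test_line(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    uri, method, data = entry["uri"], entry["method"].upper(), entry["data"]
    if method == "POST" and not data and "?" in uri:
        problems.append("POST test has an empty data field but a query string "
                        "in the URI: the body goes out with Content-Length: 0")
    if any(ch.isspace() for ch in uri):
        problems.append("URI contains unencoded whitespace; the request line "
                        "will be malformed")
    return problems


def move_query_to_post_data(line):
    """Rewrite a POST test so its query string becomes the POST body, which is
    the correction suggested on the list. Other entries are returned unchanged
    apart from re-quoting."""
    entry = parse_test_line(line)
    path, sep, query = entry["uri"].partition("?")
    if entry["method"].upper() == "POST" and sep and not entry["data"]:
        entry["uri"], entry["data"] = path, query.strip()
    return format_test_line(entry)


def lint_lines(lines):
    """Lint an iterable of udb_tests lines. Blank lines and '#'-prefixed lines
    are skipped (the comment convention is an assumption). Returns
    {line_number: [problems]} for lines with findings."""
    findings = {}
    for number, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        problems = lint_test_line(line)
        if problems:
            findings[number] = problems
    return findings


if __name__ == "__main__":
    for problem in lint_test_line(SAMPLE):
        print("WARN:", problem)
    print(move_query_to_post_data(SAMPLE))
```

Running the linter over a whole udb_tests file before a scan catches the mistake before the first request leaves; the rewrite helper deliberately touches only POST entries with an empty data field, so entries that legitimately carry a GET query string are left alone.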
From MATHIEU at fr.ibm.com Fri Dec 3 17:53:17 2010
From: MATHIEU at fr.ibm.com (Christian Mathieu)
Date: Sat, 4 Dec 2010 00:53:17 +0100
Subject: [Nikto-discuss] No web server found on x.x.x.x:1081
Message-ID:

Hello team

I got the following message "No web server found on x.x.x.x:1081" scanning with nikto 2.3.1
I've tried to change the timeout but this does not make any difference

D:Sat Dec 4 00:51:35 2010 'Result Hash' = {
  'whisker' => {
    'error' => "opening stream: can't connect: Connect failed: connect: timeout; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. at C:\\nikto\\nikto-2.1.3/plugins/LW2.pm line 5077\n: Bad file descriptor",
    'uri' => '/',
    'MAGIC' => 31340
  }

any advice ?

Thanks

Unless stated otherwise above:
Compagnie IBM France
Registered office: 17 avenue de l'Europe, 92275 Bois-Colombes Cedex
RCS Nanterre 552 118 465
Legal form: S.A.S.
Share capital: 621.762.174 €
SIREN/SIRET: 552 118 465 03644

From csullo at gmail.com Fri Dec 3 23:30:00 2010
From: csullo at gmail.com (Sullo)
Date: Sat, 4 Dec 2010 00:30:00 -0500
Subject: [Nikto-discuss] No web server found on x.x.x.x:1081
In-Reply-To:
References:
Message-ID:

Can you connect with a web browser, and if so, is it slow? How long does this take to timeout?
On Fri, Dec 3, 2010 at 6:53 PM, Christian Mathieu wrote:
> [...]

--
http://www.cirt.net | http://www.osvdb.org/

From MATHIEU at fr.ibm.com Mon Dec 6 10:24:25 2010
From: MATHIEU at fr.ibm.com (Christian Mathieu)
Date: Mon, 6 Dec 2010 17:24:25 +0100
Subject: [Nikto-discuss] No web server found on x.x.x.x:1081
Message-ID:

Hello,

I've run the following command to try to dig out the "no web server running" issue

$ time wget https://x.x.x.x:1081/ --no-check-certificate
--2010-12-06 17:05:52--  https://x.x.x.x:1081/
Connecting to x.x.x.x:1081... connected.
WARNING: cannot verify x.x.x.x's certificate, issued by `/C=US/ST=TX/L= ..................
~~~~~~~~~~~~~~~~~~~~~~~~~~??
2010-12-06 17:05:55 (198 MB/s) - `logon.jsp' saved [3703/3703]

real 0m3.606s
user 0m0.202s
sys 0m0.093s

then

$ perl nikto.pl -h https://x.x.x.x:1081/
- Nikto v2.1.3
---------------------------------------------------------------------------
+ No web server found on x.x.x.X:1081
---------------------------------------------------------------------------
+ 0 host(s) tested
I

Thanks

Best Regards
mathieu at fr.ibm.com 33 4 9211 5896

Unless stated otherwise above:
Compagnie IBM France
Registered office: 17 avenue de l'Europe, 92275 Bois-Colombes Cedex
RCS Nanterre 552 118 465
Legal form: S.A.S.
Share capital: 621.762.174 €
SIREN/SIRET: 552 118 465 03644

From csullo at gmail.com Mon Dec 6 10:36:26 2010
From: csullo at gmail.com (Sullo)
Date: Mon, 6 Dec 2010 11:36:26 -0500
Subject: [Nikto-discuss] No web server found on x.x.x.x:1081
In-Reply-To:
References:
Message-ID:

Can you run...;

perl nikto.pl -h https://x.x.x.x:1081/ -D DSV

And attach the full output? The output should be scrubbed to remove the IP/hostnames.

On Mon, Dec 6, 2010 at 11:24 AM, Christian Mathieu wrote:
> [...]

--
http://www.cirt.net | http://www.osvdb.org/

From MATHIEU at fr.ibm.com Mon Dec 6 11:24:47 2010
From: MATHIEU at fr.ibm.com (Christian Mathieu)
Date: Mon, 6 Dec 2010 18:24:47 +0100
Subject: [Nikto-discuss] Fw: No web server found on x.x.x.x:1081
Message-ID:

Hello

$ perl nikto.pl -h https://x.x.x.X:1081/console -D DSV
- Nikto v2.1.3
---------------------------------------------------------------------------
V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_apacheusers
V:Mon Dec 6 18:12:50 2010 - Loaded "Apache Users" plugin.
V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_apache_expect_xss
V:Mon Dec 6 18:12:50 2010 - Loaded "Apache Expect XSS" plugin.
V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_auth
V:Mon Dec 6 18:12:50 2010 - Loaded "Guess authentication" plugin.
V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_cgi
V:Mon Dec 6 18:12:50 2010 - Loaded "CGI" plugin.
V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_content_search V:Mon Dec 6 18:12:50 2010 - Loaded "Content Search" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_core V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_dictionary_attack V:Mon Dec 6 18:12:50 2010 - Loaded "Dictionary attack" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_embedded V:Mon Dec 6 18:12:50 2010 - Loaded "Embedded Detection" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_favicon V:Mon Dec 6 18:12:50 2010 - Loaded "Favicon" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_headers V:Mon Dec 6 18:12:50 2010 - Loaded "HTTP Headers" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_httpoptions V:Mon Dec 6 18:12:50 2010 - Loaded "HTTP Options" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_msgs V:Mon Dec 6 18:12:50 2010 - Loaded "Server Messages" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_multiple_index V:Mon Dec 6 18:12:50 2010 - Loaded "Multiple Index" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_outdated V:Mon Dec 6 18:12:50 2010 - Loaded "Outdated" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_put_del_test V:Mon Dec 6 18:12:50 2010 - Loaded "Put/Delete test" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_report_csv V:Mon Dec 6 18:12:50 2010 - Loaded "CSV reports" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_report_html V:Mon Dec 6 18:12:50 2010 - Loaded "Report as HTML" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_report_msf V:Mon Dec 6 18:12:50 2010 - Loaded "" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_report_nbe V:Mon Dec 6 18:12:50 2010 - Loaded "NBE reports" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_report_text V:Mon Dec 6 18:12:50 2010 - Loaded "Text reports" plugin. 
V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_report_xml V:Mon Dec 6 18:12:50 2010 - Loaded "Report as XML" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_robots V:Mon Dec 6 18:12:50 2010 - Loaded "Robots" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_single V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_subdomain V:Mon Dec 6 18:12:50 2010 - Loaded "Sub-domain forcer" plugin. V:Mon Dec 6 18:12:50 2010 - Initialising plugin nikto_tests V:Mon Dec 6 18:12:50 2010 - Loaded "Nikto Tests" plugin. V:Mon Dec 6 18:12:50 2010 - Getting targets D:Mon Dec 6 18:12:50 2010 - Added -root value of '/console' V:Mon Dec 6 18:12:50 2010 - Target:example.com port:1081 V:Mon Dec 6 18:13:09 2010 - Checking for HTTP on port example.com:1081, using HEAD D:Mon Dec 6 18:13:09 2010 'Request Hash' = { 'Connection' => 'Keep-Alive', 'whisker' => { 'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'ssl_save_info' => 1, 'http_space2' => ' ', 'uri_param_sep' => '?', 'timeout' => 10, 'http_space1' => ' ', 'method' => 'HEAD', 'force_open' => 0, 'include_host_in_uri' => 0, 'ignore_duplicate_headers' => 1, 'uri_postfix' => '', 'keep-alive' => 1, 'ssl' => 0, 'version' => '1.1', 'port' => 1081, 'uri' => '/', 'host' => 'example.com', 'retry' => 0, 'normalize_incoming_headers' => 1, 'invalid_protocol_return_value' => 1, 'force_bodysnatch' => 0, 'MAGIC' => 31339, 'max_size' => 0, 'trailing_slurp' => 0, 'force_close' => 0, 'http_eol' => "\r\n" }, 'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:Port Check)', 'host' => 'example.com' }; D:Mon Dec 6 18:13:09 2010 'Result Hash' = { 'whisker' => { 'error' => 'opening stream: can\'t connect (timeout): Unknown error', 'uri' => '/', 'MAGIC' => 31340 } }; V:Mon Dec 6 18:13:09 2010 - for HEAD: / V:Mon Dec 6 18:13:09 2010 - Checking for HTTPS on port example.com:1081, using HEAD D:Mon Dec 6 18:13:20 2010 'Request Hash' = { 'Connection' => 
'Keep-Alive', 'whisker' => { 'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'ssl_save_info' => 1, 'http_space2' => ' ', 'uri_param_sep' => '?', 'timeout' => 10, 'http_space1' => ' ', 'method' => 'HEAD', 'force_open' => 0, 'include_host_in_uri' => 0, 'ignore_duplicate_headers' => 1, 'uri_postfix' => '', 'keep-alive' => 1, 'ssl' => 1, 'version' => '1.1', 'port' => 1081, 'uri' => '/', 'host' => 'example.com', 'retry' => 0, 'normalize_incoming_headers' => 1, 'invalid_protocol_return_value' => 1, 'force_bodysnatch' => 0, 'MAGIC' => 31339, 'max_size' => 0, 'trailing_slurp' => 0, 'force_close' => 0, 'http_eol' => "\r\n" }, 'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:Port Check)', 'host' => 'example.com' }; D:Mon Dec 6 18:13:20 2010 'Result Hash' = { 'whisker' => { 'error' => "opening stream: can't connect: Connect failed: connect: timeout; Unknown error at ./plugins/LW2.pm line 5077\n: Bad file descriptor", 'uri' => '/', 'MAGIC' => 31340 } }; V:Mon Dec 6 18:13:20 2010 - for HEAD: / V:Mon Dec 6 18:13:20 2010 - Checking for HTTP on port example.com:1081, using GET D:Mon Dec 6 18:13:20 2010 'Request Hash' = { 'Connection' => 'Keep-Alive', 'whisker' => { 'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'ssl_save_info' => 1, 'http_space2' => ' ', 'uri_param_sep' => '?', 'timeout' => 10, 'http_space1' => ' ', 'method' => 'GET', 'force_open' => 0, 'include_host_in_uri' => 0, 'ignore_duplicate_headers' => 1, 'uri_postfix' => '', 'keep-alive' => 1, 'ssl' => 0, 'version' => '1.1', 'port' => 1081, 'uri' => '/', 'host' => 'example.com', 'retry' => 0, 'normalize_incoming_headers' => 1, 'invalid_protocol_return_value' => 1, 'force_bodysnatch' => 0, 'MAGIC' => 31339, 'max_size' => 0, 'trailing_slurp' => 0, 'force_close' => 0, 'http_eol' => "\r\n" }, 'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:Port Check)', 
'host' => 'example.com' }; D:Mon Dec 6 18:13:20 2010 'Result Hash' = { 'whisker' => { 'error' => 'opening stream: can\'t connect (timeout): Unknown error', 'uri' => '/', 'MAGIC' => 31340 } }; V:Mon Dec 6 18:13:20 2010 - for GET: / V:Mon Dec 6 18:13:20 2010 - Checking for HTTPS on port example.com:1081, using GET D:Mon Dec 6 18:13:30 2010 'Request Hash' = { 'Connection' => 'Keep-Alive', 'whisker' => { 'protocol' => 'HTTP', 'require_newline_after_headers' => 0, 'lowercase_incoming_headers' => 1, 'uri_prefix' => '', 'ssl_save_info' => 1, 'http_space2' => ' ', 'uri_param_sep' => '?', 'timeout' => 10, 'http_space1' => ' ', 'method' => 'GET', 'force_open' => 0, 'include_host_in_uri' => 0, 'ignore_duplicate_headers' => 1, 'uri_postfix' => '', 'keep-alive' => 1, 'ssl' => 1, 'version' => '1.1', 'port' => 1081, 'uri' => '/', 'host' => 'example.com', 'retry' => 0, 'normalize_incoming_headers' => 1, 'invalid_protocol_return_value' => 1, 'force_bodysnatch' => 0, 'MAGIC' => 31339, 'max_size' => 0, 'trailing_slurp' => 0, 'force_close' => 0, 'http_eol' => "\r\n" }, 'User-Agent' => 'Mozilla/4.75 (Nikto/2.1.3) (Evasions:None) (Test:Port Check)', 'host' => 'example.com' }; D:Mon Dec 6 18:13:30 2010 'Result Hash' = { 'whisker' => { 'error' => "opening stream: can't connect: Connect failed: connect: timeout; Unknown error at ./plugins/LW2.pm line 5077\n: Bad file descriptor", 'uri' => '/', 'MAGIC' => 31340 } }; V:Mon Dec 6 18:13:30 2010 - for GET: / + No web server found on x.x.x.X:1081 --------------------------------------------------------------------------- V:Mon Dec 6 18:13:30 2010 - Opening reports (none, ) V:Mon Dec 6 18:13:31 2010 - 6417 server checks loaded V:Mon Dec 6 18:13:31 2010 - Running start for "Guess authentication" plugin V:Mon Dec 6 18:13:31 2010 - Running start for "Content Search" plugin + 0 host(s) tested V:Mon Dec 6 18:13:31 2010 + 4 requests made in 41 seconds D:Mon Dec 6 18:13:31 2010 T:Mon Dec 6 18:13:31 2010: Ending mathieu at L3BF228-7659AB7 
/cygdrive/c/nikto/nikto-2.1.3 $ Merci / Thanks Cordialement / Mit freundlichen Gr??en / Best Regards mathieu at fr.ibm.com 33 4 9211 5896 ----- Forwarded by Christian Mathieu/France/IBM on 06/12/2010 18:21 ----- From: Christian Mathieu/France/IBM To: nikto-discuss at attrition.org Date: 06/12/2010 17:24 Subject: [Nikto-discuss] No web server found on x.x.x.x:1081 Hello, I've run the following command t otry to dig out the no web server running issue $ time wget https://x.x.x.x:1081/ --no-check-certificate --2010-12-06 17:05:52-- https://x.x.x.x:1081/ Connecting to x.x.x.x:1081... connected. WARNING: cannot verify x.x.x.x's certificate, issued by `/C=US/ST=TX/L= .................. ~~~~~~~~~~~~~~~~~~~~~~~~~~?? 2010-12-06 17:05:55 (198 MB/s) - `logon.jsp' saved [3703/3703] real 0m3.606s user 0m0.202s sys 0m0.093s then $ perl nikto.pl -h https://x.x.x.x:1081/ - Nikto v2.1.3 --------------------------------------------------------------------------- + No web server found on x.x.x.X:1081 --------------------------------------------------------------------------- + 0 host(s) tested I Merci / Thanks Cordialement / Mit freundlichen Gr??en / Best Regards mathieu at fr.ibm.com 33 4 9211 5896 Sauf indication contraire ci-dessus:/ Unless stated otherwise above: Compagnie IBM France Siege Social : 17 avenue de l'Europe, 92275 Bois-Colombes Cedex RCS Nanterre 552 118 465 Forme Sociale : S.A.S. Capital Social : 621.762.174 ? SIREN/SIRET : 552 118 465 03644 Sauf indication contraire ci-dessus:/ Unless stated otherwise above: Compagnie IBM France Siege Social : 17 avenue de l'Europe, 92275 Bois-Colombes Cedex RCS Nanterre 552 118 465 Forme Sociale : S.A.S. Capital Social : 621.762.174 ? SIREN/SIRET : 552 118 465 03644 -------------- next part -------------- An HTML attachment was scrubbed... 
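The -D DSV output above is what Sullo asked for, but the lines that matter (four port-check attempts and their LibWhisker errors) sit between long Request Hash dumps. As an added example, not from the thread and not Nikto's own code, the Python below extracts each attempt and buckets its error by the layer where it failed, so a reader can tell a TCP connect timeout from a TLS-stack problem without reading the hashes. The sample is a constructed excerpt of the output above with the Request Hash lines omitted; the keyword-based classification is my assumption about LibWhisker's error wording, not a documented interface.

```python
import re

# Constructed sample: the four port checks and the verdict from the -D DSV
# output quoted in the thread, Request Hash dumps omitted (this parser only
# needs the "Checking for ..." and "Result Hash" lines).
SAMPLE = r"""
V:Mon Dec 6 18:13:09 2010 - Checking for HTTP on port example.com:1081, using HEAD
D:Mon Dec 6 18:13:09 2010 'Result Hash' = { 'whisker' => { 'error' => 'opening stream: can\'t connect (timeout): Unknown error', 'uri' => '/', 'MAGIC' => 31340 } };
V:Mon Dec 6 18:13:09 2010 - for HEAD: /
V:Mon Dec 6 18:13:09 2010 - Checking for HTTPS on port example.com:1081, using HEAD
D:Mon Dec 6 18:13:20 2010 'Result Hash' = { 'whisker' => { 'error' => "opening stream: can't connect: Connect failed: connect: timeout; Unknown error at ./plugins/LW2.pm line 5077\n: Bad file descriptor", 'uri' => '/', 'MAGIC' => 31340 } };
V:Mon Dec 6 18:13:20 2010 - for HEAD: /
V:Mon Dec 6 18:13:20 2010 - Checking for HTTP on port example.com:1081, using GET
D:Mon Dec 6 18:13:20 2010 'Result Hash' = { 'whisker' => { 'error' => 'opening stream: can\'t connect (timeout): Unknown error', 'uri' => '/', 'MAGIC' => 31340 } };
V:Mon Dec 6 18:13:20 2010 - for GET: /
V:Mon Dec 6 18:13:20 2010 - Checking for HTTPS on port example.com:1081, using GET
D:Mon Dec 6 18:13:30 2010 'Result Hash' = { 'whisker' => { 'error' => "opening stream: can't connect: Connect failed: connect: timeout; Unknown error at ./plugins/LW2.pm line 5077\n: Bad file descriptor", 'uri' => '/', 'MAGIC' => 31340 } };
V:Mon Dec 6 18:13:30 2010 - for GET: /
+ No web server found on x.x.x.X:1081
"""

CHECK_RE = re.compile(
    r"^V:(?P<ts>.+?) - Checking for (?P<scheme>HTTPS?) on port "
    r"(?P<host>[^:]+):(?P<port>\d+), using (?P<method>[A-Z]+)$")
# The error string is a Perl literal in either quote style; stop at the
# closing quote that is followed by a comma.
ERROR_RE = re.compile(
    r"""^D:(?P<ts>.+?) 'Result Hash' = .*?'error' => (?P<q>["'])(?P<err>.*?)(?P=q),""")


def classify(error):
    """Bucket a LibWhisker error string by the layer where the attempt died (assumed wording)."""
    e = error.lower()
    if "timeout" in e and "connect" in e:
        return "connect-timeout"
    if "refused" in e:
        return "connect-refused"
    if "ssl" in e or "tls" in e or "handshake" in e:
        return "tls-error"
    return "other"


def parse_port_checks(text):
    """Pair each 'Checking for ...' line with the Result Hash that follows it."""
    attempts, pending = [], None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            pending = {"scheme": m["scheme"], "method": m["method"],
                       "host": m["host"], "port": int(m["port"]),
                       "error": None, "outcome": "response"}
            attempts.append(pending)
            continue
        if pending is not None and "'Result Hash'" in line:
            m = ERROR_RE.match(line)
            if m:                       # no 'error' key means the probe got an answer
                pending["error"] = m["err"]
                pending["outcome"] = classify(m["err"])
            pending = None
    return attempts


def summarize(text):
    """Count outcomes and state the one fact the hashes hide: where the attempts failed."""
    attempts = parse_port_checks(text)
    outcomes = [a["outcome"] for a in attempts]
    summary = {
        "attempts": len(attempts),
        "schemes": sorted({a["scheme"] for a in attempts}),
        "connect_timeouts": outcomes.count("connect-timeout"),
        "tls_errors": outcomes.count("tls-error"),
        "responses": outcomes.count("response"),
        "no_web_server": any(l.startswith("+ No web server found") for l in text.splitlines()),
    }
    if summary["attempts"] and summary["connect_timeouts"] == summary["attempts"]:
        summary["verdict"] = ("every attempt timed out at connect, with ssl on and off alike, "
                              "so the error is raised before a TLS handshake could start")
    elif summary["tls_errors"]:
        summary["verdict"] = "connect succeeded but TLS failed: look at the Perl SSL stack"
    elif summary["responses"]:
        summary["verdict"] = "at least one probe received a response"
    else:
        summary["verdict"] = "mixed or unknown errors: inspect the raw Result Hash lines"
    return summary


if __name__ == "__main__":
    for a in parse_port_checks(SAMPLE):
        print(f"{a['scheme']:5s} {a['method']:4s} -> {a['outcome']}")
    print(summarize(SAMPLE)["verdict"])
```

Run it over a full `-D DSV` capture (`summarize(open("debug.txt").read())`) to get the same one-line verdict; the parser ignores every line it does not recognise, so the Request Hash dumps and plugin-loading chatter can stay in the file.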
From chris at mediumcool.net Wed Dec 8 03:50:47 2010
From: chris at mediumcool.net (Chris Thomas)
Date: Wed, 08 Dec 2010 10:50:47 +0100
Subject: [Nikto-discuss] Unwanted authentication brute-force
Message-ID: <4CFF54F7.9080403@mediumcool.net>

Hi,

I'm using Nikto 2.1.3 on Windows XP.

When Nikto attempts to GET the page /bandwidth/index.cgi on the server I'm testing it receives the response '401 Requires Authorization'. Nikto then appears to enter a loop repeatedly GETing /bandwidth/index.cgi which quickly trips my client's IDS and gets me blacklisted.

I've done some tests on my own web server using Nikto debugging and it appears Nikto is trying to brute-force authentication, making around 700 requests for /bandwidth/index.cgi with various credentials before it moves on to the next test.

The command I'm running is:
nikto.pl -h 172.16.20.17 -T 1 -D D > debug.txt

I could get myself whitelisted, but I really don't want to be trying to brute-force authentication.

I see there are various options for controlling plugins and tests but I've had a look at the code, db_tests etc., but it's hard to get a handle on what's actually being run.

Any suggestions?

Thanks.

Chris

From csullo at gmail.com Wed Dec 8 12:11:43 2010
From: csullo at gmail.com (Sullo)
Date: Wed, 8 Dec 2010 13:11:43 -0500
Subject: [Nikto-discuss] Unwanted authentication brute-force
In-Reply-To: <4CFF54F7.9080403@mediumcool.net>
References: <4CFF54F7.9080403@mediumcool.net>

There was actually a bug in the auth guessing stuff that may have caused the high number of attempts--I just fixed it a few nights ago in the trunk version. It should be ~300 per directory (or per realm in the trunk version).

You can disable plugins using -Plugins, such as:

-Plugins "@@DEFAULT;-auth"

That should run all the default ones except the auth testing.

See this page for more info:
https://cirt.net/nikto2-docs/options.html

-Sullo

On Wed, Dec 8, 2010 at 4:50 AM, Chris Thomas wrote:
>
> Hi,
>
> I'm using Nikto 2.1.3 on Windows XP.
>
> When Nikto attempts to GET the page /bandwidth/index.cgi on the server I'm
> testing it receives the response '401 Requires Authorization'. Nikto then
> appears to enter a loop repeatedly GETing /bandwidth/index.cgi which
> quickly trips my client's IDS and gets me blacklisted.
>
> I've done some tests on my own web server using Nikto debugging and it
> appears Nikto is trying to brute-force authentication, making around 700
> requests for /bandwidth/index.cgi with various credentials before it moves on
> to the next test.
>
> The command I'm running is:
> nikto.pl -h 172.16.20.17 -T 1 -D D > debug.txt
>
> I could get myself whitelisted, but I really don't want to be trying to
> brute-force authentication.
>
> I see there are various options for controlling plugins and tests but I've
> had a look at the code, db_tests etc., but it's hard to get a handle on
> what's actually being run.
>
> Any suggestions?
>
> Thanks.
>
> Chris
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>

--
http://www.cirt.net | http://www.osvdb.org/

From csullo at gmail.com Wed Dec 8 23:08:58 2010
From: csullo at gmail.com (Sullo)
Date: Thu, 9 Dec 2010 00:08:58 -0500
Subject: [Nikto-discuss] Fw: No web server found on x.x.x.x:1081

It's a bit hard to say from this, but I'd try installing Net::SSLeay and see if that works better. It should take precedence inside LibWhisker.

On Mon, Dec 6, 2010 at 12:24 PM, Christian Mathieu wrote:
>
> Hello,
>
> I've run the following command to try to dig out the
> no web server running issue
>
> $ time wget https://x.x.x.x:1081/ --no-check-certificate
> --2010-12-06 17:05:52-- https://x.x.x.x:1081/
> Connecting to x.x.x.x:1081... connected.
> WARNING: cannot verify x.x.x.x's certificate, issued by `/C=US/ST=TX/L=
> ..................
> ~~~~~~~~~~~~~~~~~~~~~~~~~~??
> 2010-12-06 17:05:55 (198 MB/s) - `logon.jsp' saved [3703/3703]
>
>
> real 0m3.606s
> user 0m0.202s
> sys 0m0.093s
>
> then
> $ perl nikto.pl -h https://x.x.x.x:1081/
> - Nikto v2.1.3
> ---------------------------------------------------------------------------
> + No web server found on x.x.x.X:1081
> ---------------------------------------------------------------------------
> + 0 host(s) tested
> I
>
>
> Merci / Thanks
>
> Cordialement / Mit freundlichen Grüßen / Best Regards
> mathieu at fr.ibm.com 33 4 9211 5896
>
> Sauf indication contraire ci-dessus:/ Unless stated otherwise above:
> Compagnie IBM France
> Registered Office: 17 avenue de l'Europe, 92275 Bois-Colombes Cedex
> RCS Nanterre 552 118 465
> Legal Form: S.A.S.
> Share Capital: 621.762.174 €
> SIREN/SIRET : 552 118 465 03644
>
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>
>

--
http://www.cirt.net | http://www.osvdb.org/
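Sullo's `-Plugins "@@DEFAULT;-auth"` advice in the authentication brute-force thread above depends on Nikto's plugin selection syntax: items separated by `;`, `@@` macros, and a leading `-` to drop an item. As an added example, not from the thread and not Nikto's own code, the Python below models that syntax so a tester can see, before the scan reaches a client's IDS, which plugins a selection would run and which of them send credential guesses. The plugin registry is built from the names in the verbose log earlier in the thread; the macro definitions (`@@ALL`, `@@NONE`, `@@MUTATE`, `@@DEFAULT`) and the `name(param=value)` handling are my assumptions about the real syntax, whose definitions live in nikto.conf and differ by version.

```python
# Simplified model of Nikto's -Plugins selection syntax as used in the thread.
# REGISTRY, MACROS and NOISY are CONSTRUCTED for this example: the plugin names
# come from the "Loaded ... plugin" lines quoted earlier, the macro bodies are
# assumptions (check nikto.conf for the real @@DEFAULT expansion).

REGISTRY = {
    "apacheusers", "apache_expect_xss", "auth", "cgi", "content_search",
    "dictionary_attack", "embedded", "favicon", "headers", "httpoptions",
    "msgs", "multiple_index", "outdated", "put_del_test", "robots",
    "subdomain", "tests",
}

MACROS = {
    "@@ALL": None,                              # every registered plugin
    "@@NONE": "",                               # the empty set
    "@@MUTATE": "dictionary_attack;subdomain",  # assumption: the guessing plugins
    "@@DEFAULT": "@@ALL;-@@MUTATE",             # assumption: all minus @@MUTATE
}

# Plugins whose traffic is credential or name guessing, the kind that trips an IDS.
NOISY = {"auth", "dictionary_attack", "subdomain"}


def resolve_plugins(selection, registry=REGISTRY, macros=MACROS, _depth=0):
    """Return the set of plugin names that a -Plugins selection string enables."""
    if _depth > 10:
        raise ValueError("macro recursion too deep")
    selected = set()
    for raw in selection.split(";"):
        item = raw.strip()
        if not item:
            continue
        remove = item.startswith("-")
        name = item[1:] if remove else item
        name = name.split("(", 1)[0]        # drop "(param=value)" arguments
        if name.startswith("@@"):
            if name not in macros:
                raise ValueError(f"unknown macro {name}")
            body = macros[name]
            members = (set(registry) if body is None
                       else resolve_plugins(body, registry, macros, _depth + 1))
        else:
            if name not in registry:
                raise ValueError(f"unknown plugin {name!r}")
            members = {name}
        if remove:
            selected -= members
        else:
            selected |= members
    return selected


def noisy_plugins(selection):
    """Sorted list of the guessing plugins a selection would run."""
    return sorted(resolve_plugins(selection) & NOISY)


if __name__ == "__main__":
    for sel in ("@@DEFAULT", "@@DEFAULT;-auth", "@@ALL", "@@NONE;headers"):
        running = resolve_plugins(sel)
        print(f"{sel:18s} -> {len(running):2d} plugins, guessing: {noisy_plugins(sel)}")
```

The order of items matters in this model (a later `-auth` removes what an earlier `@@DEFAULT` added), which is how the page's `"@@DEFAULT;-auth"` reads; replace the constructed `REGISTRY` and `MACROS` with the plugin list and macro lines from your own nikto.conf before trusting the output for a real engagement.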
From lists at yehg.net Thu Dec 23 10:13:29 2010
From: lists at yehg.net (YGN Ethical Hacker Group)
Date: Fri, 24 Dec 2010 00:13:29 +0800
Subject: [Nikto-discuss] More quiet output (no questions after scan?)

As of 2.1.3, you don't even need to edit the config file for it.

You can specify

-ask no

perl nikto.pl -h attacker.in -ask no

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

On Wed, Nov 17, 2010 at 12:21 PM, Brandon Perry wrote:
> Ah, thanks.
>
> On Tue, Nov 16, 2010 at 10:08 PM, Sullo wrote:
>> Edit nikto.conf and change the UPDATES value. The default is YES...
>>
>> # Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should
>> # send updates because it makes the data better for everyone ;)  *NO* server specific information
>> # such as IP or name is sent, just the relevant version information.
>> # UPDATES=yes   - ask before each submission if it should send
>> # UPDATES=no    - don't ask, don't send
>> # UPDATES=auto  - automatically attempt submission *without prompting*
>>
>>
>> On Tue, Nov 16, 2010 at 10:43 PM, Brandon Perry
>> wrote:
>>>
>>> Hi,
>>>
>>> I am currently running nikto v2.1.1, installed from the Ubuntu
>>> repositories, automated with a bash script.
>>>
>>> Is there a way to keep it from asking to submit new information (if
>>> found) after a scan? I have found a work around by doing 'echo "y\r" |
>>> nikto -h 127.0.0.1 -o blah -Format html' and it does the trick. Awful
>>> dirty though...
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>> _______________________________________________
>>> Nikto-discuss mailing list
>>> Nikto-discuss at attrition.org
>>> https://attrition.org/mailman/listinfo/nikto-discuss
>>
>>
>>
>> --
>>
>> http://www.cirt.net | http://www.osvdb.org/
>>
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>

From lists at yehg.net Thu Dec 23 12:34:24 2010
From: lists at yehg.net (YGN Ethical Hacker Group)
Date: Fri, 24 Dec 2010 02:34:24 +0800
Subject: [Nikto-discuss] [db_tests] new entry - myBB SQL Injection

udb_tests
=========

"400000","0","9","/search.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBB 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection ","action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1",""

"400001","0","9","/private.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBBx 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection ","my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff",""

Testing
========

>perl nikto.pl -h http://attacker.in -root /mybb -useproxy

+ Target Port: 80
+ Proxy: localhost:8080
+ Start Time: 2010-12-25 02:28:34
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 DAV/2
+ /search.php: MyBB 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
+ 2 items checked: 0 error(s) and 1 item(s) reported on remote host
+ End Time: 2010-12-25 02:28:52 (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

From bperry.volatile at gmail.com Thu Dec 23 12:36:52 2010
From: bperry.volatile at gmail.com (Brandon Perry)
Date: Thu, 23 Dec 2010 12:36:52 -0600
Subject: [Nikto-discuss] More quiet output (no questions after scan?)

This is perfect, thank you.

On Thu, Dec 23, 2010 at 10:13 AM, YGN Ethical Hacker Group wrote:
> As of 2.1.3, you don't even need to edit the config file for it.
>
> You can specify
>
> -ask no
>
> perl nikto.pl -h attacker.in -ask no
>
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
>
>
> On Wed, Nov 17, 2010 at 12:21 PM, Brandon Perry
> wrote:
>> Ah, thanks.
>>
>> On Tue, Nov 16, 2010 at 10:08 PM, Sullo wrote:
>>> Edit nikto.conf and change the UPDATES value. The default is YES...
>>>
>>> # Nikto can submit updated version strings to CIRT.net. It won't do this w/o permission. You should
>>> # send updates because it makes the data better for everyone ;)  *NO* server specific information
>>> # such as IP or name is sent, just the relevant version information.
>>> # UPDATES=yes   - ask before each submission if it should send
>>> # UPDATES=no    - don't ask, don't send
>>> # UPDATES=auto  - automatically attempt submission *without prompting*
>>>
>>>
>>> On Tue, Nov 16, 2010 at 10:43 PM, Brandon Perry
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am currently running nikto v2.1.1, installed from the Ubuntu
>>>> repositories, automated with a bash script.
>>>>
>>>> Is there a way to keep it from asking to submit new information (if
>>>> found) after a scan? I have found a work around by doing 'echo "y\r" |
>>>> nikto -h 127.0.0.1 -o blah -Format html' and it does the trick. Awful
>>>> dirty though...
>>>>
>>>> --
>>>> http://volatile-minds.blogspot.com -- blog
>>>> http://www.volatileminds.net -- website
>>>> _______________________________________________
>>>> Nikto-discuss mailing list
>>>> Nikto-discuss at attrition.org
>>>> https://attrition.org/mailman/listinfo/nikto-discuss
>>>
>>>
>>>
>>> --
>>>
>>> http://www.cirt.net | http://www.osvdb.org/
>>>
>>
>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>> _______________________________________________
>> Nikto-discuss mailing list
>> Nikto-discuss at attrition.org
>> https://attrition.org/mailman/listinfo/nikto-discuss
>>
>

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From csullo at gmail.com Thu Dec 23 22:11:21 2010
From: csullo at gmail.com (Sullo)
Date: Thu, 23 Dec 2010 23:11:21 -0500
Subject: [Nikto-discuss] [db_tests] new entry - myBB SQL Injection

Added these, thanks!

On Thu, Dec 23, 2010 at 1:34 PM, YGN Ethical Hacker Group wrote:
> udb_tests
> =========
>
> "400000","0","9","/search.php","POST","MyBB has experienced an internal SQL
> error and cannot continue.","","","Sorry, but no results were
> returned","","MyBB 1.6 <= SQL Injection, ref:
> http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
> ","action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1",""
>
> "400001","0","9","/private.php","POST","MyBB has experienced an internal
> SQL error and cannot continue.","","","Sorry, but no results were
> returned","","MyBBx 1.6 <= SQL Injection, ref:
> http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
> ","my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff",""
>
>
> Testing
> ========
>
>
> >perl nikto.pl -h http://attacker.in -root /mybb -useproxy
>
> + Target Port: 80
> + Proxy: localhost:8080
> + Start Time: 2010-12-25 02:28:34
> ---------------------------------------------------------------------------
> + Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a
> mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
> DAV/2
> + /search.php: MyBB 1.6 <= SQL Injection, ref:
> http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
> + 2 items checked: 0 error(s) and 1 item(s) reported on remote host
> + End Time: 2010-12-25 02:28:52 (18 seconds)
> ---------------------------------------------------------------------------
> + 1 host(s) tested
>
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>
>

--
http://www.cirt.net | http://www.osvdb.org/
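The two udb_tests records YGN submitted (and Sullo merged) are 13 double-quoted, comma-separated fields, and a record with the wrong field count or a malformed tuning value is silently wrong rather than loudly rejected. As an added example, not from the thread and not Nikto's own code, the Python below lints a udb_tests file before it is dropped next to db_tests: it checks the field count, the id, the tuning class, the method and a few consistency rules (a POST without a body, a GET with one, a duplicated id). The field names follow the db_tests layout documented for Nikto 2.1.x and the 400000-499999 user id range is the one I understand the documentation reserves for user tests; both are assumptions to verify against your version's docs. The sample file is constructed from the two records above plus two deliberately broken lines.

```python
import csv

# Field layout of a Nikto 2.1.x db_tests / udb_tests record (assumption: taken from
# the documentation for that version, not from this thread; verify against yours).
FIELDS = ("id", "osvdb", "tuning", "uri", "method", "match_1", "match_1_or",
          "match_1_and", "fail_1", "fail_2", "summary", "data", "headers")
USER_ID_RANGE = range(400000, 500000)     # id range reserved for user tests (assumption)
TUNING_CHARS = set("0123456789abcx")      # the -Tuning classes Nikto accepts
METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: the two MyBB entries from the thread, one line with a
# missing field, and one line with a duplicate id, a bad tuning class and a
# GET that carries a body.
SAMPLE = """\
# constructed udb_tests file for the linter below
"400000","0","9","/search.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBB 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection ","action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1",""
"400001","0","9","/private.php","POST","MyBB has experienced an internal SQL error and cannot continue.","","","Sorry, but no results were returned","","MyBBx 1.6 <= SQL Injection, ref: http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection ","my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff",""
"400002","0","9","/search.php","POST","x","","","","","constructed: headers field missing","data"
"400000","0","z","/search.php","GET","x","","","","","constructed: duplicate id, bad tuning, GET with data","data",""
"""


def parse_record(line):
    """Split one quoted-CSV record into a dict keyed by FIELDS; raise on a bad field count."""
    rows = list(csv.reader([line], delimiter=",", quotechar='"', strict=True))
    fields = rows[0] if rows else []
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    return dict(zip(FIELDS, fields))


def check_record(rec, seen_ids):
    """Return a list of (level, message) problems for one parsed record."""
    problems = []
    if not rec["id"].isdigit():
        problems.append(("error", "id is not numeric"))
    else:
        tid = int(rec["id"])
        if tid not in USER_ID_RANGE:
            problems.append(("warn", f"id {tid} is outside the user test range"))
        if tid in seen_ids:
            problems.append(("error", f"duplicate id {tid}"))
        seen_ids.add(tid)
    if not rec["tuning"] or not set(rec["tuning"]) <= TUNING_CHARS:
        problems.append(("error", f"bad tuning {rec['tuning']!r}"))
    if not rec["uri"].startswith("/"):
        problems.append(("error", "uri must start with /"))
    if rec["method"] not in METHODS:
        problems.append(("error", f"unknown method {rec['method']!r}"))
    if rec["method"] == "POST" and not rec["data"]:
        problems.append(("warn", "POST test has no data body"))
    if rec["method"] == "GET" and rec["data"]:
        problems.append(("warn", "data given for a GET test"))
    if not rec["summary"]:
        problems.append(("error", "empty summary"))
    if not rec["match_1"]:
        problems.append(("warn", "empty match_1"))
    return problems


def lint_udb_tests(text):
    """Map line number -> problems for every record that has any; clean lines are absent."""
    report, seen = {}, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are skipped
            continue
        try:
            rec = parse_record(line)
        except (ValueError, csv.Error) as exc:
            report[lineno] = [("error", str(exc))]
            continue
        problems = check_record(rec, seen)
        if problems:
            report[lineno] = problems
    return report


if __name__ == "__main__":
    for lineno, problems in sorted(lint_udb_tests(SAMPLE).items()):
        for level, msg in problems:
            print(f"line {lineno}: {level}: {msg}")
```

Point `lint_udb_tests` at the real file (`lint_udb_tests(open("udb_tests").read())`) before a scan; an empty report means every record has the right shape, not that its match and fail strings are sensible, which only a run against a known target shows.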