sullo / nikto

Nikto web server scanner

Can't reproduce internal IP leakage #406

Closed digininja closed 8 years ago

digininja commented 8 years ago

I've got this from a save file which shows internal IP leakage:

GET /aspnet_client HTTP/1.1
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:headers: IIS internal IP)
Connection: Keep-Alive

-----------------------------------------------------------------------
                          Response
-----------------------------------------------------------------------
HTTP/1.1 301 Moved Permanently
content-type: text/html; charset=UTF-8
location: https://192.168.2.51/aspnet_client/
server: Microsoft-IIS/7.5
x-powered-by: ASP.NET
date: Tue, 02 Aug 2016 13:06:15 GMT
connection: keep-alive
content-length: 158

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://192.168.2.51/aspnet_client/">here</a></body>

But if I try to reproduce it I get this:

GET /aspnet_client HTTP/1.1
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:headers: IIS internal IP)
Connection: Keep-Alive

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 02 Aug 2016 13:27:28 GMT
Connection: close
Content-Length: 334

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>

I did a straight copy/paste from the save so I'm sending the same content. Any idea what could be going on?

If it helps, the site does leak the IP through an HTTP/1.0 request with exactly the same content apart from the /1.0 vs /1.1.
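An added example, not from the thread and not Nikto's own (Perl) code: a small Python checker that parses a captured response like the two quoted above and flags RFC 1918, loopback or link-local IPv4 addresses in the Location and WWW-Authenticate headers (the headers the two Nikto tests discussed in this thread look at) and in the body. The list of sensitive header names is an assumption for the example; the sample responses are transcribed from the thread or constructed from the OSVDB-630 value quoted later in it, so the check runs offline against saved output rather than against a live server.

```python
import ipaddress
import re
from typing import List, Tuple

# Response headers in which IIS and Exchange are known to echo a server-side
# address (the Nikto "IIS internal IP" and OSVDB-630 tests). Assumed list.
SENSITIVE_HEADERS = ("location", "www-authenticate", "content-location")

# Dotted-quad matcher; lookarounds stop it matching inside longer numbers.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into (status line, [(name, value)], body).

    Header names are lower-cased because IIS emits them in mixed case.
    """
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def is_internal(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses; False for junk."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. 999.1.1.1 matched by the regex
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_internal_ip_leaks(raw: str) -> List[Tuple[str, str]]:
    """Return (where, ip) pairs; 'where' is a header name or 'body'."""
    _, headers, body = parse_response(raw)
    findings: List[Tuple[str, str]] = []
    for name, value in headers:
        if name in SENSITIVE_HEADERS:
            findings += [(name, a) for a in IPV4_RE.findall(value) if is_internal(a)]
    findings += [("body", a) for a in IPV4_RE.findall(body) if is_internal(a)]
    return findings


# Sample responses transcribed from the thread (constructed test input).
LEAKING_301 = """HTTP/1.1 301 Moved Permanently
content-type: text/html; charset=UTF-8
location: https://192.168.2.51/aspnet_client/
server: Microsoft-IIS/7.5
x-powered-by: ASP.NET
connection: keep-alive
content-length: 158

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://192.168.2.51/aspnet_client/">here</a></body>
"""

REJECTED_400 = """HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Connection: close
Content-Length: 334

<HTML><HEAD><TITLE>Bad Request</TITLE></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2></BODY></HTML>
"""

# Constructed Exchange-style response carrying the value quoted for OSVDB-630.
EXCHANGE_401 = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="10.1.123.10"
Content-Length: 0

"""

if __name__ == "__main__":
    for label, sample in (("301", LEAKING_301), ("400", REJECTED_400), ("401", EXCHANGE_401)):
        print(label, find_internal_ip_leaks(sample) or "no internal address found")
```

The 400 in the post is what http.sys (the `Server: Microsoft-HTTPAPI/2.0` responder) returns when an HTTP/1.1 request carries no Host header, and the request quoted above has none; HTTP/1.0 does not require Host, so the same request over 1.0 reaches the site and IIS builds the redirect from the bound address. On the server side the usual fix is to give the binding a hostname (or set IIS's serverRuntime `alternateHostName`) so redirects never carry the raw address; on the review side, running saved responses through a check like this one confirms whether a given host is still affected.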

sullo commented 8 years ago

My off-the-cuff guess is the savefile is wrong and it should be HTTP/1.0 and not 1.1. Now why that's happening... have to dive into the savefile code.

digininja commented 8 years ago

I'll have to check exactly what the two plugins were, but it did report the HTTP/1.0 as well as this for HTTP/1.1.


digininja commented 8 years ago

Just had the same with the plugin that reports this message:

OSVDB-630: Microsoft Exchange Systems (CAS and OWA) may reveal the internal or real IP in the WWW-Authenticate header via a request over HTTP/1.0. The value is "10.1.123.10".

Can get the IP with 1.0 but not 1.1.

sullo commented 8 years ago

Wasn't a reporting issue: nfetch() reset it back to the previous version, so anything deviating from the norm was reset and it never made it to the report feature.

Don't have a server handy to test this flaw, but it should work. @digininja, if you are still in the window, can you give it a whirl to be sure?

digininja commented 8 years ago

Retested it and the fix seems to have worked. Thanks.
