Andres Riancho wrote:
> List,
>
> Yesterday I found out a new trick, and I would like to share it with you
> ;)
>
> HTTP Request
> ========
>
> GET /backup HTTP/1.0
> Accept: foobar/xyz
> User-Agent: w3af
> Host: 192.168.150.2
> Connection: Close
>
> HTTP Response
> =========
>
> HTTP/1.1 406 Not Acceptable
> ...
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>406 Not Acceptable</title>
> </head><body>
> <h1>Not Acceptable</h1>
> <p>An appropriate representation of the requested resource /backup
> could not be found on this server.</p>
> Available variants:
> <ul>
> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
> </ul>
> <hr>
> <address>Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2
> PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
> Server at 192.168.150.2 Port 80</address>
> </body></html>
>
> In the response, please note these lines:
>
> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>
> And if we go to the webroot to verify...
>
> d...@brick:/var/www$ ls -la | grep backup
> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:02 backup.tgz
> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:03 backup.zip
> d...@brick:/var/www$
This is the behavior of Apache's mod_speling which, in trying to complete a request and not finding an exact match, will scan the directory and if:

* no matching document was found, Apache will proceed as usual and return a "document not found" error.
* only one document is found that "almost" matches the request, then it is returned in the form of a redirection response.
* more than one document with a close match was found, then the list of the matches is returned to the client, and the client can select the correct candidate.

See: http://httpd.apache.org/docs/2.0/mod/mod_speling.html

So this behavior won't always happen - only if mod_speling is turned on. Grep for "mod_speling.so" or "LoadModule speling_module" in your Apache config to confirm this.

In this case, it's quite helpful, but if there's any bit of hardening on the Apache install, that module will be turned off (hopefully). That said, it never hurts to check since it can be quite nice for an attacker if it's running. I think having mod_speling turned on should at least be an informational finding as it can have negative security ramifications.

> This trick is really useful when finding (for example) backup files,
> because you won't need to ask for backup.zip, backup.7z, backup.bzip2,
> backup.tar.gz, etc. You just ask Apache for the backup file, with an
> incorrect Accept header (please note Accept: foobar/xyz) and that's
> it, a list is given back to you.
>
> If this ain't new for you, sorry, but it was new for me =)
>
> I'm still thinking how I can use this trick in w3af, because I may use
> it as part of a discovery plugin, or maybe as an audit plugin that
> finds this as a vulnerability, and code an attack plugin that can
> exploit it to bruteforce new resources... hmmm... I still have to
> think. What do you guys think?
I don't know of an equivalent for IIS, so it would be an interesting check for Apache servers (or all servers if you're not confident that the server has been identified correctly). You might be able to slightly modify a legit URL and see if you get back the page for the unmodified URL to determine if mod_speling is on, like:

---- pseudo code ---
# Legit page: http://example.com/about_us.php
if page from http://example.com/about_us.php == page from http://example.com/about_uz.php then
    mod_speling_enabled = true

if mod_speling_enabled then
    # bunch of fun things to test for.
---- pseudo code ---

Then if it is, try fun files like backup, etc.

> Cheers,

HTH

--
Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
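The following is an added example, not code from this thread or from w3af. It shows how a scanner or a reviewer of proxy logs could triage the two response shapes discussed above without touching a live server: it parses the "Available variants" list out of a 406 page like the one Andres pasted (so the disclosed file names can be recorded as a finding), and it recognises the mod_speling behaviour Matt quotes from the Apache docs, where a request for a slightly misspelled name is answered with a redirect to the real one. The sample responses are constructed, the "one misspelling" rule is taken from the mod_speling documentation, and the function and field names are this example's own choices.

```python
"""Triage Apache responses that disclose neighbouring file names.

Added example, not code from this thread or from w3af. Runs offline on
constructed responses. Function names are this example's own choices.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the body shape of the 406 page quoted in the thread.
SAMPLE_406_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /backup
could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>
</ul>
<hr>
</body></html>
"""

# Apache lists each candidate as: <li><a href="NAME">NAME</a> , type MIME</li>
_VARIANT_RE = re.compile(r'<li><a href="([^"]+)">[^<]*</a>\s*,\s*type\s+([^\s<]+)')


def parse_available_variants(body):
    """Return [(filename, mime_type), ...] found in a 406/300 error page."""
    return _VARIANT_RE.findall(body)


def within_one_edit(a, b):
    """mod_speling's notion of 'almost': case-insensitive equality, or one
    wrong, inserted, omitted or transposed character (per the Apache docs)."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:            # one wrong character
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]               # two adjacent characters swapped
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)  # one inserted/omitted character
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify(request_path, status, headers, body):
    """Map one response to a finding dict, or None if nothing was disclosed."""
    requested = request_path.rsplit("/", 1)[-1]
    if status in (300, 406):
        variants = parse_available_variants(body)
        if variants:
            return {"kind": "variant-list", "status": status,
                    "requested": requested,
                    "disclosed": [name for name, _ in variants]}
    if status in (301, 302) and "Location" in headers:
        target = urlsplit(headers["Location"]).path.rsplit("/", 1)[-1]
        if target != requested and within_one_edit(requested, target):
            return {"kind": "speling-redirect", "status": status,
                    "requested": requested, "disclosed": [target]}
    return None


def demo():
    """Constructed responses: the thread's 406 and Matt's about_uz.php probe."""
    observed = [
        ("/backup", 406, {}, SAMPLE_406_BODY),
        ("/about_uz.php", 301,
         {"Location": "http://example.com/about_us.php"}, ""),
        ("/about_us.php", 200, {}, "<html>about us</html>"),
    ]
    return [f for f in (classify(*r) for r in observed) if f is not None]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Either finding kind is worth logging as informational on the defending side: the variant list means MultiViews-style negotiation is answering with directory contents, and the near-match redirect means mod_speling is loaded, which is exactly what the grep for "LoadModule speling_module" above confirms from the configuration side.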