Dial Tone

How can I send a custom HTTP get request?

21 posts in this topic

I have a box running IIS6 set up so I can try out this new vulnerability: http://seclists.org/fulldisclosure/2009/May/0134.html (read the pdf for details)

Basically I send a malicious http get with unicode in it. The unicode is stripped out, and the file requested is served, regardless of any security considerations.

Seems like a cool thing to mess with on my network. Maybe try and work out a script to grab password files or something automagically, maybe send it in to 2600 or something similar.

My favorite application for manipulating HTTP requests is LiveHTTPHeaders for Firefox

http://livehttpheaders.mozdev.org/

Thanks, that's awesome. Do you know of anything that works on the command line? (Probably much easier to script something that way)


Wow, IIS Unicode exploits? I haven't seen that in a very long time.

A good versatile HTTP tool is curl. From the command-line, it's really easy to use. It's also a C library, but I find that a bit tedious. The high-level abstractions in Ruby (the net/http library) give pretty good control and are really simple to use. And of course, if you need ultimate control, there's netcat. Form your HTTP query in a text editor and just push it out with netcat.


Couldn't you also telnet to port 80 and just send a get request there via shell?

> Couldn't you also telnet to port 80 and just send a get request there via shell?

You could, but that's tedious. I've done this many times, and I always end up making a typo. Combine this with the complication of having to insert unicode characters in a complex URL, and it gets even harder. This is also essentially the same thing as using a text editor and netcat, so why not just do that instead?

> Couldn't you also telnet to port 80 and just send a get request there via shell?
>
> You could, but that's tedious. I've done this many times, and I always end up making a typo. Combine this with the complication of having to insert unicode characters in a complex URL, and it gets even harder. This is also essentially the same thing as using a text editor and netcat, so why not just do that instead?

I was just throwing ideas lol.


I'm with Ohm on this one; it would be easiest to use curl, and failing that, netcat.


Maybe I should scream ones and zeros into an ethernet cable.... :roll:

Probably going to go with netcat (soon as I heard the name I remembered it... probably more documentation for it than curl. Definitely easier to use)

> My favorite application for manipulating HTTP requests is LiveHTTPHeaders for Firefox
>
> http://livehttpheaders.mozdev.org/

I've never used this, but you'd probably be able to get similar results out of Tamper Data, another Firefox extension. From the screenshots I grokked of LiveHTTPHeaders, it looks like manipulating a POST would be easier with Tamper Data, at the very least.

If you're married to the command line though (and good for you! You'll find it more flexible for this sort of thing), I second the usage of "curl", as in the standalone binary... to me it's wget with more options.

An (untested) example of usage for your case would be something like:

curl -H "Translate: f" http://www.yourserver.com/..%c0%af/protected/protected.zip

I'm not 100% sure if the shell you're using would interpret %c0%af as the Unicode character "/", but that should be an example to get you started.

> My favorite application for manipulating HTTP requests is LiveHTTPHeaders for Firefox
>
> http://livehttpheaders.mozdev.org/
>
> I've never used this, but you'd probably be able to get similar results out of Tamper Data, another Firefox extension. From the screenshots I grokked of LiveHTTPHeaders, it looks like manipulating a POST would be easier with Tamper Data, at the very least.
>
> If you're married to the command line though (and good for you! You'll find it more flexible for this sort of thing), I second the usage of "curl", as in the standalone binary... to me it's wget with more options.
>
> An (untested) example of usage for your case would be something like:
>
> curl -H "Translate: f" http://www.yourserver.com/..%c0%af/protected/protected.zip
>
> I'm not 100% sure if the shell you're using would interpret %c0%af as the Unicode character "/", but that should be an example to get you started.

Apparently any unicode value works. The unicode is stripped out, then the path that remains is served _without authentication_. Whooooppsies.


These bugs have been around forever in IIS. At one point, just about every Windows server in the world was vulnerable to this. I'm really surprised to see this pop back up though, you'd think they would have fixed it.

> Couldn't you also telnet to port 80 and just send a get request there via shell?

LOL.

When I was about 14, more than 10 years ago, I started doing this: I would use the Windows clipboard and copy my request from Notepad, telnet to port 80 and paste.

And it worked just fine.

I did this to exploit the old /cgi-bin/phf bug in Apache back then.

If you logged your traffic, you could "save" the cat of /etc/passwd without a hassle into > dnsname.date.log

Then I started the curl or pipe to netcat like the great Ohm stated, but here is my 2 cents.

Why not learn perl or php or some other program/script lang?

To code up a HTTP request is very easy and simple with perl or php and you could even google the code to do it and just fill in a couple of blanks.

You will learn more man, if you write the code and do it yourself.

Command line tools are helpful for tasks or even to be called in scripts.

But ./hacking away with someone else's code does not teach you that much :-)

Good Luck!

<?php
// Connect to the web server and send a raw GET request.
$host = "www.blah.com";
$socket = fsockopen($host, 80, $errno, $errstr, 10);
if (!$socket) {
    die("connect failed: $errstr ($errno)\n");
}
fwrite($socket, "GET / HTTP/1.0\r\nHost: $host\r\n\r\n");

// Read the reply line by line until the server closes the connection.
while (!feof($socket)) {
    echo fgets($socket, 1024);
}
fclose($socket);
?>

Look into fgets() and while() at php.net/manual/ and see if you can figure out how to read the reply from the web server to the request sent above :-)


Or WebScarab is a good web-browser-based tool that does packet sniffing and allows you to mess with the parameters.


@shizzle: If you're going to be coding, why not use an actual abstraction? If you're just writing HTTP commands manually, you're actually doing more work than if you had a template HTTP query, copy and paste with a text editor, fill in what you need and use netcat. Programming is not terribly useful if you just write programs like the one you demonstrated.

> Or WebScarab is a good web-browser-based tool that does packet sniffing and allows you to mess with the parameters.

That's basically what the beginning webgoat tutorials are about: how to use webscarab.


Is there a standard location that passwords are stored on IIS? (Like, the Windows equivalent of /etc/passwd)

My goal is to get a script working that connects to a server (specified in stdin), and downloads their hash file.

(I think it's a safe bet anyone using unpatched IIS probably has some user accounts with dictionary word passes)

> Is there a standard location that passwords are stored on IIS? (Like, the Windows equivalent of /etc/passwd)
>
> My goal is to get a script working that connects to a server (specified in stdin), and downloads their hash file.
>
> (I think it's a safe bet anyone using unpatched IIS probably has some user accounts with dictionary word passes)

The equivalent of the Unix /etc/passwd for Windows is the SAM file.


I think it's quite difficult to get to the SAM file on a running Windows machine. There are safeguards in place against reading it, the OS just won't let you. This is why stealing a SAM file is usually done with a boot disk.

> @shizzle: If you're going to be coding, why not use an actual abstraction? If you're just writing HTTP commands manually, you're actually doing more work than if you had a template HTTP query, copy and paste with a text editor, fill in what you need and use netcat. Programming is not terribly useful if you just write programs like the one you demonstrated.

Yes, correct. I was only trying to be 'simple' to show the guy that a custom HTTP request is easy to do with many available scripting options.

Or he can go with wget; I was only trying to drive him a little more.

Sorry? :-P <3

