
Breakdown of attack URL

Posted: Thu Nov 03, 2011 10:41 am
by ywickham
I want a better understanding of what I'm looking at when an attack is reported to me. I'm hoping you guys can help me out by breaking down a URL for me and sending me to the correct sources to get more information. Example URL:

/MFR1.HTM?view=Panasonic_reviews%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fwww.imaging-resource.com%2FMFR1.HTM%3Fview%3DPanasonic_reviews','21','3','%2F%2F%2F%3Fpage%3Dpanasonic','',%20'00f08b68183ac8e8fc131147ad2015c66e310dec38043fbb8cc3',%200)/?page=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
My understanding was that a server responds with 200 when the request succeeded. I'm guessing the above URL didn't break anything as far as the server was concerned, so it sent a 200 response. And if I load this in the browser, it continues to load the page as expected. So what was this URL trying to do exactly? Thanks!

Re: Breakdown of attack URL

Posted: Thu Nov 03, 2011 5:41 pm
by Mordred
The last part looks like an attempt to elevate a LFI into code execution, as /proc/self/environ can control attacker-controlled strings.
The JavaScript looks like an attempt at XSS. Why they'd try both at the same time is a puzzle. Maybe it's a misbehaving automated attack script?

Re: Breakdown of attack URL

Posted: Fri Nov 04, 2011 2:34 am
by flying_circus
Decoded

/MFR1.HTM?view=Panasonic_reviews" onmousedown="ct(this, 'http://www.imaging-resource.com/MFR1.HTM?view=Panasonic_reviews','21','3','///?page=panasonic','', '00f08b68183ac8e8fc131147ad2015c66e310dec38043fbb8cc3', 0)/?page=../../../../../../../../../../../../..//proc/self/environ00 HTTP Response 200
Looks like a session id, or cookie data?
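The two replies above cover the mechanics (an LFI aimed at /proc/self/environ with a null byte to truncate the appended extension, plus an injected onmousedown handler) and the decoded form of the request. The script below is an added example written for this thread, not code from any of the posters: it percent-decodes the URL quoted in the first post, pulls out the indicators a log reviewer would look for, and shows a hardened resolver for a ?page= style parameter. The base directory /var/www/pages and the benign comparison URL are assumptions made up for the example.

```python
import os
import re
from urllib.parse import unquote

# The request exactly as quoted in the first post of the thread (status code omitted).
ATTACK_URL = (
    "/MFR1.HTM?view=Panasonic_reviews%22%20onmousedown=%22ct(this,%20"
    "'http%3A%2F%2Fwww.imaging-resource.com%2FMFR1.HTM%3Fview%3DPanasonic_reviews',"
    "'21','3','%2F%2F%2F%3Fpage%3Dpanasonic','',%20"
    "'00f08b68183ac8e8fc131147ad2015c66e310dec38043fbb8cc3',%200)"
    "/?page=../../../../../../../../../../../../..//proc/self/environ%0000"
)

# Constructed, benign request for comparison (not from the thread).
BENIGN_URL = "/MFR1.HTM?view=Panasonic_reviews&page=panasonic"


def decode_url(raw, max_rounds=3):
    """Percent-decode until the string stops changing. Scanners sometimes
    double-encode to slip past naive filters, so one pass is not enough."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(raw):
    """Return (decoded_url, findings) where findings holds the indicators
    that distinguish an LFI / XSS probe from ordinary traffic."""
    decoded = decode_url(raw)
    findings = {
        # "../" segments: a dozen of them is a blind attempt to reach / from anywhere.
        "traversal_depth": len(re.findall(r"\.\./", decoded)),
        # The classic LFI-to-RCE target: the process environment, which echoes
        # attacker-supplied headers such as User-Agent back into an include().
        "proc_self_environ": "/proc/self/environ" in decoded,
        # %00 truncates the path in old PHP so an appended ".php" is ignored.
        "null_byte": "\x00" in decoded,
        # A quote followed by an on*= handler: breaking out of an HTML attribute.
        "attr_breakout": re.search(r'"\s*on\w+\s*=\s*"', decoded) is not None,
        "event_handlers": re.findall(r"\bon\w+(?=\s*=)", decoded),
    }
    return decoded, findings


def verdict(findings):
    """Map indicators to the attack classes the thread discusses."""
    classes = []
    if findings["proc_self_environ"] or findings["traversal_depth"] >= 3:
        classes.append("LFI")
    if findings["attr_breakout"] or findings["event_handlers"]:
        classes.append("XSS")
    return classes


def safe_page_path(base_dir, user_value):
    """Hardened resolution for a ?page= parameter: refuse NUL bytes and any
    value that escapes base_dir once normalised. Returns the absolute path
    or None. base_dir is hypothetical here; use the real include directory."""
    if "\x00" in user_value:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for url in (ATTACK_URL, BENIGN_URL):
        decoded, findings = classify(url)
        print(repr(decoded))
        print(findings, "->", verdict(findings))
    print(safe_page_path("/var/www/pages", "../../../../../../proc/self/environ\x00"))
    print(safe_page_path("/var/www/pages", "panasonic.php"))
```

A 200 from the server says nothing about whether the include happened; the decoded string and the indicators above are what tell you what was attempted, and the server's own logs (or a request with a marker in the User-Agent header) tell you whether /proc/self/environ was actually served.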