############################################################################
# Scan rule definitions for arirang 1.77
# by pilot
# http://www.monkey.org/~pilot
#
# If you write a new scan rule, please send it by e-mail to pilot@monkey.org
#############################################################################
###############################################################################
#
# Rule syntax (one rule per line; a line starting with '#' is a comment):
#
#Type : (recv flags) Response_Data-> HTTP_Request_Method :URI^explain;information;
#Type : (NOT) Response_Data-> HTTP_Request_Method :URI^explain;information;
#comment
#
# Field separators, as used by the forms above:
#   "->" ends Response_Data, ":" starts the URI, "^" starts explain,
#   ";" ends explain and ";" ends information.
# NOTE(review): one example below has ';' inside the URI, so the URI field
# presumably runs up to '^' - confirm against the parser.
#
# recv flags are OOB, PEEK, ALL.
# OOB  is MSG_OOB (process out-of-band data)
# PEEK is MSG_PEEK (peek at incoming message)
# ALL  is MSG_WAITALL (wait for full request or error)
#
# NOT negates the match (see nottest.uxe).
# NOTE(review): the original text reads "NOT is not matching URI"; judging by
# the NOT example at the end of this section, the rule presumably reports
# when the response does not contain Response_Data - confirm.
#
# Response_Data can be an HTTP_Status_Code or a string from the response contents.
# NOTE(review): a status-only match such as "200 OK" will presumably also hit
# on servers that answer every request with a 200 error page; a content
# string or a NOT rule is likely the more reliable check - confirm.
#
# Response_Data maximum size is 50 bytes.
# HTTP_Request_Method maximum size is 50 bytes.
# URI maximum size is 2500 bytes.
# explain maximum size is 100 bytes.
# information maximum size is 400 bytes.
#
#
#############################################################################
#
#HTTP_Status_Code (HTTP 1.0)
#              "200"   ; OK
#            | "201"   ; Created
#            | "202"   ; Accepted
#            | "204"   ; No Content
#            | "301"   ; Moved Permanently
#            | "302"   ; Moved Temporarily
#            | "304"   ; Not Modified
#            | "400"   ; Bad Request
#            | "401"   ; Unauthorized
#            | "403"   ; Forbidden
#            | "404"   ; Not Found
#            | "500"   ; Internal Server Error
#            | "501"   ; Not Implemented
#            | "502"   ; Bad Gateway
#            | "503"   ; Service Unavailable
#            | extension-code
#notice 200 -> 200 OK
# NOTE(review): presumably this means a bare 200 should be written as
# "200 OK", as the example rules below do - confirm.
#
#HTTP_Request_Methods (HTTP 1.0)
# Method     = "GET"
#            | "HEAD"
#            | "POST"
#
#
# HTTP 1.1 Request_Methods
# OPTIONS
# GET
# HEAD
# POST
# PUT
# DELETE
# TRACE
# HTTP 1.1 Status code
# Status-Code = "100"   ; Continue
#            | "101"   ; Switching Protocols
#            | "200"   ; OK
#            | "201"   ; Created
#            | "202"   ; Accepted
#            | "203"   ; Non-Authoritative Information
#            | "204"   ; No Content
#            | "205"   ; Reset Content
#            | "206"   ; Partial Content
#            | "300"   ; Multiple Choices
#            | "301"   ; Moved Permanently
#            | "302"   ; Moved Temporarily
#            | "303"   ; See Other
#            | "304"   ; Not Modified
#            | "305"   ; Use Proxy
#            | "400"   ; Bad Request
#            | "401"   ; Unauthorized
#            | "402"   ; Payment Required
#            | "403"   ; Forbidden
#            | "404"   ; Not Found
#            | "405"   ; Method Not Allowed
#            | "406"   ; Not Acceptable
#            | "407"   ; Proxy Authentication Required
#            | "408"   ; Request Time-out
#            | "409"   ; Conflict
#            | "410"   ; Gone
#            | "411"   ; Length Required
#            | "412"   ; Precondition Failed
#            | "413"   ; Request Entity Too Large
#            | "414"   ; Request-URI Too Large
#            | "415"   ; Unsupported Media Type
#            | "500"   ; Internal Server Error
#            | "501"   ; Not Implemented
#            | "502"   ; Bad Gateway
#            | "503"   ; Service Unavailable
#            | "504"   ; Gateway Time-out
#            | "505"   ; HTTP Version not supported
#            | extension-code
# IIS also reports these request methods:
#Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
#Allow: OPTIONS, TRACE, GET, HEAD, LOCK, UNLOCK
#Example
# The next three rules are commented out and therefore inactive.
#200 OK-> GET :/cgi-bin/Count.cgi^Count.cgi test;;
#403-> HEAD :/cgi-bin/ ^cgi-bin directory test;;
#404-> HEAD :/nofile ^nofile doesn't exist;;
# Status-code match with a non-empty information field.
401-> HEAD :/private/ ^Apache Authorize test;delete this file;
# URL-encoded URI.
# NOTE(review): the percent-encoded path decodes to /cgi-bin/test-cgi
# (%2d is '-'), while the explain text says /cgi-bin/test.cgi; one of the two
# is presumably a typo - confirm which script is meant.
200 OK-> GET :/%63%67%69%2d%62%69%6e/%74%65%73%74%2d%63%67%69 ^/cgi-bin/test.cgi url-encoding;see uri;
# Long path segment; the rule matches when the server answers 500.
500-> GET :/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/^buffer overflow test;cool bof;
# Response_Data here is a string from the response contents, not a status code.
web printer-> GET :/NULL.printer^iis 5 .printer mapping test;;
# Content match again; the URI itself contains ';' characters.
nobody-> GET :/cgi-bin/man.cgi?man=ls;id;pwd;^remote execute man.cgi;;
#Example HTTP request injection.
# The URI field carries its own HTTP version and \r\n\r\n.
# NOTE(review): presumably the scanner expands \r and \n in the URI, so the
# request ends inside the URI field - confirm.
200 OK-> GET :/cgi-bin/test.cgi HTTP/1.0\r\n\r\n^injection test1;;
200 OK-> GET :/cgi-bin/test.cgi HTTP/1.1\r\n\r\n^injection test2;;
#Example information field (\n and \t are supported)
200 OK-> GET :/cgi-bin/test.cgi^test.cgi;test\t tab test;
200 OK-> GET :/cgi-bin/test.cgi^test.cgi;test\n new line test;
#Example recv flags (also see codered.uxe)
# ALL selects MSG_WAITALL for the receive; "IDQ" is matched in the response.
ALL IDQ-> GET :/a.ida^already admin deleted .ida files. server haven't .ida buffer overflow;;
#Example NOT keyword - see nottest.uxe
NOT 404-> GET :/^HTTP GET Request NOT 404;;
########################################################################