
Thursday, March 21, 2013

Fingerprinting Web Servers

Fingerprinting a web server means identifying the software it runs (product, version, platform, bundled modules) from the way it answers requests, so that further testing can be aimed at that software. The server usually hands most of this over voluntarily in its response headers and error pages; the rest can be inferred from how it handles requests that are slightly wrong.

Identifying Versions

With simple requests to the server we can find out what software it is using. Any method will do, GET, HEAD or POST. Requesting objects (files) that are not there, or sending methods the server does (and does not) support, are good places to start, because error responses tend to be the most talkative.

In each listing below, the line after the nc command is the request I typed once connected; everything from the status line onward is the server's response.

aichi@home# nc 127.0.0.1 81
head / http/1.0
HTTP/1.1 501 Method Not Implemented
Date: Fri, 22 Mar 2013 04:13:18 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 206
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>head to / not supported.<br />
</p>
</body></html>

The above is the output of netcat after I typed a lowercase HEAD request (head / http/1.0) to a local server. HTTP method names are case sensitive, so Apache treated "head" as a method it had never heard of and answered 501. The error is useful in itself: the Allow header lists every method the server does implement (GET, HEAD, POST, OPTIONS and TRACE), and the Server header tells us the software, Apache, its version, 2.2.17, the operating system (Win32) and the modules and libraries built alongside it (mod_ssl 2.2.17, OpenSSL 0.9.8q and PHP 5.3.5). Keep in mind that an administrator can cut all of that down to just "Apache" with ServerTokens Prod (and ServerSignature Off for the error pages), so the banner is a hint rather than proof; how the server behaves on odd requests, as in the examples below, is harder to hide.

aichi@home# nc 127.0.0.1 81
HEAD / AICHI/6.6.6
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2013 04:19:29 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Connection: close
Content-Type: text/html;charset=UTF-8

Apache accepted the made-up protocol version (AICHI/6.6.6) and answered the HEAD with a 200 as if it were a plain HTTP/1.0 request. Using other methods supported by the server we can even get a directory listing, assuming there is no index file in place and directory indexes are enabled. Let's try the GET method.

aichi@home# nc 127.0.0.1 81
GET / AICHI/6.6.6
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2013 04:23:28 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Connection: close
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
 <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="0fees/">0fees/</a>         </td><td align="right">12-Feb-2013 19:56 </td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="ForwardElectric%20Backup/">ForwardElectric Backup/</a></td><td align="right">07-May-2012 08:31 </td><td align="right"> - </td><td>&nbsp;</td></tr>

I supplied an invalid version (AICHI/6.6.6) and it still listed the directory contents, and yes, there was no index file. Newer Apache releases (2.4.24 onward, with the default HttpProtocolOptions Strict) reject a request line like this with 400 Bad Request instead, so whether the server tolerates it is a version hint in its own right. Let's see what it looks like with a blank index file.

aichi@home# nc 127.0.0.1 81
GET / AICHI/6.6.6
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2013 04:27:39 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Last-Modified: Fri, 22 Mar 2013 04:27:17 GMT
ETag: "700000006ae2f-0-4d87bded2357a"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html

With a blank index file there is nothing to list: Content-Length 0, plus a Last-Modified and an ETag for the empty file. One more item from the Allow header is worth checking. TRACE is meant for debugging and makes the server echo the request it received, headers included, back in the response body. Sooo.. something like...

aichi@home# nc 127.0.0.1 81
TRACE / HTTP/1.1
host:localhost
X-Header: <script>alert(1)</script>
HTTP/1.1 200 OK
Date: Fri, 22 Mar 2013 04:31:48 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
Transfer-Encoding: chunked
Content-Type: message/http
4a
TRACE / HTTP/1.1
host: localhost
X-Header: <script>alert(1)</script>
0

The reply is Content-Type: message/http, and the single chunk (0x4a, 74 bytes) is our request repeated verbatim, script tag and all. That is what cross-site tracing (XST) relies on: anything that can make a browser issue a TRACE to this host gets to read back headers that page script normally cannot see, such as HttpOnly cookies. Modern browsers refuse to send TRACE from script, so today this is mostly a hardening finding, but it still confirms the server honours everything in its Allow list. On Apache the fix is TraceEnable off.
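The two probes that matter above, the invalid method that draws out the Server and Allow headers and the TRACE that echoes our marker back, are easy to script. What follows is an added example (my code, not from the post) that does the netcat work in Python and adds the parsing a tester actually wants afterwards: it de-chunks the body, splits the Server header into product/version pairs plus the platform comment, reads the Allow list, and reports whether TRACE reflected the marker. The two responses embedded in it are constructed from the listings on this page (the 501 body trimmed); the only assumed names are the helper functions themselves, and nothing touches the network unless you call fingerprint().

```python
import re
import socket

# Header-name characters allowed by RFC 7230 (tchar), then ": value".
_HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*)$")
# Marker the post sent in its X-Header; any unique string would do.
TRACE_MARKER = "<script>alert(1)</script>"

# Constructed from the listings on this page: the 501 headers (body omitted)
# and the TRACE reply with its 0x4a-byte chunk exactly as echoed.
RESPONSE_501 = (
    b"HTTP/1.1 501 Method Not Implemented\r\n"
    b"Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
RESPONSE_TRACE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"4a\r\n"
    b"TRACE / HTTP/1.1\r\nhost: localhost\r\n"
    b"X-Header: <script>alert(1)</script>\r\n\r\n"
    b"\r\n0\r\n\r\n"
)

def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (chunk sizes are hex)."""
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip the chunk data and the CRLF after it
    return bytes(out)

def parse_response(raw):
    """Split a raw response into (status_code, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").splitlines()
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0] if lines else "")
    if not m:
        raise ValueError("not an HTTP response: %r" % raw[:40])
    headers = {}
    for line in lines[1:]:
        hm = _HEADER_RE.match(line)
        if hm:
            headers[hm.group(1).lower()] = hm.group(2).strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return int(m.group(1)), headers, body

def parse_server_header(value):
    """'Apache/2.2.17 (Win32) mod_ssl/2.2.17 ...' -> ({product: version}, platform)."""
    products, platform = {}, None
    for token in re.findall(r"\([^)]*\)|\S+", value):
        if token.startswith("("):
            platform = token.strip("()")  # the parenthesised OS comment
        else:
            name, _, version = token.partition("/")
            products[name] = version or None
    return products, platform

def trace_reflected(raw, marker=TRACE_MARKER):
    """True if a TRACE reply is message/http and echoes our marker (XST)."""
    code, headers, body = parse_response(raw)
    return (code == 200
            and headers.get("content-type", "").startswith("message/http")
            and marker.encode() in body)

def fingerprint_from(allow_raw, trace_raw):
    """Summarise what the invalid-method and TRACE responses reveal."""
    code, headers, _ = parse_response(allow_raw)
    products, platform = parse_server_header(headers.get("server", ""))
    allow = [x.strip() for x in headers.get("allow", "").split(",") if x.strip()]
    return {"status": code, "products": products, "platform": platform,
            "allow": allow, "trace_reflected": trace_reflected(trace_raw)}

def send_raw(host, port, request, timeout=5.0):
    """What `nc host port` does: send bytes, read until close (or timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        try:
            for data in iter(lambda: s.recv(4096), b""):
                chunks.append(data)
        except socket.timeout:
            pass  # keep-alive server that never closed: use what we have
    return b"".join(chunks)

def fingerprint(host, port):
    """Live version of the post's probes (lowercase 'head' for the Allow
    header, as the post did; 'OPTIONS * HTTP/1.0' is the portable choice)."""
    trace_req = (b"TRACE / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n"
                 b"X-Header: %s\r\n\r\n" % (host.encode(), TRACE_MARKER.encode()))
    return fingerprint_from(send_raw(host, port, b"head / HTTP/1.0\r\n\r\n"),
                            send_raw(host, port, trace_req))
```

Run fingerprint_from(RESPONSE_501, RESPONSE_TRACE) to see the summary for the server in this post, or fingerprint("127.0.0.1", 81) against a live one. Against a hardened server expect the products dict to shrink to a bare "Apache" and trace_reflected to come back False (Apache answers 405 when TraceEnable is off), which is exactly the comparison that makes the banner-free behaviour hints worth collecting.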