curl-users

Re: Hacking / Hijacking / or OTHER ?

From: Botany <botany_at_strato.net>
Date: Thu, 22 Mar 2012 11:53:12 -0400

> This command line is treated by curl as two URLs with the -i option since
> there's no space between -A and the URL before it. Is that just a mistake
> in the mail or the actual command line?

Yes, I realize that the command is malformed. I discovered the output
anomaly by accident while testing mod_security for Apache (see link below).
Even so, the output was suspicious enough for me to investigate, and I need
to understand. When I run the command, the server connects to
http://209.71.59.41/ and gets the DomainRegistry.com-page which is hosted
there.

I admit that I know nothing about cURL. But I did, however, exhaust Google
in an attempt to find answers prior to making this cURL mailing list post.
I am turning to this mailing list because I think its members have the best
chance of offering answers.

When I change the keyword, using the command I found in the college
tutorial on testing mod_security
(http://samsclass.info/124/proj11/p16-mod-security.html), even more curious
output is obtained. It looks like the page/code that a browser loads when
it detects a Java plug-in is needed ??? :

curl -i http://www.mydomain.com/-A Nessus

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved here.</p>
</body></html>
HTTP/1.1 200 OK
Date: Thu, 22 Mar 2012 15:10:24 GMT
Server: Apache/2.2.3 (Linux/SUSE)
Last-Modified: Sun, 08 Mar 2009 17:56:05 GMT
ETag: "7000008c-42f-4649f3b575740"
Accept-Ranges: bytes
Content-Length: 1071
Content-Type: text/html

<HTML>
<BODY bgcolor="#FFFFFF">
<!-- BEGIN SECURE FTP APPLET CODE -->
<CENTER>
<!-- NOTE: All runtime properties are defined in params.txt by default -->
<object width="1024" height="768"
classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
        codebase="http://java.sun.com/products/plugin/autodl/jinstall-1_5_0-windows-i586.cab#Version=1,5,0,0">
    <param name="code" value="com.jscape.ftpapplet.FtpApplet.class">
    <param name="archive" value="sftpapplet.jar">
    <param name="scriptable" value="false">
    <comment>
        <embed
            type="application/x-java-applet;version=1.5" \
            code="com.jscape.ftpapplet.FtpApplet.class" \
            archive="sftpapplet.jar" \
            name="ftpapplet" \
            width="1024" \
            height="768" \
                    scriptable="false" \
                    pluginspage =
"http://java.sun.com/products/plugin/index.html#download">
                    <noembed>
            </noembed>
        </embed>
    </comment>
</object>
</CENTER>
<!-- END SECURE FTP APPLET CODE -->
</BODY>
</HTML>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-03-22
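
The quoted reply says curl treats the posted command line as two URLs because `-A` is glued to the first one. The sketch below is an added example, not part of the original mail or of curl itself: a simplified model of how the words are sorted, with hypothetical function names and an assumed subset of value-taking options.

```shell
# Simplified model of how curl sorts command-line words (constructed for
# illustration; real curl supports many more options than listed here).
# Words arrive already split by the shell, exactly as curl's argv would.
classify_curl_args() {
    expect_value=""
    for word in "$@"; do
        if [ -n "$expect_value" ]; then
            # Previous word was an option that consumes the next word
            echo "value($expect_value): $word"
            expect_value=""
            continue
        fi
        case "$word" in
            -A|-H|-o|-e|-d|-u|-x)   # assumed subset of options that take a value
                expect_value="$word" ;;
            -*)
                echo "flag: $word" ;;
            *://*)
                echo "url: $word" ;;
            *)
                # No scheme: curl guesses one and treats the word as a host name
                echo "url: http://$word (scheme guessed)" ;;
        esac
    done
}

# Number of separate transfers the command line would trigger
count_urls() {
    classify_curl_args "$@" | grep -c '^url: '
}

# Command as posted: "-A" is part of the first URL's path, "Nessus" is a second URL
classify_curl_args -i http://www.mydomain.com/-A Nessus
# Intended form: "-A" is its own word and "Nessus" becomes the User-Agent value
classify_curl_args -i http://www.mydomain.com/ -A Nessus
```

In the posted form the User-Agent is never set to `Nessus`, so a mod_security rule keyed on that header is not exercised, and the second response in the output belongs to whatever host the bare name `Nessus` resolves to from that machine.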