IIS service leak file content
This is a vulnerability found by the NSFOCUS security team. When Microsoft IIS 4.0 / 5.0 (Far East Version) When processing HTTP command requests containing incomplete double-byte coding characters, the file content in the web directory will lead to remote attackers.
The Microsoft IIS Far East Region includes Chinese (Simplified / Traditional), Japanese, Korean Edition, which makes them use the double-byte encoding format due to specific text formats. When IIS receives an HTTP request submitted by the user, if the file name contains a non-ASCII character, IIS checks if this character is a leading character in double-byte encoding (for example, the Japanese leader characters contains two characters: 0x81 -0x9f, 0xe0-0xFC). If it is a front lead character, it will continue to check if the next character is end character. If there is no next character, IIS will simply discard this leader, because it does not constitute a complete double-byte encoding. However, this process will cause IIS to open different files instead of the file specified in the request.
By submitting a special format URL, IIS allows IIS to open some of the type of file that it does not explain in a certain ISAPI dynamic link library, and obtains the content of the file. Depending on the type of ISAPI application installed, an attacker may get the file content in the web root directory or virtual directory, which can be a normal text file (.asp, .ini, .asa, etc.) or two-way Document (.exe, etc.).
The hacker will use this vulnerability using Unicode:
Unicode (unified character coding standard, encoding the double-byte) can be said to be the most popular attack intrusion in recent periods, only in the near future, there are several large websites such as Jiangmin Company in the near future by this intrusion attack. Then let's talk about this easy to use the Unicode vulnerability to invade IIS.
Above we mentioned that due to certain double-bytes of Windows2000, we have different English versions when handling certain special characters, however, using this IIS vulnerability, an attacker can bypass the Directory audit of IIS. command.
http://server/scripts/..