%5C database exposure vulnerability

xiaoxiao 2021-03-06

Today I saw an article about %5c database exposure. This trick really is in use, and roughly one website in ten will expose its database this way.

NSFOCUS (the Green Alliance) has published related information about this vulnerability.

Microsoft IIS CGI filename decoding error vulnerability

Release Date: 2001-05-15

CVE CAN ID: CVE-2001-0333

Affected software and systems:
- Microsoft IIS 4.0
- Microsoft IIS 5.0

Unaffected software and systems:
- Windows IIS 4.0 (SP6/SP6a without any other new hotfixes installed)

Overview: The NSFOCUS Security Team found that Microsoft IIS 4.0/5.0 has a security vulnerability in the handling of CGI program file names. Because the file name is incorrectly decoded twice, an attacker may use this vulnerability to execute arbitrary system commands.

Analysis: When IIS loads an executable CGI program, it decodes the request twice. The first decode is an HTTP (URL) decode of the CGI file name, after which IIS determines whether the file name refers to an executable, for example by checking whether the extension is ".exe" or ".com". After this file name check, IIS performs a second decode. Normally only the CGI parameters should be decoded at this point, but IIS erroneously decodes the already decoded CGI file name together with the parameters. As a result, the CGI file name is decoded twice.

By carefully constructing the CGI file name, an attacker can bypass the security checks that IIS applies to file names, such as the checks for "../" or "./", and under certain conditions execute arbitrary system commands.

For example, the '\' character is %5c after normal URL encoding. The encodings of those three characters are: '%' = %25, '5' = %35, 'c' = %63.

Encoding these three characters a second time can take a variety of forms, such as %255C, %%35C, %%35%63, %25%35%63, and so on.

Therefore "..\" can be expressed as "..%255c", "..%%35c", and so on.

After the first decode this becomes "..%5c", which IIS treats as a normal string that does not violate its security rules. After the second decode it becomes "..\". An attacker can therefore use "..\" for directory traversal and execute programs outside the web directory.
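To make the ordering problem in the advisory concrete, here is an added example (not code from the advisory, from NSFOCUS, or from IIS) that models the decode/check/decode sequence described above with plain Python string handling. The function names and the "/scripts/" root are this example's own assumptions; the point it shows is that running the traversal check between two decodes lets "..%255c" through, whereas decoding exactly once, rejecting anything still percent-encoded, canonicalizing, and only then checking the root boundary does not.

```python
"""Model of the double-decoding order bug described in the NSFOCUS advisory.

Added example, not code from the original page or from IIS. It reproduces the
sequence the advisory describes (decode, check, decode again) with ordinary
string operations, next to a hardened sequence. Function names are assumptions.
"""
from typing import Tuple
from urllib.parse import unquote
import posixpath


def is_executable_target(name: str) -> bool:
    """The extension check the advisory mentions (".exe" / ".com")."""
    return name.lower().endswith((".exe", ".com"))


def has_traversal(path: str) -> bool:
    """Reject any '..' segment, treating '\\' and '/' alike as separators."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def flawed_dispatch(raw_path: str) -> Tuple[bool, str]:
    """Sequence the advisory describes: decode once, run the security check,
    then decode a second time together with the CGI parameters.
    Returns (accepted, path that would actually be used)."""
    once = unquote(raw_path)
    if not is_executable_target(once) or has_traversal(once):
        return (False, once)
    twice = unquote(once)  # the erroneous second decode: "..%5c" becomes "..\"
    return (True, twice)


def hardened_dispatch(raw_path: str, root: str = "/scripts/") -> Tuple[bool, str]:
    """Decode exactly once, refuse anything that is still percent-encoded,
    canonicalize, and only then check that the path stays under `root`.
    Returns (accepted, canonical path)."""
    once = unquote(raw_path)
    if "%" in once:  # a second layer of encoding is never legitimate here
        return (False, once)
    canonical = posixpath.normpath(once.replace("\\", "/"))
    if not canonical.startswith(root) or not is_executable_target(canonical):
        return (False, canonical)
    return (True, canonical)


if __name__ == "__main__":
    probe = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"  # form from the advisory
    print("flawed:  ", flawed_dispatch(probe))
    print("hardened:", hardened_dispatch(probe))
```

The hardened variant deliberately treats a leftover '%' after one decode as a rejection rather than decoding again: the advisory's whole bypass depends on the check seeing a different string than the one the server finally acts on, so the fix is to check the final, canonical form and nothing else.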

Test method: For example, if the target has an executable virtual directory (Scripts) on the same drive as the Windows system, submit the following request:

http://target/scripts/..\..\winnt/system32/cmd.exe?/c dir c:\

The root directory of C:\ will be listed. Of course, doing the same for '/' or '.' achieves the same effect, for example "..%252F", ".%252e/", and so on.

Note: an attacker can only execute commands with the permissions of the IUSR_machinename user.

Workaround:
1. If executable CGI is not needed, delete the executable virtual directories such as /scripts.
2. If an executable virtual directory really is needed, place it on a separate partition.
3. Move all command-line tools that an attacker could use to another directory and disable access for the Guests group.

Vendor status:
2001.3.27 We reported this issue to Microsoft.
2001.4.01 Microsoft confirmed the issue.
2001.4.16 Microsoft provided a patch for testing; testing found the issue resolved.
2001.4.23 Microsoft asked us to delay the announcement by two weeks to allow further testing.
2001.4.30 Microsoft asked us to postpone by another week.
2001.5.14 Microsoft released security bulletin MS01-026 and the corresponding patches.

Details of the Microsoft security bulletin are available at:

http://www.microsoft.com/technet/security/bulletin/ms01-026.asp

The patch can be downloaded from:

Microsoft IIS 4.0: http://www.microsoft.com/downloads/release.asp?releaseid=29787

Microsoft IIS 5.0: http://www.microsoft.com/downloads/release.asp?releaseid=29764

Ha ha. Although this vulnerability is not very big, the relevant point here is IIS's double decoding. Everyone knows that "\" and "/" in a URL are the same, i.e. http://www.example.com/abc/123.asp?id=5 and http://www.example.com/abc\123.asp?id=5 are the same.

http://www.example.com/abc\123.asp?id=5 turns into http://www.example.com/abc/123.asp?id=5, and this is where it goes wrong. After IIS's double decoding it becomes http://www.example.com/abc\123.asp?id=5, and if the database connection uses a relative path to the file, the database file cannot be found and of course an error results. The error is very honest and even outputs the physical path. See for yourselves:

Microsoft Jet Database Engine Error '80004005'

'D:\wwrow\data\abc.asp' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.

/BLOG/CONN.ASP, line 29

This is what I dug out; everyone should have a look at this month's Black Defense. (Dizzy, I know that I also contributed. I found more than he did, depressing.)

Many people are analyzing the conditions for success, just as people on ITBBS are discussing it. (ITBBS has been unreachable recently; if anyone knows what is going on, please say.)

Sykkk believes:

1. No fault-tolerant code was added at the database connection, so the error cannot be skipped and the data file connection is exposed.
2. The other side's IIS has not turned off error messages. Just check the error message; if there is none, it is no use.

3. It does not have to be a second-level directory, but what is certain is that a first-level directory never succeeds. If you have succeeded, please send it in and I will share your article. As for constructing a non-existent /..%5c second-level directory, my personal view is that at least I have had no success; anyone who has succeeded is welcome to send a website to test.

4. The page that calls the database does not necessarily have to be of the 5c1.asp?id=1 kind; any page that submits or checks data against the database will do. For authentication, find the login location directly: /xxx%5ccheck.asp can also achieve database exposure.

In fact, our XST boss Totododo pointed out a necessary condition that was forgotten: the database must be referenced by a relative path; an absolute path won't work. And I would add that it should be IIS 4.0 or IIS 5.0; IIS 6 should not be affected.

Regarding the second-level directory, I agree with Sykkk's opinion. Some people say it must be a second-level directory; I can tell everyone that is wrong. It should be that the "/" closest before the ASP file is changed to "%5C", and only pages that call the database are likely to expose it. Haha, and of course the other side must not have blocked error messages, otherwise you can't see anything.

Summary: conditions for a successful %5C database exposure

1. The other server runs IIS 4.0 or IIS 5.0, and error messages are not blocked.

2. The database connection has no fault-tolerant code (On Error Resume Next), so the error cannot be skipped and the live data file connection is exposed.

3. It should be the Microsoft Jet Database Engine.

4. The database file is called with a relative path!!

It does not have to be a second-level directory. Three levels also work (I have succeeded). There was also a second-level directory where I did not succeed, so that claim should be wrong. :)
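From the defender's side, the conditions summarized above translate into a log pattern: a request whose path contains an encoded backslash (or a double-encoded one, as in the advisory) sitting directly before the script name, typically followed by a server error. The following is an added example, not code from the original post or from IIS, that runs that triage over a few constructed lines in IIS W3C format (date, time, client IP, method, URI stem, query, status); the field layout, sample lines and function names are this example's own assumptions.

```python
"""Log triage for the %5C database-exposure pattern described in the post.

Added example, not code from the original page or from IIS. It decodes each
request path repeatedly (to catch double encoding such as %255c), then flags
a backslash in the decoded path, a path that needed more than one decoding
round, and a backslash placed directly before an .asp file name.
"""
from urllib.parse import unquote

# Constructed sample log lines in IIS W3C layout (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-03-02 10:15:21 192.0.2.10 GET /blog/conn.asp - 200
2004-03-02 10:15:33 192.0.2.10 GET /blog%5cconn.asp - 500
2004-03-02 10:15:40 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 500
2004-03-02 10:15:48 192.0.2.11 GET /blog/index.asp id=5 200
"""


def decode_rounds(value: str, limit: int = 3):
    """Percent-decode until the string stops changing (at most `limit` rounds).
    Returns (decoded, rounds_needed); rounds >= 2 means double encoding."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify_stem(stem: str):
    """Return the reasons (possibly none) a request path matches the %5C pattern."""
    decoded, rounds = decode_rounds(stem)
    reasons = []
    if rounds >= 2:
        reasons.append("double-encoded path")
    if "\\" in decoded:
        reasons.append("backslash in path")
        script = decoded.rpartition("\\")[2]  # text after the last backslash
        # The post's shape: the separator right before the ASP file became "\"
        if script.lower().endswith(".asp") and "/" not in script:
            reasons.append("backslash directly before ASP file")
    return reasons


def triage(log_text: str):
    """Parse the log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:  # skip headers, blanks and malformed lines
            continue
        _date, time, client, _method, stem, _query, status = fields
        reasons = classify_stem(stem)
        if reasons:
            findings.append({"time": time, "client": client, "stem": stem,
                             "status": int(status), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A 500 status on a flagged request is the signal worth escalating: it is exactly the case where the page's connection code had no error handling and the Jet error, physical path included, went back to the client. The same triage also catches the advisory's double-encoded traversal form, since the decoding loop only stops when the string is stable.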

By the way, there are also articles about ASPX %5C, and they are also very clever. If you want to know more, Google it. ^_^

These are personal insights; criticism is welcome.

Please credit the original address when reposting: https://www.9cbs.com/read-60022.html
