For the concept of alternate data streams (ADS), please refer to the article translated by BigWorm, "NTFS unfavorable side"; this article only covers accessing ADS through IIS.
First, look at an old vulnerability: the Microsoft IIS 3.0/4.0 ::$DATA request ASP source disclosure vulnerability. This is probably the earliest report involving ADS and IIS. $DATA is one of the attributes of a data stream in the NTFS file system, namely the file's main data stream (NTFS allows a file to have multiple streams, but there is always at least one unnamed stream, the main stream). When we request a.asp::$DATA, we are requesting the data of a.asp itself. If a.asp also contains other data streams, such as a.asp:lake2.asp, then requesting a.asp:lake2.asp:$DATA returns the content of a.asp's stream lake2.asp.

Microsoft's patch seems to have solved the problem of IIS leaking the main stream's data, but what if I request an attached stream? Oh, the problem becomes interesting!

The era of IIS 3 and IIS 4 has passed; the IIS version here is 5.1 and the system is Windows XP SP1. I created a text file a.txt in the web directory and attached the file cmd.asp (a WebShell for cmd.exe) to a.txt as a stream. Only a.txt is visible, but a.txt:cmd.asp actually exists as well (oh, you can't see things with your eyes, you must use your heart ^_^). OK, let's access a.txt:cmd.asp and a.txt:cmd.asp:$DATA.

[Figure 1] The ASP file is executed! (Note the URL)
[Figure 2] ASP source code leaked

So in IIS we can not only access the content of a file's non-main streams, but also execute script files stored as streams! Oh, do you think this could be used as a hidden WebShell? Well, I was quite excited at the time, but I quickly went cold from head to foot, because this is only the result on XP, and nobody uses XP as a server... The situation is less interesting on 2000 and 2003: on both, scripts in streams are not executed (the page reports that it cannot be found).
But the 2000 Server edition can access streams that IIS does not need to interpret (such as a JPG file; heh, you could make a hidden static home page); 2000 Advanced Server returns the error "Not enough storage is available to process this command"; I tried 2003 before, but I have forgotten the result. In addition, several other file types such as STM are also interpreted by the server; you can try them, heh, maybe something happy will happen.

Well, that's about it. Finally, thanks to BigWorm: without that translation, I am afraid I still would not know what ADS is.

From Internet, for Internet! 2005-1-26
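
For defenders, the request forms described above (a.txt:cmd.asp, a.txt:cmd.asp:$DATA, a.asp::$DATA) can be flagged in IIS logs. The following Python code is an added example, not code from the original article; it assumes W3C extended logs with a #Fields header, and the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines (sample data, not from the article).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-26 10:00:01 192.0.2.10 GET /index.asp - 200
2005-01-26 10:00:05 192.0.2.10 GET /a.txt:cmd.asp - 200
2005-01-26 10:00:09 192.0.2.10 GET /a.txt:cmd.asp:$DATA - 200
2005-01-26 10:00:12 192.0.2.11 GET /a.asp%3A%3A%24data - 404
2005-01-26 10:00:20 192.0.2.12 GET /img/logo.jpg - 200
"""

# NTFS stream syntax in the last path segment: file:stream[:$TYPE]
# (an empty stream name, as in a.asp::$DATA, means the main stream).
STREAM_RE = re.compile(r"^([^:]+):([^:]*)(?::(\$\w+))?$")

def classify_stem(stem):
    """Return None for an ordinary path, else (kind, file, stream)."""
    decoded = stem
    for _ in range(3):  # peel nested percent-encoding such as %253A
        peeled = unquote(decoded)
        if peeled == decoded:
            break
        decoded = peeled
    segment = decoded.replace("\\", "/").rsplit("/", 1)[-1]
    if ":" not in segment:
        return None
    m = STREAM_RE.match(segment)
    if not m:
        return ("malformed", segment, "")
    kind = "named-stream" if m.group(2) else "main-stream"
    return (kind, m.group(1), m.group(2))

def scan_log(text):
    """Return one finding per request whose cs-uri-stem uses stream syntax."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            hit = classify_stem(row.get("cs-uri-stem", ""))
            if hit:
                findings.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"]) + hit)
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a named-stream finding is the case worth investigating first, since it means the server actually served or executed the stream.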