Analyze "Hidden Virtual Directory"

Author: Aku from: http: //www.coolersky.com/ looked at the ice fox

"Hidden Virtual Directory Exposure"

First, retrieve the hidden step:

1, in the designated website

The actual directory of http://127.0.0.1 (such as "F: / Web /") creates a directory, such as "coolersky";

2. Open the IIS manager, create a virtual directory in the COOLERSKY directory, such as "Cool", pointing to the position is f: / cool /;

3, delete the created coolersky directory;

In this way, you can't see the virtual directory Cool in the IIS manager, but you can pass

Http://127.0.0.1/coolersky/cool/ to access the virtual directory to meet the purpose of hidden websites. This should be an MS for a bug.

Second, Win2K analysis

For this problem, the solution given by Ice Fox is to use the PWS tool to view, but individuals think that there is no practical meaning.

Why do you say this? We know: PWS can build a web service in Win95 / 98. In the Win2k-Pro version, some of the contents of the PWS continues, so there is a Pws.exe file in C: / Winnt / System32 / IneTsrv /, it can be more convenient Manage virtual sites, of course we hide the virtual directory under the default station, but also flee the management of PWS.

But have a few people do their own web server with Win2k-Pro version? ! Because the Pro version has no way to create a new site, you can only create a virtual directory. Under Win2k-Ser, Win2k-ADV, you can create a new site, the system does not bring PWS.exe in C: / Winnt / System32 / IneTSRV /, even if you copy a copy from Pro, you can only manage the default site. The virtual directory, it is still in powerless other new sites.

In order to facilitate the analysis, write a monitoring directory and file, used to monitor the C: / WinNT / System32 / InetSrv / Directory, after the operation, the monitoring window does not have any display, and the directory is only a file, a file. modified. But when you restart IIS or use PWS editing, the window will display:

Added - MetaBase.bin.tmpModified - MetaBase.bin.tmpModified - MetaBase.bin.tmpRename - MetaBase.bin MetaBase.bin.bakModified - MetaBase.bin.bakRename - MetaBase.bin.tmp MetaBase.binAdded - MetaBase.bin.tmpModified - Metabase.bin.tmprename - metabase.bin metabase.bin.bakmodified - metabase.bin.bakremoved - Metabase.bin.bak Basic explanation of the procedure of the operation, and use the UE to open the metabase.bin file, found to be written with binary, Search "C O O L E R S K Y", you can see

/ W 3 S v C / 3 / R O o T / C O L E R S K Y / C O O L / But this is what I know if I know, and the administrator can't go this way. do.

Third, Win2003 analysis

There is also this problem in Win2003, and there is no PWS.exe, using the monitoring directory program, only monitor C: / Windows / System32 / InetSrv /. After several monitors found that there will be the following (may be associated with the operation, not every one has all of the content): Added - MetaBase.xml.tmpModified - MetaBase.xml.tmpAdded - History / MetaBase_0000000036_0000000000.xmlModified - History / MetaBase_0000000036_0000000000.xmlAdded - History / MBSchema_0000000036_0000000000.xmlModified - History / MBSchema_0000000036_0000000000.xmlRemoved - History / MetaBase_0000000026_0000000000.xmlRemoved - MetaBase.xml.tmpModified - History will be found that the monitoring of the situation, once every open iis, in C: / WINDOWS / system32 / inetsrv / History will be created under Two new files MBSChema_000000000036_0000000000.XML and Metabase_0000000036_0000000000.xml, the contents are C: /Windows/system32/inetsrv/Mbschema.xml and C: /Windows/system32/inetsrv/Metabase.xml Each value increases each of the values ​​per open; 10 times, the earliest is automatically deleted.

Personal Analysis: When opening the IIS manager, create metabase.xml.tmp, the part we modified will be temporarily stored in this file, then the system creates metabase_0000000036_0000000000.xml file, the content of the original document Metabase.xml; then use Metabase The contents of the .xml.TMP file modify or override Metabase_0000000036_0000000000.xml, of course, the system will regenerate ChanGenumber, HistorymajorveionsNumber, SessionKey, AdminaCl to confirm the legality of the file. Where changenumber is incremented, HistorymajorversionNumber is current 36, Sessionkey is 320 bytes, and Adminacl is 496 bytes. After turning off the IIS Manager, use the Metabase_0000000036_0000000000.xml file override the original document Metabase.xml.

Open Metabase.xml file:

We can see the virtual directory I have just created, although I can see it in the IIS manager, but here is it can be seen, and the files in the history directory and the modation time of Metabase.xml, HistorymajorversionNumber can soon It is determined whether IIS is changed by others. Fourth, summary

According to the analysis, the individual believes that in Win2K and Win2003 services, use this method to create a hidden directory is really difficult to discover, in addition to doing security settings, except for security settings, but also check the file modification time, of course, often backup IIS is also a good habit.

In addition, regularly view the IIS log, or use some professional log analysis tools, will greatly reduce the workload of the administrator.

The above is only the conclusions drawn by simple testing, limited to personal level, please refer to it!

Supplement: I just exchanged with Ice Fox. I found that Adsutil.vbs can directly operate Metabase.bin, this remembers that I have encountered it before the picture in the picture, it is really lonely! :)

The specific content is then released.