Web security practices (8) attack iis6.0

Source: Internet
Author: User
Tags: servervariables, microsoft, iis


In the previous sections we learned how to determine the type of web server. This section continues with attacks on web platform vulnerabilities. The defects discussed here belong to the server software itself, not to the administrator's configuration, so they can only be removed by upgrading or patching. Everything listed in this section is in the past tense: for each server and each vulnerability a fix should already exist. The purpose is not to teach you how to attack a web platform but to understand what attacking a web platform means, so this article concentrates on the principle behind each vulnerability rather than on the attack technique itself.

Body

I. Remote spoofing of the IIS 6.0 server name

This problem arises when an ASP or ASP.NET program tries to obtain the IP address of the server on which the application runs, using

Request.ServerVariables("SERVER_NAME")   (classic ASP) or

Request.ServerVariables["SERVER_NAME"]   (ASP.NET)

Such a call returns the value of the SERVER_NAME server variable. If the request comes from the Internet, the value is the IP address of the web server; if the request comes from the web server itself, the value is localhost.

For the following address

http://nic.ustl.edu.cn/

our usual request is

GET / HTTP/1.1
Host: nic.ustl.edu.cn
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

The response is

We can also modify the request to

GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 ......

The response is

The two responses differ. Is that interesting? With some luck you can obtain more confidential information. The point of this example is only that IIS handles requests from the Internet and requests from the server itself differently; what can we get from that difference? I will not give many demonstrations; I will simply mention two things.

(1) You may be able to obtain content that you normally do not have permission to access.

(2) IIS returns different information for the same error depending on where the request appears to come from, so you can get more details.

Some code references this variable to detect whether the request comes from the server itself, which leads to a series of illegal exploits such as cookie theft, data redirection, or other URL handling abuse.

Let's look at another variable, REMOTE_ADDR. This should be the correct way to determine whether a request comes from a remote host or from the local machine: it gives the client's IP address.

Suppose a program looks like this (classic ASP):

' Vulnerable: the unqualified Request(name) collection is searched, not Request.ServerVariables(name)
If Request("REMOTE_ADDR") = "127.0.0.1" Then
    ' send the management interface
Else
    ' send the error message page
End If

Now we need to pay attention to the order in which IIS searches for REMOTE_ADDR: first the query string, then the submitted form data, then the cookies, and finally the server variables. Since the server variable comes last, we can supply a fake query variable or cookie that is found before the real server variable is ever consulted!

For example: http://.../login.aspx?REMOTE_ADDR=127.0.0.1
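To make the lookup order concrete, here is an added example (not code from the original article) that models how an unqualified Request("NAME") lookup resolves a name in the order the article gives, next to a check that reads only the server variable; FakeRequest, is_local_vulnerable and is_local_hardened are constructed names for this model, not IIS objects.

```python
# Added example, not from the original article: a minimal model of how an
# unqualified Request("NAME") lookup in classic ASP (and Request["NAME"] in
# ASP.NET) resolves a name, versus reading Request.ServerVariables directly.
# FakeRequest is a constructed stand-in, not the real IIS request object.
from dataclasses import dataclass, field

@dataclass
class FakeRequest:
    query: dict = field(default_factory=dict)             # QueryString, from the client
    form: dict = field(default_factory=dict)              # Form, from the client
    cookies: dict = field(default_factory=dict)           # Cookies, from the client
    server_variables: dict = field(default_factory=dict)  # set by IIS from the connection

    def lookup(self, name):
        """Unqualified Request(name): the first collection holding the name wins."""
        for collection in (self.query, self.form, self.cookies, self.server_variables):
            if name in collection:
                return collection[name]
        return None

def is_local_vulnerable(req):
    """The article's check, If (REMOTE_ADDR = "127.0.0.1"), written with Request(name)."""
    return req.lookup("REMOTE_ADDR") == "127.0.0.1"

def is_local_hardened(req):
    """Read the peer address IIS recorded; client-supplied collections are never consulted."""
    return req.server_variables.get("REMOTE_ADDR") == "127.0.0.1"

# Constructed requests: a remote client (203.0.113.5) appending ?REMOTE_ADDR=127.0.0.1,
# and a genuine local request with nothing in the client-controlled collections.
SPOOFED = FakeRequest(query={"REMOTE_ADDR": "127.0.0.1"},
                      server_variables={"REMOTE_ADDR": "203.0.113.5"})
GENUINE = FakeRequest(server_variables={"REMOTE_ADDR": "127.0.0.1"})

def compare():
    """(vulnerable result, hardened result) for each constructed request."""
    return {name: (is_local_vulnerable(r), is_local_hardened(r))
            for name, r in (("spoofed", SPOOFED), ("genuine", GENUINE))}
```

The spoofed request passes the vulnerable check and fails the hardened one; the genuine local request passes both.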

 

II. Microsoft IIS service tracking log bypass vulnerability

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!

TRACK / HTTP/1.0

Solution:

Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends the following measures to reduce the threat:
* Use a proxy, firewall, or IDS system to record logs.
* Use the URLScan security tool to block TRACK requests.

Currently the vendor has not provided a patch or upgrade. Users of the software are advised to follow the vendor's homepage for the latest version:
http://www.microsoft.com/technet/security/

(1) TRACK hides requests

TRACK is an HTTP method. Currently it seems (I am not sure about other servers) to be supported only by IIS, and it has the same function as the TRACE method. Request method:

TRACK / HTTP/1.0

Strangely, however, IIS does not log this request, so attacks such as DoS can easily be carried out through it without being recorded.

(2) Using a long URL to bypass logging

Many servers apply a default maximum length when writing web logs; anything beyond that length is dropped.

Therefore, to keep the server from recording an attack, the request can be padded with meaningless characters so that the attack code only follows after the limit.

III. WebDAV vulnerability

IIS 5.1/6.0 with WebDAV has a denial-of-service vulnerability. WebDAV (Web-based Distributed Authoring and Versioning) is an extension of the HTTP specification that allows users to remotely add and manage content on web servers. On Windows 2000, WebDAV is enabled by default whenever IIS is enabled, whereas WebDAV is not installed by default on IIS 5.1 or IIS 6.0.

With this vulnerability, an attacker can send specially crafted WebDAV requests to a server running IIS with WebDAV. While IIS processes these messages, the CPU and memory usage of the IIS server rise to 100%. The more XML attributes each XML element in the message contains, the longer the IIS service takes to process it, which results in a denial of service while IIS is handling the message.

IV. File parsing path vulnerability

Windows 2003 has a file parsing path vulnerability: when a folder name looks like the name of an ASP file (for example *.asp), all text files in that folder are executed as ASP programs by IIS. An attacker can therefore upload a trojan file with a jpg or gif extension and run it simply by requesting it. Test method: create a folder named test.asp via FTP and upload a file hack.jpg into it; the content of the JPG file can simply be ASP code. Then request hack.jpg remotely in IE and it runs as an ASP file! Obviously, as long as your website allows users to create folders and upload images themselves, an uploaded image can be run as an ASP trojan.

Example: http://test.xuanhun.com/test.asp/asp.jpg
This path is made up of the site address, the folder test.asp, and the file asp.jpg, which is executed with ASP permissions. If an ASP webshell is uploaded this way, the consequences can be imagined.
Attackers can thus bypass the extension check on upload, upload trojan files with normal extensions, and obtain webshell access. A back-end administrator with elevated permissions can also exploit this vulnerability to obtain webshell access.
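The request patterns from sections I, II and IV (a server variable smuggled into the query string, a TRACK request, an oversized URL, and a file served from a *.asp folder) are all visible in W3C-format web logs. The following added example (not code from the original article) scans such logs for them; the log lines are constructed samples, the column names follow the "#Fields:" header, and the LONG_URL threshold is an assumption. Because the article says IIS itself does not log TRACK, that check is only useful on logs kept by a proxy, firewall or IDS in front of IIS, as the NSFOCUS workaround recommends.

```python
# Added example, not from the original article: flag the request patterns this
# article describes in IIS 6 W3C-format log lines. The lines are constructed
# samples and columns follow the "#Fields:" header; LONG_URL is an assumed threshold.
SERVER_VARS = {"REMOTE_ADDR", "SERVER_NAME", "HTTP_HOST", "LOGON_USER", "AUTH_USER"}
LONG_URL = 1024  # assumed threshold: padding meant to push an attack past log limits

SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2008-10-01 10:00:01 10.0.0.2 GET /login.aspx REMOTE_ADDR=127.0.0.1 80 203.0.113.5 200",
    "2008-10-01 10:00:02 10.0.0.2 TRACK / - 80 203.0.113.5 200",
    "2008-10-01 10:00:03 10.0.0.2 GET /upload/test.asp/hack.jpg - 80 203.0.113.5 200",
    "2008-10-01 10:00:04 10.0.0.2 GET /index.asp id=5 80 198.51.100.7 200",
    "2008-10-01 10:00:05 10.0.0.2 GET /x.asp " + "A" * 1100 + "&cmd=1 80 203.0.113.5 200",
])

def parse_w3c(text):
    """One dict per entry, keyed by the names given in the #Fields: directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def query_params(query):
    """Upper-cased parameter names in a logged cs-uri-query ('-' means none)."""
    if query == "-":
        return set()
    return {p.split("=", 1)[0].upper() for p in query.split("&")}

def asp_folder_parse(stem):
    """A non-.asp file inside a directory named *.asp (section IV)."""
    parts = stem.lower().split("/")
    return any(d.endswith(".asp") for d in parts[1:-1]) and not parts[-1].endswith(".asp")

def scan(text):
    """(client ip, uri stem, reason) for every suspicious entry, in log order."""
    hits = []
    for r in parse_w3c(text):
        reasons = []
        if query_params(r["cs-uri-query"]) & SERVER_VARS:
            reasons.append("server variable smuggled in query string")
        if r["cs-method"].upper() == "TRACK":
            reasons.append("TRACK method (not logged by IIS itself)")
        if asp_folder_parse(r["cs-uri-stem"]):
            reasons.append("file inside *.asp folder")
        if len(r["cs-uri-stem"]) + len(r["cs-uri-query"]) > LONG_URL:
            reasons.append("oversized URL (possible log padding)")
        hits.extend((r["c-ip"], r["cs-uri-stem"], why) for why in reasons)
    return hits
```

Running scan(SAMPLE_LOG) reports the four suspicious entries and leaves the ordinary /index.asp request alone.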

 
