Analysis of iis6.0 design defects

Author: Ice origin [0. s. t] & [L.S. T]
Note: This article has been published in Part 1 of the hacker manual. For more information, see this document!



So that we can get the web Trojan. The problem we are talking about today is this design defect.
I. Questions about access to the Trojan and solutions.
I also wanted to explore the Principles. google and Baidu could not find the desired results, and I found only one method on the Internet: Success, 1. next we went to the local machine to access 2. The access was successful. then let's try again, 3. 1. asp folder. What is the problem? This is one of the problems to be solved in this article. the problem is very strange. It is reasonable to say that you can access it. You should be able to log on and use it normally. I searched the internet and did not find such a similar problem. So I discussed it with the group. Xiao Lang, a group member, gave me great inspiration: he believes that since all the web Trojans can be parsed, the problem that the trojan cannot be logged on should have occurred. From the picture just now, we can see that the parameters received by the trojan have changed, that is, the system automatically redirects to 1. in the asp folder, why? Let's see how the trojan parameters are received? I found the following lines of code from a large Mali:
URL = Request. ServerVariables ("URL ")
ServerIP = Request. ServerVariables ("LOCAL_ADDR ")
Action = Request ("Action ")
The most important thing is that the received parameters are transmitted through URLs. That is to say, when we log on, the server will parse 1.asp( which I cannot express clearly here ), therefore, verification fails. therefore, to solve this problem, we only need to Replace the first sentence:
URL = Request. ServerVariables ("PATH_INFO ")
In this way, we can smoothly access it with a Trojan. 4. in this case, we have to mention the path_info's changes. The new feature shows a virtual image, and it can also be smoothly written to dama.jpg. however, the answer from the Internet is that this problem will not occur if you access pony directly. 5. this is because pony has simple functions and does not involve complex path parsing. However, it is most important for me to understand more principles in the spirit of learning.
Ii. Thinking about parsing other script files.
You may have learned about this problem, but what you have come up with is the most important thing! I thought that since I could parse xx. the file in the asp folder, that xx. aspx, xx. php and so on will parse the corresponding script file. My virtual machine can parse the aspx horse. Let's try it. I created a file directly in the IIS directory, then access my aspx file, 6. at first, I thought that I had to change something like asp, but when I put a common aspx file, I couldn't. (However, it was confirmed that xx cannot be resolved. aspx, because the aspx page of a normal Trojan is not displayed ). so xx. what about php? Although the php environment is not installed on my virtual machine, if I can parse it, when I access it, I will either directly display the php source code or directly display the download, let's look at the picture to prove that my guess is correct. 7. conjecture is always a conjecture. In order to ensure the correctness of the idea, I also called Xiao Lang to test it. I can indeed put xx. the file in the php folder is parsed into a PHP file (however, it is tested using a normal php file, and it is not tested using PHP Malay ).
Summary: This article mainly aims to find out other principles and discuss whether other scripts also support this form of parsing. Of course, due to limited conditions, I have not continued to test cfm, cgi, jsp, and other script files. at the same time, I hope you will pay more attention to the original rational things. After all, understanding the principles is the most important thing.